Computer security incident management#Definitions

{{how-to|date=November 2024}}

In the fields of computer security and information technology, computer security incident management involves the monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events. Computer security incident management is a specialized form of incident management, the primary purpose of which is the development of a well understood and predictable response to damaging events and computer intrusions.{{cite web
| title =ISO 17799{{!}}ISO/IEC 17799:2005(E)
| work =Information technology - Security techniques - Code of practice for information security management
| publisher =ISO copyright office
| date =2005-06-15
| pages = 90–94
| url = http://www.iso.org
}}

Incident management requires a process and a response team which follows this process. In the United States, this definition of computer security incident management follows the standards and definitions described in the National Incident Management System (NIMS). The incident coordinator manages the response to an emergency security incident. In a natural disaster or other event requiring a response from emergency services, the incident coordinator would act as a liaison to the emergency services incident manager.{{cite web
|title=NIMS - The Incident Command System
|work=National Incident Management System
|publisher=Department of Homeland Security
|date=2004-03-01
|url=http://www.nimsonline.com/nims_3_04/incident_command_system.htm
|accessdate=2007-04-08
|archiveurl=https://web.archive.org/web/20070318154341/http://www.nimsonline.com/nims_3_04/incident_command_system.htm
|archivedate=2007-03-18
|url-status=usurped
}}

Incident response plans

An incident response plan (IRP) is a group of policies that dictate an organization's reaction to a cyber attack. Once a security breach has been identified, for example by a network intrusion detection system (NIDS) or a host-based intrusion detection system (HIDS) (if configured to do so), the plan is initiated.{{Citation|last=Fowler|first=Kevvie|title=Developing a Computer Security Incident Response Plan|date=2016|url=http://dx.doi.org/10.1016/b978-0-12-803451-4.00003-4|work=Data Breach Preparation and Response|pages=49–77|publisher=Elsevier|doi=10.1016/b978-0-12-803451-4.00003-4|isbn=978-0-12-803451-4|access-date=2021-06-05|url-access=subscription}} It is important to note that there can be legal implications of a data breach. Knowing local and federal laws is critical.{{cite journal |last1=Bisogni |first1=Fabio |title=Proving Limits of State Data Breach Notification Laws: Is a Federal Law the Most Adequate Solution? |journal=Journal of Information Policy |date=2016 |volume=6 |pages=154–205 |doi=10.5325/jinfopoli.6.2016.0154 |jstor=10.5325/jinfopoli.6.2016.0154 |doi-access=free }} Every plan is unique to the needs of the organization, and it can involve skill sets that are not part of an IT team.{{Citation|title=Understanding Plan for Every Part|date=2017-07-27|url=http://dx.doi.org/10.1201/b10336-5|work=Turbo Flow|pages=21–30|publisher=Productivity Press|doi=10.1201/b10336-5|isbn=978-0-429-24603-6|access-date=2021-06-05|url-access=subscription}} For example, a lawyer may be included in the response plan to help navigate the legal implications of a data breach.{{citation needed|date=January 2023}}

As mentioned above, every plan is unique, but most plans will include the following:{{cite web |last1=Wills |first1=Leonard |title=A Brief Guide to Handling a Cyber Incident |url=https://www.americanbar.org/groups/litigation/committees/minority-trial-lawyer/practice/2019/a-brief-guide-to-handling-a-cyber-incident/ |work=American Bar Association |date=27 February 2019 }}

= Preparation =

Good preparation includes the development of an incident response team (IRT).{{Citation|last=Johnson|first=Leighton R.|title=Part 1. Incident Response Team|date=2014|url=http://dx.doi.org/10.1016/b978-1-59749-996-5.00038-8|work=Computer Incident Response and Forensics Team Management|pages=17–19|publisher=Elsevier|doi=10.1016/b978-1-59749-996-5.00038-8|isbn=978-1-59749-996-5|access-date=2021-06-05|url-access=subscription}} Skills needed by this team include penetration testing, computer forensics, network security, etc.{{Cite journal|date=February 2014|title=Computer Incident Response and Forensics Team Management|url=http://dx.doi.org/10.1016/s1353-4858(14)70018-2|journal=Network Security|volume=2014|issue=2|pages=4|doi=10.1016/s1353-4858(14)70018-2|issn=1353-4858|url-access=subscription}} This team should also keep track of trends in cybersecurity and modern attack strategies.{{Citation|title=Cybersecurity Threat Landscape and Future Trends|date=2015-04-16|url=http://dx.doi.org/10.1201/b18335-12|work=Cybersecurity|pages=304–343|publisher=Routledge|doi=10.1201/b18335-12|isbn=978-0-429-25639-4|access-date=2021-06-05|url-access=subscription}} A training program for end users is important as well, since most modern attack strategies target users on the network.

= Identification =

This part of the incident response plan identifies whether there was a security event.{{Citation|title=Information technology. Security techniques. Information security incident management|url=http://dx.doi.org/10.3403/30268878u|publisher=BSI British Standards|doi=10.3403/30268878u|access-date=2021-06-05|url-access=subscription}} When an end user reports information or an administrator notices irregularities, an investigation is launched. An incident log is a crucial part of this step.{{Citation needed| reason=article has nothing to with incident logs|date=December 2023}} All members of the team should update this log to ensure that information flows as fast as possible.{{Citation|last=Turner|first=Tim|title=Our Beginning: Team Members Who Began the Success Story|date=2011-09-07|url=http://dx.doi.org/10.4324/9781466500020-2|work=One Team on All Levels|pages=9–36|publisher=Productivity Press|doi=10.4324/9781466500020-2|isbn=978-0-429-25314-0|access-date=2021-06-05|url-access=subscription}} If it has been identified that a security breach has occurred, the next step should be activated.{{Cite book|title=Defensive Strategies|last=Erlanger|first=Leon|publisher=PC Magazine|year=2002|pages=70}}

= Containment =

In this phase, the IRT works to isolate the areas in which the breach took place in order to limit the scope of the security event.{{Citation|title=of Belgrade's main street. The event took place in absolute|date=2013-11-05|url=http://dx.doi.org/10.4324/9781315005140-28|work=Radical Street Performance|pages=81–83|publisher=Routledge|doi=10.4324/9781315005140-28|isbn=978-1-315-00514-0|access-date=2021-06-05|url-access=subscription}} During this phase it is important to preserve information forensically so that it can be analyzed later in the process.{{Cite book |title=The Manipulation of Choice|publisher=Palgrave Macmillan|year=2013|isbn=978-1-137-31357-7|chapter=Why Choice Matters So Much and What Can be Done to Preserve It|doi=10.1057/9781137313577_7 |last1=White |first1=Mark D. |pages=127–150 }} Containment could be as simple as physically securing a server room or as complex as segmenting a network to prevent the spread of a virus.{{cite web|url=https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf|title=Computer Security Incident Handling Guide|date=2012|website=Nist.gov}}

= Eradication =

This is where the threat that was identified is removed from the affected systems.{{Cite journal|title=Table S3: Results from linear-mixed models where {{sic|non-signf|icant|nolink=y}} parameters have not been removed |journal=PeerJ|date=4 April 2016|volume=4|pages=e1867 |doi=10.7717/peerj.1867/supp-3|last1=Borgström|first1=Pernilla|last2=Strengbom|first2=Joachim|last3=Viketoft|first3=Maria |last4=Bommarco|first4=Riccardo |doi-access=free }} This could include deleting malicious files, terminating compromised accounts, or removing other components.{{Citation|last=Penfold|first=David|title=Selecting, Copying, Moving and Deleting Files and Directories |date=2000 |work=ECDL Module 2: Using the Computer and Managing Files|pages=86–94 |place=London|publisher=Springer London|doi=10.1007/978-1-4471-0491-9_6|doi-broken-date=3 December 2024 |isbn=978-1-85233-443-7}}{{Cite book|first=Onur|last=Gumus|title=ASP. NET Core 2 Fundamentals : Build Cross-Platform Apps and Dynamic Web Services with This Server-side Web Application Framework|date=2018|publisher=Packt Publishing Ltd|isbn=978-1-78953-355-2|oclc=1051139482}} Some events do not require this step; however, it is important to fully understand the event before moving to this step.{{Citation|date=2005-02-25|url=http://dx.doi.org/10.4324/9780203416907-8|work=Trouble-shooting Your Teaching|pages=36–40 |publisher=Routledge|doi=10.4324/9780203416907-8|isbn=978-0-203-41690-7|access-date=2021-06-05|title=Do the Students Understand What They Are Learning?|url-access=subscription}} This will help to ensure that the threat is completely removed.

= Recovery =

This stage is where the systems are restored to their original operation.{{Citation|title=Where Are Films Restored, Where Do They Come From and Who Restores Them?|work=Film Restoration|year=2013 |publisher=Palgrave Macmillan|doi=10.1057/9781137328724_3 |isbn=978-1-137-32872-4 |last1=Enticknap |first1=Leo |pages=45–70 }} This stage could include the recovery of data, changing user access credentials, or updating firewall rules or policies to prevent a breach in the future.{{Cite journal|last1=Liao|first1=Qi|last2=Li|first2=Zhen|last3=Striegel|first3=Aaron|date=2011-01-24|title=Could firewall rules be public - a game theoretical perspective|url=http://dx.doi.org/10.1002/sec.307|journal=Security and Communication Networks|volume=5|issue=2|pages=197–210|doi=10.1002/sec.307|issn=1939-0114|url-access=subscription}}{{Cite book|first1=Philip|last1=Boeckman |first2=David J.|last2=Greenwald|first3=Nilufer|last3=Von Bismarck|title=Twelfth annual institute on securities regulation in Europe : overcoming deal-making challenges in the current markets|date=2013|publisher=Practising Law Institute|isbn=978-1-4024-1932-4|oclc=825824220}} Without executing this step, the system could still be vulnerable to future security threats.

= Lessons learned =

In this step, information that has been gathered during the process is used to make future decisions on security.{{Cite web|title=Figure 1.8. Spending of social security has been growing, while self-financing has been falling|url=http://dx.doi.org/10.1787/888932459242|access-date=2021-06-05|doi=10.1787/888932459242}} This step is crucial to ensure that future events are prevented. Using this information to further train administrators is critical to the process.{{Citation|title=Information Governance: The Crucial First Step|date=2015-09-19|url=http://dx.doi.org/10.1002/9781119204909.ch2|work=Safeguarding Critical E-Documents|pages=13–24|place=Hoboken, NJ, US|publisher=John Wiley & Sons, Inc.|doi=10.1002/9781119204909.ch2|isbn=978-1-119-20490-9|access-date=2021-06-05|url-access=subscription}} This step can also be used to process information distributed by other entities that have experienced a security event.{{Cite journal|last=He|first=Ying|date=December 1, 2017|title=Challenges of Information Security Incident Learning: An Industrial Case Study in a Chinese Healthcare Organization|journal=Informatics for Health and Social Care|volume=42|issue=4|pages=394–395|doi=10.1080/17538157.2016.1255629|pmid=28068150|s2cid=20139345|url=http://eprints.gla.ac.uk/134944/7/134944.pdf}}
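The phases above (identification, containment, eradication, recovery, lessons learned) form one ordered procedure with a shared incident log and forensic preservation of evidence. The following Python program is an added example written for this article, not code from any cited standard or tool: it keeps an append-only incident log that every team member writes to, refuses phase transitions the plan does not allow (eradication may be skipped, but recovery cannot begin before containment), hashes each preserved artifact so later analysis can prove it is unchanged, and reports the elapsed time to each phase for the lessons-learned review. The class and field names, the `INC-EXAMPLE-001` identifier, the host name `ws-17` and all log messages are constructed for illustration.

```python
"""Incident record that enforces the phase order described in the article.
Added example; all names, identifiers and sample data are assumptions."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Phase(Enum):
    IDENTIFICATION = "identification"
    CONTAINMENT = "containment"
    ERADICATION = "eradication"
    RECOVERY = "recovery"
    LESSONS_LEARNED = "lessons_learned"


# Allowed transitions. Eradication may be skipped because, as the article
# notes, some events do not require it; every other step is strictly ordered,
# so recovery cannot start before containment and nothing follows the review.
ALLOWED_NEXT = {
    Phase.IDENTIFICATION: {Phase.CONTAINMENT},
    Phase.CONTAINMENT: {Phase.ERADICATION, Phase.RECOVERY},
    Phase.ERADICATION: {Phase.RECOVERY},
    Phase.RECOVERY: {Phase.LESSONS_LEARNED},
    Phase.LESSONS_LEARNED: set(),
}


@dataclass(frozen=True)
class LogEntry:
    when: datetime
    author: str
    phase: Phase
    message: str


@dataclass
class Incident:
    incident_id: str
    opened_at: datetime
    phase: Phase = Phase.IDENTIFICATION
    log: list[LogEntry] = field(default_factory=list)        # append-only
    evidence: dict[str, str] = field(default_factory=dict)   # artifact -> sha256
    phase_started: dict[Phase, datetime] = field(default_factory=dict)

    def __post_init__(self) -> None:
        self.phase_started[self.phase] = self.opened_at

    def record(self, author: str, message: str, when: datetime) -> None:
        """Append one entry to the shared log; entries are never edited or removed."""
        self.log.append(LogEntry(when, author, self.phase, message))

    def preserve_evidence(self, author: str, artifact: str, data: bytes, when: datetime) -> str:
        """Hash an artifact at collection time so later analysis can show it is unchanged."""
        digest = hashlib.sha256(data).hexdigest()
        self.evidence[artifact] = digest
        self.record(author, f"preserved {artifact} sha256={digest}", when)
        return digest

    def verify_evidence(self, artifact: str, data: bytes) -> bool:
        """True if the artifact still matches the digest taken during containment."""
        return self.evidence.get(artifact) == hashlib.sha256(data).hexdigest()

    def advance(self, to: Phase, author: str, note: str, when: datetime) -> None:
        """Enter the next phase, rejecting any transition the plan does not allow."""
        if to not in ALLOWED_NEXT[self.phase]:
            raise ValueError(f"cannot move from {self.phase.value} to {to.value}")
        if when < self.phase_started[self.phase]:
            raise ValueError("timestamp precedes the current phase")
        self.phase = to
        self.phase_started[to] = when
        self.record(author, f"entered {to.value}: {note}", when)

    def time_to(self, phase: Phase) -> timedelta | None:
        """Elapsed time from opening the incident to entering the given phase."""
        if phase not in self.phase_started:
            return None
        return self.phase_started[phase] - self.opened_at


def run_sample_incident() -> Incident:
    """Walk one constructed incident through every phase (all data made up)."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    inc = Incident("INC-EXAMPLE-001", t0)
    inc.record("nids", "alert: outbound connection from ws-17 matched watchlist", t0)
    inc.record("analyst-a", "host logs confirm compromise of ws-17", t0 + timedelta(minutes=20))
    inc.advance(Phase.CONTAINMENT, "analyst-a", "ws-17 moved to quarantine VLAN", t0 + timedelta(minutes=25))
    inc.preserve_evidence("analyst-b", "ws-17-memory.img", b"constructed sample bytes", t0 + timedelta(minutes=40))
    inc.advance(Phase.ERADICATION, "analyst-b", "malicious file removed, account disabled", t0 + timedelta(hours=2))
    inc.advance(Phase.RECOVERY, "sysadmin", "ws-17 reimaged, credentials rotated", t0 + timedelta(hours=5))
    inc.advance(Phase.LESSONS_LEARNED, "lead", "post-incident review scheduled", t0 + timedelta(days=1))
    return inc


if __name__ == "__main__":
    incident = run_sample_incident()
    for entry in incident.log:
        print(entry.when.isoformat(), entry.phase.value, entry.author, entry.message)
    print("time to containment:", incident.time_to(Phase.CONTAINMENT))
```

The log and the per-phase timestamps are what the lessons-learned review consumes: time to containment and time to recovery are the two figures an incident coordinator typically reports, and the evidence digests let a later forensic examination, or a lawyer assessing breach-notification duties, confirm that the material analyzed is the material collected.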

See also

References

Further reading

  • Handbook for Computer Security Incident Response Teams (CSIRTs) http://www.sei.cmu.edu/library/abstracts/reports/03hb002.cfm

Category:Incident management

Category:Cybersecurity engineering