Incident response is not just about avoiding breaches- it is also about reacting when they first occur. Incident response can be a very overwhelming process for SMBs, but it is crucial for protecting data, not only the organization's private networks but also stored customer information. It is also essential for complying with data privacy laws.
With incident response, RSG can help after the event occurs with forensic and deep expertise in reconstructing the event and working with law enforcement if needed. RSG will be responsible for developing a proactive IR plan, assessment and resolution of system vulnerabilities, assisting with maintenance of the best security applications, and providing support for your IR handling procedures.
Preparation
This is an important step, and we advise our customers to have key members within their organizations to be available 24/7/365 who can identify and access critical assets and applications during incident response. Only allow access to systems and applications to authorized users. While it is extremely difficult to prepare for every possible contingency, having a plan established ahead of time in-case of a data breach or compromise should be our customers number one priority.
Identification
In the event of a potential compromise of information or systems that has been detected, we will escalate the matter to our customers with a High Alert followed by a phone call to the responsible party that has been pre-determined by the customer. All High Priority events will be escalated to the designated contacts immediately and we will continue to contact these individuals until they are reached or until all the required methods of contacts have been exhausted. Lower priority items are escalated to customers in accordance with the recommended time to resolve the issue and will likely be communicated through email.
Containment
Containment is crucial within the incident response plan and can help stop the effect of an incident. Certain situations require different types of containment strategies to use. Our Cyber Security Analysts in-case there has been an incident, will request information from the customer and will work with our customers in order to access and contain the compromised systems, and will guide in the recovery of the assets, disable systems, identify the source of the problem, collect evidence, and assess damage. Such containment shall not interfere with the incident response investigation.
Eradication
We identify the root cause of the attack, removal of malware or threats, and preventing similar attacks in the future. An example would be, if a weak authentication mechanism was the entry point for the attack, it should be replaced with strong authentication; if a vulnerability was exploited, it should be immediately patched. Although containment and Eradication may seem like similar steps, eradication differs from containment. In the containment phase, you are merely trying to prevent the problem from getting worse. In the eradication phase, you eliminate the threat from your network or your endpoint of application.
Recovery
The recovery phase is where you restore your systems to full working order as it was before the incident occurred. This usually involves restoring from backups and testing the network to make sure no traces of the threat remain.
Lessons Learned
This is a step that is often overlooked but important to ensure information is fresh in the team’s mind. The purpose of this phase is to complete documentation if it could not be prepared during the response process and investigate the incident further to identify its full scope, how it was contained and eradicated, what was done to recover the attacked systems, areas where the response team was effective, and areas that require improvement. It should not be a time for placing blame, but instead a time to focus on preventing future occurrences of the incident that just happened.