A cyber incident can range from a minor outage affecting a single service to a full-scale cyber attack. Whatever the scale, having clear guidelines to follow helps an organization build an effective, standardized response plan instead of improvising under pressure.
The SysAdmin, Audit, Network, and Security (SANS) Institute is one of the leading organizations providing cybersecurity training, research, and certification. Their decades of experience in the field led them to publish their cybersecurity framework, the Incident Handler’s Handbook, in 2012.
Since its release, the SANS framework has been recognized as one of the most comprehensive incident response approaches and has been implemented by many influential organizations worldwide.
Here are the six steps of the SANS framework's incident response process: preparation, identification, containment, eradication, recovery, and lessons learned.
Preparation
Preparation is about getting your team ready to handle an incident as quickly and efficiently as possible. Having a response plan in place before anything happens makes a world of difference, because during an incident every step you take can affect the outcome.
The preparation process involves creating policies: clear, written principles and practices that define what the organization considers an incident, who is responsible for what, and how to escalate. These policies are then incorporated into a response plan that guides the organization's actions throughout the incident.
A big part of the response plan is prioritizing incidents by business impact, so that the highest-impact incidents are handled first and brought to the attention of upper management.
Identification
The identification process typically involves gathering information from log files, intrusion detection systems, and other sources to determine whether there is a deviation from the norm. Keep in mind that a deviation does not necessarily mean an incident: a single mistyped password and a brute-force attack both show up as failed logins, and the analyst has to confirm what happened and how far it spread before declaring an incident. Non-IT employees can also help identify an incident, primarily by reporting when their systems behave strangely.
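The log review described above, as an added example that is not part of the original article or the SANS handbook: a small Python pass over constructed sshd auth log lines that separates a harmless deviation (one failed login) from a failure burst and from a success that follows a burst. The log lines, hostnames, IP addresses and thresholds are all constructed for the example.

```python
# Added example (not from the original article): a minimal "identification"
# pass over auth log lines, flagging deviations from normal login behaviour.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt for this example; not real traffic.
SAMPLE_LOG = """\
Mar 10 08:01:12 web01 sshd[2011]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 10 08:03:40 web01 sshd[2044]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar 10 08:03:41 web01 sshd[2045]: Failed password for root from 203.0.113.7 port 40123 ssh2
Mar 10 08:03:43 web01 sshd[2046]: Failed password for admin from 203.0.113.7 port 40124 ssh2
Mar 10 08:03:44 web01 sshd[2047]: Failed password for invalid user oracle from 203.0.113.7 port 40125 ssh2
Mar 10 08:03:46 web01 sshd[2048]: Failed password for backup from 203.0.113.7 port 40126 ssh2
Mar 10 08:04:02 web01 sshd[2049]: Accepted password for backup from 203.0.113.7 port 40127 ssh2
Mar 10 08:30:15 web01 sshd[2101]: Failed password for deploy from 10.0.0.5 port 51030 ssh2
Mar 10 08:30:20 web01 sshd[2102]: Accepted publickey for deploy from 10.0.0.5 port 51031 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text, year=2024):
    """Turn matching log lines into dicts; lines that are not auth results are skipped.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "result": m["result"],
                       "method": m["method"], "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, window_seconds=300, failure_threshold=5):
    """Flag (a) a burst of failed logins from one source inside a sliding window and
    (b) a successful login from a source that already produced such a burst."""
    findings = []
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []
        burst_reported = False
        for e in evs:
            if e["result"] == "Failed":
                recent_failures.append(e["ts"])
                # Keep only failures inside the window ending at this event.
                recent_failures = [t for t in recent_failures
                                   if (e["ts"] - t).total_seconds() <= window_seconds]
                if len(recent_failures) >= failure_threshold and not burst_reported:
                    burst_reported = True
                    findings.append({"severity": "suspicious", "ip": ip, "host": e["host"],
                                     "user": e["user"], "ts": e["ts"],
                                     "reason": f"{len(recent_failures)} failed logins "
                                               f"within {window_seconds}s"})
            elif burst_reported:
                findings.append({"severity": "probable-incident", "ip": ip, "host": e["host"],
                                 "user": e["user"], "ts": e["ts"],
                                 "reason": f"successful {e['method']} login after a failure burst"})
            # A lone failure (a mistyped password) is a deviation but not an incident,
            # so it produces no finding.
    return findings


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['severity']:18} {f['ip']} {f['user']}: {f['reason']}")
```

On the sample, the single failed login by `deploy` from 10.0.0.5 is ignored, the five failures from 203.0.113.7 produce a "suspicious" finding, and the password login that follows them is escalated to "probable-incident", which is the point at which the containment phase should start.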
Containment
After an incident is identified, the focus turns to containing it and minimizing its impact. There are several steps to this phase:
1. Short-term containment
The main purpose of this step is to stop the incident from doing further damage, for example by disconnecting an infected device from the organization's network. Isolating a machine rather than powering it off keeps volatile evidence such as memory contents available for the next step.
2. System back-up
Before wiping an affected system, take a forensic image that captures the system's state during the infection. A forensic image can come in handy during a criminal case and for understanding how the attack worked so that something similar can be prevented in the future. Record a cryptographic hash of the image and who acquired it, when, and from where; without that, it is hard to show later that the image was not altered.
3. Long-term containment
In the last step, the affected system is temporarily fixed so that it can stay in use and production does not have to pause. This can be done by installing security patches and applying other measures that prevent the incident from escalating further while the permanent clean-up is prepared.
Eradication
Eradication is the phase in which the affected systems are wiped to remove any malicious content. That is usually done by reimaging the system from original disk images taken before the system went into production, rather than trying to clean a compromised install in place.
The "new" system should be equipped with adequate tools and strong security measures, including the fix for whatever weakness the attacker used, to prevent a repeat of the attack.
Recovery
The recovery process brings the affected systems back into production, but only after careful testing, monitoring, and validation that they will not lead to another infection.
It is imperative to have the tools needed to test, monitor, and validate the system so you can confirm it is fully functional and clean. The system's users should be given a set testing period, as well as a time and date at which operations will be restored.
Lessons learned
The final phase in the SANS framework depends on constant and detailed documentation throughout the five previous stages. That documentation is then compiled into a single report summarizing the incident and answering when, why, and how it happened.
The report's main goal is to help the organization learn from the incident. It can help improve the team's performance and serve as a reference point during a similar incident in the future.
It is best to hold a lessons learned meeting soon after the incident is closed, while the details are still fresh, to go through the report, agree on what worked and what did not, and set out future courses of action.
How SecurityScorecard can help
SecurityScorecard’s continuous compliance monitoring solution allows you to track adherence to current public and private sector security mandates and detect potential compliance gaps.
As cyber risks grow, companies of all sizes expect high security standards from their vendors, including evidence that they follow established frameworks such as those from SANS or NIST.
SecurityScorecard clients can use the Evidence Locker to store compliance documentation and display certification badges for quick identification. This brings transparency, speed, and automation to the assessment process and helps you showcase your compliance posture.
To learn more, visit securityscorecard.com, or request a demo.