1. According to Symantec Corp., the incident response cycle is defined as: “The sequence of phases that a security event goes through from the time that it is identified as a security compromise or incident to the time that it is resolved and reported.” (Symantec, 2017)
While researching, I found that there seem to be variations to the cycle. The simplified idea is identifying, investigating, and repairing. Organizations such as the SANS Institute recommend a 4-step process: Plan, Resist, Detect, and Respond, while others (National Institute of Standards and Technology – NIST) have broken it down even further into 7 steps. (US Department of Commerce, 2012)
Looking at the four-step model, it starts with planning. During this step, preparations are undertaken to attempt to understand vulnerabilities and assess your own security posture. In the resistance step, the organization uses points identified in the planning step to resist incoming attacks. The third step is detection, in which a compromise is investigated. Finally, the fourth step in the process is the response. Responding is where an intrusion is dealt with.
2. Honestly, at least at this point, I am not sure. The question seems a lot like asking which one is the most important for a car: gas, an engine, or tires… Without all of them, the car won’t run.
From my very limited understanding starting out in the field, they all seem important, at least if an attack is believed to be imminent. If someone believed that an intrusion was never going to happen, then detection and response might be neglected. Therefore, it would seem that each part plays its own important role.
Incident response cycle – Symantec Security Response – Glossary – Symantec Corp. (2017). Us.norton.com. Retrieved 17 March 2017, from https://us.norton.com/security_response/glossary/define.jsp?letter=i&word=incident-response-cycle
SANS Digital Forensics and Incident Response Blog | The Big Picture of the Security Incident Cycle | SANS Institute. (2017). Digital-forensics.sans.org. Retrieved 17 March 2017, from https://digital-forensics.sans.org/blog/2010/09/27/digital-forensics-security-incident-cycle/
US Department of Commerce. (2012). Computer Security Incident Handling Guide (pp. 21-42). Gaithersburg, MD: National Institute of Standards and Technology.
- What is the incident response cycle?
Each organization has someone who handles their IT problems or disasters. An incident response cycle is what is followed by the IT department when they get computer-related problems or disasters.
Compare and contrast its various phases?
Preparation: The process of preparing for incidents such as security breaches etc.
Identification: The response team is notified, and they will review the data to determine if indeed there was a breach in security.
Containment: The team analyzes the security breach to determine how bad the situation is, then puts measures in place to stop and correct the problem.
Eradication: Discovering the root cause, and implementing a plan to remove it and to eliminate future causes.
Recovery: Data and software are cleaned and restored for use.
Lessons Learned: The team talks about the pros and cons and learns about what they can be better prepared for.
Do you think any one of the phases is more important than the others? Why or why not?
I believe that the 1st phase is important. There isn’t anything more frustrating than not being prepared for what may happen. In addition, we are talking about security breaches that can potentially affect a large number of people, which shouldn’t be taken lightly.
What is incident response? – Definition from WhatIs.com. (n.d.). Retrieved March 18, 2017, from http://searchsecurity.techtarget.com/definition/incident-response
My initial instinct would be (and at least in my experience) that leaders in all the organizations I worked for were brought up in a low-tech environment and have little personal experience in tech. Certainly, they are briefed and think it is important, but without exposure, it must be difficult to comprehend what’s out there. Kind of a blissful lack of knowledge.
I had something similar happen when applying for a cell phone search warrant several years ago. The case involved a string of robberies, and we had an arrest and recovered the suspect’s cell phone. With the help of the US Attorney’s Office, we typed up a warrant that included detailed probable cause for the robberies (and a lot of boilerplate stuff) referring to possible GPS locations contained in the phone of the suspect during the time of the robbery. The very senior judge kept asking how that was possible and why. It took forever. Not his fault so much, but I bet he had very little to no exposure to a smartphone (kind of evident from the flip phone on his desk).
PWC. (2013). Key Findings from the 2013 US State of Cybercrime Survey. Retrieved from http://www.pwc.com/us/en/increasing-it-effectiveness/publications/assets/us-state-of-cybercrime.pdf