Incident Response Handling


Preparation

This phase covers the essential groundwork for a successful response to an incident. A policy is created to support the incident response process, and a response and communication plan is developed and refined to direct efforts during the response. It is also crucial that incident responders have access to the information systems on the network that they need to perform their duties.


Identification

This phase of the process identifies an event as an incident. Response time is critical so that the incident response team can collect evidence and prepare for the next phases. The evidence will help answer the questions of who, what, where, how, and why.


Containment

This phase limits or prevents further damage to the information system or network. Containment is broken up into three steps. The first is short-term containment; this quickly stops any further damage but does not solve the underlying issue. The second step is to ensure there is a backup of the system, either for forensics or to collect information that is critical to the business. The last step is long-term containment; this allows the business either to safely continue using the information system or to prepare for rebuilding it.


Eradication

This phase removes malicious software, accounts, and backdoors. The goal is to remove the attacker's artifacts from the information systems or network. Defenses are improved during this phase to prevent further incidents, and further vulnerability analysis of all information systems and the network is conducted to verify that no additional attack vectors remain.


Recovery

This phase is where the systems are put back into production. The goal is to ensure they will not cause any further damage or present a new risk. To return systems to production, they can be wiped and restored to the baseline configuration, or restored from a backup that has been verified to contain no malicious software, accounts, or backdoors. After systems are restored, it is essential to monitor them closely to ensure that another incident does not occur and that artifacts do not return.
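The verification step that eradication and recovery call for, as an added example that is not part of the original page: a check that compares a recovered host's inventory against its pre-incident baseline and the list of artifacts removed during eradication, so the host is released only when nothing flagged has returned. The inventory fields, account and service names, paths and digests are constructed assumptions.

```python
"""Added example: check a recovered host against its pre-incident baseline and the
artifacts removed during eradication before it returns to production. All data is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HostInventory:
    accounts: frozenset
    services: frozenset
    scheduled_tasks: frozenset
    file_hashes: dict  # path -> digest of the file on disk


def recovery_findings(baseline, recovered, eradicated):
    """Return (category, item, reason) tuples; an empty list means the host matches
    its baseline and none of the eradicated artifacts have returned."""
    findings = []
    for kind in ("accounts", "services", "scheduled_tasks"):
        base, now = getattr(baseline, kind), getattr(recovered, kind)
        for item in sorted(now - base):
            returned = item in eradicated.get(kind, set())
            reason = "eradicated artifact returned" if returned else "not in baseline"
            findings.append((kind, item, reason))
        for item in sorted(base - now):
            findings.append((kind, item, "missing from baseline"))
    for path, digest in sorted(recovered.file_hashes.items()):
        expected = baseline.file_hashes.get(path)
        if expected is None:
            findings.append(("file", path, "not in baseline"))
        elif digest != expected:
            findings.append(("file", path, "hash differs from baseline"))
    return findings


# Constructed sample data: hypothetical accounts, services and digests.
BASELINE = HostInventory(frozenset({"root", "svc_backup"}), frozenset({"sshd", "nginx"}),
                         frozenset({"logrotate"}), {"/usr/sbin/sshd": "sha256:baseline-sshd"})
# Artifacts removed during eradication; they must not reappear after recovery.
ERADICATED = {"accounts": {"support2"}, "scheduled_tasks": {"update-check"}}
CLEAN_HOST = BASELINE
SUSPECT_HOST = HostInventory(frozenset({"root", "svc_backup", "support2"}), BASELINE.services,
                             frozenset({"logrotate", "update-check"}),
                             {"/usr/sbin/sshd": "sha256:modified-sshd"})

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("suspect", SUSPECT_HOST)):
        findings = recovery_findings(BASELINE, host, ERADICATED)
        print(f"{name}: {'release' if not findings else 'hold'}")
        for finding in findings:
            print("  ", *finding)
```

Running the same comparison on a schedule after release is one way to implement the close monitoring the text asks for, since a returning artifact shows up as a new finding.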

Lessons Learned

In the final phase, all documents and information are collected and compiled. The goal is to ensure the documentation is complete and provides information to assist future incident response. This documentation consists of a step-by-step replay of the entire incident and provides recommendations on how to improve the incident response process in the future.