Incident Response
Responding to and managing security incidents
Incident Response is the organized approach to addressing and managing a security breach or cyberattack, with the goal of minimizing damage and reducing recovery time and cost.
Incident Response Phases
- Preparation - Developing plans, tools, and team capabilities
- Identification - Detecting and confirming security incidents
- Containment - Limiting the spread and impact of incidents
- Eradication - Removing threats from the environment
- Recovery - Restoring systems to normal operations
- Lessons Learned - Analyzing incidents to improve defenses
Key Activities
- Alert triage and investigation
- Forensic evidence collection
- Malware analysis
- Threat hunting
- Stakeholder communication
- Regulatory notification
Team Structure
- Incident Commander
- Security Analysts
- Forensic Investigators
- Communications Lead
- Legal and Compliance Representatives
Frameworks
- NIST SP 800-61 (Computer Security Incident Handling Guide)
- SANS Incident Response Process
- MITRE ATT&CK for incident analysis