The goal of response and recovery is to prevent further damage, restore infrastructure integrity, ensure all assets are accounted for and reevaluate the success or failure of the current incident response plan. Items to focus on after recovery include:
Resolve the incident based on the IR plan to mitigate the threat Restore system and network integrity Continue documentation Ensure proper notifications have taken place Coordinate with incident response team Evaluate status of assets Perform post-incident analysis Evaluate success of current plan Perform a “hotwash” Implement new strategies and proactive measures
Step 1: Follow the incident response plan to mitigate the threat
Organizations should have an incident response plan already written and in place. This incident response plan is the complete guide on what to do after a breach or any type of security incident. Once the breach occurs, follow the plan to ensure the threat is mitigated.
Step 2: Restore system & network integrity
Once the threat has been mitigated, the system has to be restored back to not only a safe state, but also to its healthiest state. Part of a good incident response plan is the response and recovery section that illustrates how to restore network and system integrity.
Step 3: Document the incident response process
As the system is being restored, it is important to document the process. The incident response plan gives information on how to mitigate the threat and restore the system, however, there are always anomalies that happen in the cyber world. Thus, given fixes may not always work as expected. It is important to document any hiccups that happened during the restoration process. It is also important to document as much information as possible during the actual breach. This type of information is used to evaluate the potential for future incidents, and it is also helpful when performing future security training, exercises or in writing future policies.
Step 4: Ensure proper notifications have taken place
When a cyber security incident takes place, it is easy to forget to notify everyone that needs to be notified. This includes both executive-level officials, as well as possibly law enforcement. The incident response plan will identify who needs to be notified during various types of incidents.
Step 5: Coordinate with incident response team
Now that you are in the recovery and restoration phase, it is important to coordinate with the incident response team to make sure efforts aren’t being duplicated and to verify the status of the system state.
Step 6: Evaluate status of data assets
During the chaos of an incident, the status and location of items can change. It is important during the restoration phase to review the inventory list and make sure all items are accounted for. It is also important to evaluate system processes to ensure they have all been restored. The most important asset of all are the people associated with an organization. During certain cyber events, an incident response plan may suggest calling employees by implementing a call tree.
Step 7: Conduct post-incident analysis
Designate members of the incident response team or lead cybersecurity personnel to review the incident, including the response and recovery process. This review will evaluate what happened, how quickly the response started and how long it lasted. During the post-incident analysis, documentation of the incident and the response will be reviewed as well. During this analysis, a report may be created to document the findings.
Step 8: Evaluate success of current incident response plan
Use the post incident analysis to evaluate the effectiveness of the current incident response plan. Was the incident found in a reasonable amount of time? Was the system down as long as expected? Were the right personnel available to respond? Did recovery and restoration happen in the time expected? Were backups available and as up to date as possible? These are questions to ask while evaluating the success of the plan. These questions can be answered in the post incident analysis report.
Step 9: Perform a “Hotwash”
A hotwash is also called an after action report (AAR). This is when you gather all of the pertinent personnel to review the incident and collaborate on everyone’s view on the success or failure of the response to the incident. A hotwash should include the incident response team, a member of the IT team, high-level executives and third-party vendors that may have participated in the incident response. A hotwash could be a series of several meetings or one long meeting, but it is a post-incident analysis and review, as well as an evaluation of the plan success.
Step 10: Implement new incident response strategies & proactive measures
During a hotwash, items will be presented that can be used to update the current incident response plan. If flaws are found, this is the time to start documenting potential changes to the plan based on the response to the incident. Reviewing documentation captured during the response and mitigation phase is very important. Knowing what worked during a particular event can make the recovery process more streamlined and repeatable. You will evaluate how everyone performed, if the plan is clear to everyone that plays a role in incident response and if you were able to contact everyone you needed to during the event.