
4 Critical Phases We Need to Know Before Developing a Cybersecurity Incident Response Plan | by Bernadus Raven Christianto | Jan 2024

Artificial Intelligence, Blockchain, Internet of Things (IoT): over the past 10 years, technology has advanced continuously, every single day. While we may already be familiar with these wonders, we should also be aware of emerging cyberthreats that are capable of compromising the confidentiality, integrity, and availability of the technology we use every day.

According to Mandiant's M-Trends 2023 report, in 2022 Mandiant closely monitored 588 new malware families. Among these, the top five categories were identified by their primary objective: helping bad actors achieve financial gain by stealing credentials, disrupting systems, and performing malicious actions on the victim's systems. This indicates that bad actors continue to enhance their skills and toolsets to create new cyberthreats (threats that target computer networks, systems, and user data) and to perform cyberattacks (unauthorized and unlawful attempts to steal, modify, or destroy systems, user data, or digital assets).

Without close attention and mitigation in place, a cyberthreat can eventually become something far more sinister: a cybersecurity incident (an event that causes an adverse impact on a computer network, system, data, or information). For businesses, failure to prepare for cybersecurity incidents can lead to severe consequences such as financial losses, regulatory penalties, reputational damage, and loss of customer trust.

So what if a cybersecurity incident really happens? Do businesses have the capabilities and resources ready, and what about the preparation and the team to handle the incident? To answer these questions, an adequate incident response plan should be developed to respond to the incident, minimize the impact of a successful attack, and recover to a normal operational state.

The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization's information system(s).

Definition of an incident response plan, from NIST Special Publication 800-34 Rev. 1

But before developing an incident response plan, we should be familiar with the incident response phases, a systematic process for managing cybersecurity incidents. At a high level, NIST SP 800-61 (guidelines for establishing computer security incident response capabilities and handling incidents) sets out four main phases of incident response:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

Now, let's delve into each of these four phases and see which activities each one covers.

Let's think metaphorically, as if we were preparing for a thunderstorm. We want to make sure we have a safe place in the house to gather during the storm, to stockpile supplies and a first aid kit, and to teach the family some survival skills, such as avoiding windows and breakable objects and taking cover under sturdy furniture.

In the Preparation phase, we ready the people, process, and technology needed to respond effectively to a cybersecurity incident.

  • People: the Management Committee, responsible for making decisions aligned with business needs and providing high-level direction during the incident response process; the Incident Response Team (IRT), a cross-functional team responsible for preparing for and responding to cybersecurity incidents; and Business Users, responsible for reporting any suspicious sign that may indicate a cybersecurity incident to the designated IT team and for supporting the IRT during each stage of the response. Each of these stakeholders should be prepared through scenario-based exercises in order to operate effectively.
  • Process: developing the incident response plan, the communication plan, metrics for performance measurement, and the related documents that serve as guidelines, such as the incident response policy and procedures. On top of that, the incident response plan and communication plan should be tested regularly to ensure that they operate as expected.
  • Technology: the tools or systems that will support the incident response process, such as a Security Information and Event Management (SIEM) system to detect abnormal security events, or Security Orchestration, Automation, and Response (SOAR) to integrate separate security tools and streamline the incident response workflow.

Now that we have everything in place, it feels a little safer. But wait a minute: notice the large dark clouds approaching, and the temperature has suddenly dropped. Maybe it is a sign of a coming thunderstorm.

In the Detection and Analysis phase, we want to detect whether something abnormal is happening and validate whether or not it is a sign of a cybersecurity incident, by following this course of action:

  • Identify and monitor inputs that could signal a cybersecurity incident may happen in the future or is already happening. These inputs could be alerts from security monitoring tools, system logs that show unauthorized changes, a report from a user about problems with their device, or a report from a system administrator about unusually large traffic leaving the business network.
  • Perform initial analysis and validation: first establish a baseline of what normal behavior in an application system looks like, then take a sample of those inputs and look for anomalous events that may indicate something is happening by correlating them against the baseline. A deviation from the baseline is a lead to be validated, not yet a confirmed incident.
  • Declare an incident if the validated anomalous events could significantly and negatively impact confidentiality, integrity, or availability, or if they match the criteria set in advance for categorizing an event as an incident.
  • Record and document the important information in a systematic manner, such as the incident responder's name, a summary of the incident, the date and time of detection, where the incident was initially detected, and the actions taken by the responder. This can be done using a spreadsheet, a database application, or a tracking system.
  • Notify the appropriate stakeholders within the business, such as C-level executives, system owners, human resources, and public relations, and, where the incident or regulation requires it, external parties such as law enforcement.
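The following is an added example, not code from the original post, showing the baseline-versus-anomaly validation, the incident declaration criterion, and the structured record from the steps above, run over a constructed set of log lines. The log format, host names, byte counts, z-score and ratio thresholds, asset classifications, and the responder name are all assumptions made for illustration.

```python
"""Added example, not part of the original post: baseline-versus-anomaly
triage of per-host outbound traffic, an incident declaration criterion,
and the structured record that results. The log format, host names, byte
counts, thresholds, asset classifications and responder name are all
constructed for illustration."""
import re
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed log format: "<date> egress host=<name> bytes=<n>"
LINE_RE = re.compile(r"^(?P<ts>\S+) egress host=(?P<host>\S+) bytes=(?P<bytes>\d+)$")

# Constructed seven-day baseline for two hosts (system logs are one of the
# inputs listed above).
BASELINE_LOG = """\
2024-01-01 egress host=ws-042 bytes=400000000
2024-01-02 egress host=ws-042 bytes=410000000
2024-01-03 egress host=ws-042 bytes=390000000
2024-01-04 egress host=ws-042 bytes=405000000
2024-01-05 egress host=ws-042 bytes=395000000
2024-01-06 egress host=ws-042 bytes=415000000
2024-01-07 egress host=ws-042 bytes=385000000
2024-01-01 egress host=db-01 bytes=1200000000
2024-01-02 egress host=db-01 bytes=1210000000
2024-01-03 egress host=db-01 bytes=1190000000
2024-01-04 egress host=db-01 bytes=1205000000
2024-01-05 egress host=db-01 bytes=1195000000
2024-01-06 egress host=db-01 bytes=1215000000
2024-01-07 egress host=db-01 bytes=1185000000
"""

# Constructed observations for the day under review; lab-99 has no history.
TODAY_LOG = """\
2024-01-08 egress host=ws-042 bytes=6000000000
2024-01-08 egress host=db-01 bytes=1250000000
2024-01-08 egress host=lab-99 bytes=50000000
"""

# Constructed asset inventory; the declaration criterion keys off it.
ASSET_CLASSIFICATION = {"ws-042": "confidential", "db-01": "restricted"}


def parse_egress(log_text):
    """Group (date, bytes) observations by host; non-matching lines are skipped."""
    per_host = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            per_host.setdefault(m["host"], []).append((m["ts"], int(m["bytes"])))
    return per_host


def build_baseline(per_host):
    """Mean and population standard deviation of daily egress, per host."""
    return {host: (mean(b for _, b in obs), pstdev(b for _, b in obs))
            for host, obs in per_host.items()}


def score(baseline, host, today_bytes, z_threshold=3.0, min_ratio=2.0):
    """Compare one observation with the host's baseline.

    Returns (verdict, z, ratio) with verdict in {"normal", "anomalous",
    "no_baseline"}. Two gates apply together: the z-score keeps tight
    baselines sensitive, and the absolute ratio stops a small bump on a very
    stable host (large z, but traffic barely moved) from being called an
    anomaly. A host with no history cannot be validated automatically.
    """
    if host not in baseline:
        return "no_baseline", None, None
    mu, sigma = baseline[host]
    ratio = today_bytes / mu if mu else float("inf")
    if sigma == 0:
        z = 0.0 if today_bytes == mu else float("inf")
    else:
        z = (today_bytes - mu) / sigma
    verdict = "anomalous" if (z >= z_threshold and ratio >= min_ratio) else "normal"
    return verdict, z, ratio


def triage(baseline_log, today_log, responder, now=None):
    """Validate today's observations, decide whether to declare an incident,
    and return the record to be filed in the tracking system."""
    baseline = build_baseline(parse_egress(baseline_log))
    findings = []
    for host, obs in parse_egress(today_log).items():
        for ts, b in obs:
            verdict, z, ratio = score(baseline, host, b)
            if verdict != "normal":
                findings.append({"host": host, "date": ts, "bytes": b, "verdict": verdict,
                                 "z": z, "ratio": ratio,
                                 "classification": ASSET_CLASSIFICATION.get(host, "unclassified")})
    # Declaration criterion (constructed): a validated egress anomaly on a host
    # holding confidential or restricted data is a confidentiality impact.
    declared = any(f["verdict"] == "anomalous" and f["classification"] in ("confidential", "restricted")
                   for f in findings)
    anomalies = sum(1 for f in findings if f["verdict"] == "anomalous")
    return {
        "responder": responder,
        "summary": "outbound traffic anomaly on %d host(s), %d host(s) without baseline"
                   % (anomalies, len(findings) - anomalies),
        "detected_at": (now or datetime.now(timezone.utc)).isoformat(),
        "detected_where": "egress logs, baseline comparison",
        "findings": findings,
        "declared": declared,
        "actions": ["baseline comparison performed",
                    "incident declared, stakeholders to be notified" if declared else "kept under review"],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(BASELINE_LOG, TODAY_LOG, "A. Responder"), indent=2))
```

With the constructed data, ws-042 is flagged (fifteen times its usual egress), db-01 is not despite a z-score of 5 because its traffic barely moved in absolute terms, and lab-99 is reported separately as lacking a baseline rather than being silently declared normal or anomalous.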

During a thunderstorm, we do our best to keep family members safe by staying inside, sheltering in a safe spot, and waiting at least 30 minutes for the thunderstorm to cease. After the storm has completely subsided, we clear any debris and assess and repair any damage to the house.

In the Containment, Eradication, and Recovery phase, we want to isolate the source of the incident, stop the ongoing attack, and prevent it from spreading further across networks and application systems; then remove all residual threats or vulnerabilities; and lastly restore the affected systems to their normal operating state.

  • Incident containment should follow a tailored strategy that differs by incident type. Actions taken to contain may include taking down the affected systems, disconnecting or isolating them from the network, or redirecting the bad actors into a sandbox environment (an isolated environment that lets the IRT monitor the bad actors' activity without affecting production applications). One thing to note: evidence should be gathered and preserved for legal and regulatory purposes before containment or eradication changes or destroys it, with a record of who collected it, when, and how it was handled afterwards (chain of custody).
  • Incident eradication focuses on purging all identified malicious content, threats, or vulnerabilities from the affected systems. Actions taken may include removing malware with anti-malware solutions or deleting the bad actors' artifacts, such as files or software.
  • Incident recovery entails several actions that may include restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, and continuously monitoring the systems until they have returned to a normal state.
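The following is an added example, not code from the original post, showing why evidence is preserved before eradication: each artifact is copied into an evidence store, hashed with SHA-256 on both sides of the copy, and logged with the collector and time in a manifest whose item list is itself hashed, so that later tampering with a copy or the record is detectable even after eradication has deleted the original. The file names, file contents, collector identities, and the manifest layout are assumptions made for this example, not a standard format.

```python
"""Added example, not part of the original post: evidence preservation
ahead of eradication, with integrity hashes and a chain-of-custody log.
The artifact names, contents, collector identities and manifest layout
are constructed for illustration."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _items_digest(items):
    """Digest of the manifest item list, so edits to the record itself show up."""
    return hashlib.sha256(json.dumps(items, sort_keys=True).encode()).hexdigest()


def collect_evidence(paths, evidence_dir, collector, now=None):
    """Copy artifacts into evidence_dir and return a manifest describing them.

    The source is hashed before the copy and the copy hashed after; the two
    must agree. A mismatch means the artifact changed under us (for example a
    log still being written) and must be re-collected, not silently kept.
    """
    ts = (now or datetime.now(timezone.utc)).isoformat()
    items = []
    for src in paths:
        src_hash = sha256_file(src)
        dst = os.path.join(evidence_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        dst_hash = sha256_file(dst)
        if dst_hash != src_hash:
            raise RuntimeError("artifact changed during collection: %s" % src)
        items.append({"source": src, "stored": dst,
                      "size": os.path.getsize(dst), "sha256": dst_hash})
    return {"collector": collector, "collected_at": ts, "items": items,
            "items_sha256": _items_digest(items),
            "custody": [{"action": "collected", "by": collector, "at": ts}]}


def transfer_custody(manifest, from_person, to_person, now=None):
    """Append a hand-over entry; every holder of the evidence is recorded."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    manifest["custody"].append({"action": "transferred", "from": from_person,
                                "to": to_person, "at": ts})
    return manifest


def verify_evidence(manifest):
    """Return a list of problems found; an empty list means the evidence is intact."""
    problems = []
    if _items_digest(manifest["items"]) != manifest["items_sha256"]:
        problems.append("manifest item list was altered")
    for item in manifest["items"]:
        if not os.path.exists(item["stored"]):
            problems.append("missing: " + item["stored"])
        elif sha256_file(item["stored"]) != item["sha256"]:
            problems.append("hash mismatch: " + item["stored"])
    return problems


def demo():
    """Constructed scenario: a dropped binary is collected, custody is handed
    over, eradication deletes the original, and then a stored copy is altered.
    Returns (manifest, problems after eradication, problems after tampering)."""
    with tempfile.TemporaryDirectory() as work:
        host, store = os.path.join(work, "host"), os.path.join(work, "evidence")
        os.makedirs(host)
        os.makedirs(store)
        dropper = os.path.join(host, "update.exe")
        with open(dropper, "wb") as f:
            f.write(b"MZ" + b"\x90" * 64)  # constructed stand-in for a dropped binary
        manifest = collect_evidence([dropper], store, "ir-analyst-1")
        transfer_custody(manifest, "ir-analyst-1", "forensics-lead")
        os.remove(dropper)  # eradication: the original is gone, the copy remains
        after_eradication = verify_evidence(manifest)
        with open(manifest["items"][0]["stored"], "ab") as f:
            f.write(b"!")  # simulated tampering with the stored copy
        after_tamper = verify_evidence(manifest)
        return manifest, after_eradication, after_tamper


if __name__ == "__main__":
    m, ok, bad = demo()
    print(json.dumps(m["custody"], indent=2))
    print("after eradication:", ok or "intact")
    print("after tampering:", bad)
```

Had the dropper been deleted by the anti-malware tool before the copy was taken, there would be nothing left to hand to legal or a regulator; the hash comparison is what later lets an analyst show that what is in the evidence store is what was on the host at collection time.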

Finally the thunderstorm has gone, and we go back to our usual activities. But keep in mind that it may come again one day, so we want to plan in advance and learn from our previous mistakes.

In the Post-Incident Activity phase, we reflect on what went well and what could be improved. At the end of the incident, all the stakeholders who held responsibilities during the incident response process should hold a meeting to discuss these matters. Self-assessment questions to ask during the meeting include:

  • How well did the team collaborate during the incident?
  • What obstacles did we face during the incident response?
  • What areas could be improved to prevent the same incident from occurring again?

During this meeting all feedback and action items should be documented, and an improvement plan should be developed and then implemented.

Now we have come to the end of this post. We understand that as technology advances it also brings new cyberthreats that put our technology assets at risk. Left unchecked, these cyberthreats can escalate into cybersecurity incidents. A cybersecurity incident response plan needs to prepare all the resources required and serve as a guideline for responding to cybersecurity incidents. To develop a thorough cybersecurity incident response plan, we should first understand the four phases of incident response: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity.

Thank you for joining me! If you found this post helpful, make sure to follow me and share this with your friends and colleagues. Let me know your thoughts in the comments section below.


  1. Mandiant, M-Trends 2023
  2. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
