Incident Response, Business Continuity, and Disaster Recovery


Tags: #security #incident #businesscontinuity #disasterrecovery

By Argosenpaikun


Incident

  • An incident is any event that compromises, or has the potential to compromise, the confidentiality, integrity, or availability (CIA) of information or systems.
  • Examples:
    • Malware infection
    • Unauthorized access to sensitive data
    • Denial-of-service attack

Security Event

  • A security event has been confirmed as a violation of security policies or acceptable use.
  • Examples:
    • A ransomware attack encrypting company files.
    • A data breach exposing customer PII

Incident Response (IR)

  • A structured process to detect, analyze, contain, eradicate, and recover from security incidents.
  • Purpose:
    • Minimize impact of incidents
    • Restore normal operations quickly
    • Gather evidence for investigation or compliance

Key Phases of Incident Response

  1. Preparation:
    • Establish policies, procedures, tools, and communication plans.
    • Example: Security awareness training, backup systems.
  2. Identification/Detection:
    • Recognize potential incidents from logs, alerts, or reports.
    • Example: IDS alerts, unusual network traffic.
  3. Containment:
    • Limit the spread or impact of the incident.
    • Example: Isolating infected systems from the network.
  4. Eradication:
    • Remove the root cause of the incident.
    • Example: Deleting malware, closing exploited vulnerabilities.
  5. Recovery:
    • Restore systems to normal operation and monitor for recurrence.
    • Example: Restoring backups, verifying system integrity.
  6. Lessons Learned / Post-Incident Review:
    • Analyze what happened and improve controls and processes.
    • Example: Updating policies, patching vulnerabilities, employee training.
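As an added example (not code from the original post), here is a small Python incident tracker that enforces the order of the six phases listed above and runs a constructed identification rule over sample IDS alerts; the threshold, time window, host names and alert format are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Phases from the list above, in the order a ticket has to move through them.
PHASES = ("preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned")

@dataclass
class Incident:
    """One ticket: current phase plus a timestamped note for each transition."""
    title: str
    timeline: dict = field(default_factory=dict)  # phase -> (timestamp, note)
    idx: int = 0  # index into PHASES; 0 = preparation, nothing detected yet

    @property
    def phase(self) -> str:
        return PHASES[self.idx]

    def advance(self, phase: str, when: datetime, note: str) -> None:
        """Move to the next phase only; skipping one (e.g. recovery before
        containment) is rejected so eradication cannot be silently missed."""
        if PHASES.index(phase) != self.idx + 1:
            raise ValueError(f"cannot go from {self.phase} to {phase}")
        self.idx += 1
        self.timeline[phase] = (when, note)

    def elapsed(self, start: str, end: str) -> timedelta:
        """Time between two logged phases, e.g. identification -> containment."""
        return self.timeline[end][0] - self.timeline[start][0]

def triage(alerts: list, threshold: int = 3, window=timedelta(minutes=10)) -> list:
    """Identification step: open one incident per host that raises `threshold`
    or more IDS alerts inside `window` (constructed rule, not a real IDS API)."""
    by_host: dict = {}
    for a in sorted(alerts, key=lambda a: a["time"]):
        by_host.setdefault(a["host"], []).append(a["time"])
    incidents = []
    for host, times in by_host.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                inc = Incident(f"repeated IDS alerts on {host}")
                inc.advance("identification", times[i + threshold - 1],
                            f"{threshold} alerts within {window}")
                incidents.append(inc)
                break
    return incidents

# Constructed sample alerts: three from host-a within 4 minutes, one stray from host-b.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_ALERTS = [{"host": "host-a", "time": T0 + timedelta(minutes=m)} for m in (0, 2, 4)]
SAMPLE_ALERTS.append({"host": "host-b", "time": T0 + timedelta(minutes=1)})
```

The `elapsed` call gives time-to-contain and time-to-recover figures for the post-incident review, and the rejected skip is the kind of control gap that review should catch.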

Incident Response