6 Incident Response
This chapter covers
- The difference between events, incidents, and security incidents
- The four phases of the Incident Response Lifecycle
- The Incident Response Plan
- Organization of the Security Operations Center (SOC)
While risk management seeks to lower the likelihood and minimize the impact of risks, some risks can never be completely eliminated. Undesired events such as cyberattacks or equipment failures are how risks materialize, and they can cause significant damage if not resolved effectively. We will use the term incident for any undesired event that causes, or has the potential to cause, disruption or damage.
To protect themselves from disruptions to business operations and damage to assets, organizations implement an incident response strategy that detects incidents and then takes action to mitigate, contain, and resolve them. Central to this strategy are creating and maintaining an incident response plan, collecting data and feedback to improve it continually, and organizing teams around it.
This chapter presents the concepts related to incident response and their role in safeguarding organizational security. We will examine each key stage of the incident response process: preparation, identification, containment, eradication, recovery, and lessons learned. We will also become familiar with common types of security incidents and learn how to respond appropriately to each scenario.