WK4 Phases of incident response playbooks Flashcards
Playbook
A playbook is a manual that provides details about any operational action. Playbooks also clarify what tools should be used in response to a security incident.
In the security field, playbooks are essential.
Urgency, efficiency, and accuracy are necessary to quickly identify and mitigate a security threat to reduce potential risk. Playbooks ensure that people follow a consistent list of actions in a prescribed way, regardless of who is working on the case.
Commonly used playbook
Incident response playbook
Incident response is an organization’s quick attempt to identify an attack, contain the damage, and correct the effects of a security breach. An incident response playbook is a guide with six phases used to help mitigate and manage security incidents from beginning to end.
- Preparation
Organizations must prepare to mitigate the likelihood, risk, and impact of a security incident by documenting procedures, establishing staffing plans, and educating users. Preparation sets the foundation for successful incident response. For example, organizations can create incident response plans and procedures that outline the roles and responsibilities of each security team member.
Before incidents occur, mitigate potential impacts on the organization by documenting, establishing staffing plans, and educating users.
- Detection and Analysis
The objective of this phase is to detect and analyze events using defined processes and technology. Using appropriate tools and strategies during this phase helps security analysts determine whether a breach has occurred and analyze its possible magnitude.
Detect and analyze events by implementing defined processes and appropriate technology.
- Containment
The goal of containment is to prevent further damage and reduce the immediate impact of a security incident. During this phase, security professionals take actions to contain an incident and minimize damage. Containment is a high priority for organizations because it helps prevent ongoing risks to critical assets and data.
Prevent further damage and reduce immediate impact of incidents.
- Eradication and Recovery
This phase involves the complete removal of an incident’s artifacts so that an organization can return to normal operations. During this phase, security professionals eliminate artifacts of the incident by removing malicious code and mitigating vulnerabilities. Once they’ve exercised due diligence, they can begin to restore the affected environment to a secure state. This is also known as IT restoration.
Completely remove artifacts of the incident so that an organization can return to normal operations.
- Post-incident activity
This phase includes documenting the incident, informing organizational leadership, and applying lessons learned to ensure that an organization is better prepared to handle future incidents. Depending on the severity of the incident, organizations can conduct a full-scale incident analysis to determine the root cause of the incident and implement various updates or improvements to enhance its overall security posture.
Document the incident, inform organizational leadership, and apply lessons learned.
- Coordination
Coordination involves reporting incidents and sharing information throughout the incident response process, based on the organization’s established standards. Coordination is important for many reasons: it ensures that organizations meet compliance requirements, and it allows for a coordinated response and resolution.
Report incidents and share information throughout the response process, based on established standards.