Incident response helps organizations make sure they know about security incidents and can act quickly to minimize the damage caused. The aim is also to prevent follow-on attacks or related incidents from taking place in the future. The SANS Institute is a private organization that provides research and education on information security. In this article, we outline in detail the six components of a SANS incident response plan, including preparation, identification, containment, and eradication. Read on to learn more about Cynet's 24/7 incident response team and how they can help your organization.
Incident response is a process that allows organizations to identify, prioritize, contain and eradicate cyberattacks. The goal of incident response is to ensure that organizations are aware of significant security incidents and act quickly to stop the attacker, minimize the damage caused, and prevent follow-on attacks or similar incidents in the future.

What Is SANS?

The SANS Institute is a private organization established in 1989, which offers research and education on information security. It is the world's largest provider of security training and certification, and maintains the largest collection of research about cybersecurity. SANS also operates the Internet Storm Center, an early warning system for global cyber threats.

SANS Incident Response Plan

The SANS Institute published a 20-page handbook that lays out a structured 6-step plan for incident response. Below is a brief summary of the process, and in the following sections we'll go into more depth about each step:
Step 1: Preparation

The goal of the preparation stage is to ensure that the organization can comprehensively respond to an incident at a moment's notice. In a SANS incident response plan, these are critical elements that should be prepared in advance:
Leveraging an integrated breach protection platform for incident response

An integrated security platform like Cynet 360 is highly useful for incident response teams. This platform can automatically determine behavioral baselines, identify anomalies that indicate suspicious behavior, and collect all relevant data across endpoints, networks, and users to help the CSIRT investigate the anomaly. Cynet 360 can help your organization perform remote manual actions to contain security events. These actions can include deleting files, stopping malicious processes, resetting passwords and restarting devices that have been affected. Cynet can also help your organization carry out measures such as preventing rapid encryption of files or automatically isolating endpoints that have been the target of malware. Learn more about Cynet 360's incident response capabilities.

Step 2: Identification

This step involves detecting deviations from normal operations in the organization, understanding whether a deviation represents a security incident, and determining how important the incident is. The SANS incident response identification procedure includes the following elements:
Step 3: Containment

The goal of containment is to limit damage from the current security incident and prevent any further damage. Several steps are necessary to completely mitigate the incident, while also preventing destruction of evidence that may be needed for prosecution. The SANS containment process involves:
Step 4: Eradication

Eradication is intended to actually remove malware or other artifacts introduced by the attacks, and fully restore all affected systems. The SANS eradication process involves:
Step 5: Recovery

The goal of recovery is to bring all systems back to full operation, after verifying they are clean and the threat is removed. The SANS recovery procedure involves:
Step 6: Lessons Learned

No later than two weeks from the end of the incident, the CSIRT should compile all relevant information about the incident and extract lessons that can help with future incident response activity. The SANS lessons learned process includes:
SANS suggests this general format for the incident report:
Follow the SANS IR Framework with Cynet

Cynet 360 provides powerful capabilities across the first three SANS stages: