{"id":2785,"date":"2023-05-14T10:31:19","date_gmt":"2023-05-14T14:31:19","guid":{"rendered":"https:\/\/cybermike.io\/?p=2785"},"modified":"2024-06-22T10:35:16","modified_gmt":"2024-06-22T14:35:16","slug":"incident-response-picerl","status":"publish","type":"post","link":"https:\/\/cybermike.io\/?p=2785","title":{"rendered":"INCIDENT RESPONSE \u2013 PICERL"},"content":{"rendered":"\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>Creating an effective Incident Response plan is critical. Plenty of material exists on the subject, yet many organizations still struggle to get a plan properly implemented. The most common reasons are below.<\/p>\n\n\n\n<p><strong>Challenges<\/strong>:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Lack of Comprehensive Planning<\/strong>:<br>DO NOT rush into this. The plan will differ for every organization depending on its size, environment, risk and regulatory obligations. This is not a &#8220;check box&#8221; activity. DO NOT throw an Incident Response Plan and Procedure together just to satisfy a requirement.<br><\/li>\n\n\n\n<li><strong>Limited Resources and Budget Constraints<\/strong>:<br>I get it, you are a small organization or one that hasn&#8217;t put much value on cybersecurity or incident response. &#8220;We are too small a company to be targeted&#8221;, &#8220;We have nothing they want&#8221;. Get something together at a high level, then keep improving it. Cybersecurity is about continuous improvement; making this process better takes genuine effort from multiple people, and communication will be a key factor in success.<br><\/li>\n\n\n\n<li><strong>Skills Shortage and Training Gaps<\/strong>:<br>Are you the lead? Train through practice. Get your baseline created, then run a tabletop scenario with the people you will need to communicate with during an incident. The lessons learned from that scenario will better prepare your team and get them thinking about &#8220;what ifs&#8221; and &#8220;how can I better prepare&#8221;.<br><\/li>\n\n\n\n<li><strong>Complexity of IT Environments<\/strong>:<br>Not only is this a common obstacle, it is also a huge reason why preparation is key. Know your environment: the better you know it and the better it is documented, the easier it is to notice when something is wrong. Identify your critical assets, the &#8220;crown jewels&#8221;, so you understand what needs protecting and can build defense in depth around it.<br><\/li>\n\n\n\n<li><strong>Effective Communication and Coordination<\/strong>:<br>This is the most common obstacle I find and the most important thing I want everyone to work on. If something bad happened right now and you wanted to alert your Incident Response Team, how would you do it? If you post in Teams or Slack without a dedicated place for it, good luck getting their attention that it is an emergency. Have a dedicated Incident Response channel so that users know &#8220;If I post here I need your immediate attention because it is a RED LEVEL EMERGENCY&#8221;, and keep a second, out-of-band contact method (printed phone numbers, for example) for the case where the collaboration platform itself is what got compromised.<\/li>\n<\/ol>\n\n\n\n<p><strong>PICERL Incident Response Framework<\/strong><\/p>\n\n\n\n<p><strong>PICERL<\/strong> is the six-phase incident handling process (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned) popularized by SANS. It guides an organization through handling a security incident from start to finish, and the last phase feeds back into the first.<\/p>\n\n\n\n<p><strong>PREPARE<\/strong><br>Fail to prepare, prepare to fail. When you are not actively responding to an incident, you are in this phase. Strive to get better through continuous improvement and attack surface reduction. System hardening, vulnerability management, patching, monitoring and logging, documentation (asset inventory, network diagrams, contact lists), training and practice are the things to focus on.<\/p>\n\n\n\n<p><strong>IDENTIFY<\/strong><br>Something has happened. Act quickly and accurately to assess the situation and determine whether it really is an incident rather than a false positive or a misconfiguration. Categorize the incident and prioritize it by severity, risk and impact. Start a timeline and record what you observe from the first minute; every later phase depends on it. Escalate when needed so that the proper incident responders are working any confirmed incident.<\/p>\n\n\n\n<p><strong>CONTAIN<\/strong><br>The goal here is to stop the attack from spreading. Be decisive, because delay lets things get worse, but do not act so hastily that your containment has holes in it: if the attacker still has a foothold you missed, they will simply move. Before you isolate, reimage or power off a system, capture the volatile evidence you will need later (memory, running processes, network connections, logs), or it is gone.<\/p>\n\n\n\n<p><strong>ERADICATE<\/strong><br>Get the attacker completely out and keep them out. This is the more permanent fix that happens after the threat has been contained: remove malware and persistence mechanisms, reset compromised credentials, and complete any hardening, patching and additional configuration required. Keep monitoring; an attacker who still has a way in will come back.<\/p>\n\n\n\n<p><strong>RECOVER<\/strong><br>Restore affected systems to their previous state, with additional measures in place so that the same incident or a similar one cannot happen again. Restore from known-good backups or rebuild, then test, monitor and validate each system as it comes back, watching closely for signs of re-compromise. Get things back to normal.<\/p>\n\n\n\n<p><strong>LESSONS LEARNED<\/strong><br>Document and learn. What happened? How did the incident happen? How was it dealt with? What went well with the response? What went badly? What needs to change in the incident response plan, the tooling or the training? Hold this review soon after the incident while the details are fresh, and feed the results back into the Prepare phase.<\/p>\n\n\n\n<p>Stop reading this, go plan your Incident Response!<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-2785","post","type-post","status-publish","format-standard","hentry","category-cyber-mike","no-post-thumbnail"],"_links":{"self":[{"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/posts\/2785","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cybermike.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2785"}],"version-history":[{"count":1,"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/posts\/2785\/revisions"}],"predecessor-version":[{"id":2786,"href":"https:\/\/cybermike.io\/index.php?rest_route=\/wp\/v2\/posts\/2785\/revisions\/2786"}],"wp:attachment":[{"href":"https:\/\/cybermike.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2785"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybermike.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2785"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybermike.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2785"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}