The Six Stages of Incident Response

As the Manager for IT Security and Identity Services at Griffith University, Ashley Deuble has to manage a complex environment with a massive number of internal and external users. Securing such a wide gamut of customers, often with very specific needs, is very challenging, particularly when it comes to ensuring that everyone has appropriate and reliable access.

Ashley Deuble speaking at AusCERT2016

“My big focus is around ensuring that appropriate security and risk evaluation is baked into everything that we do. As we are a university we tend to deal with a lot of different types of data, ranging from public information through to cutting-edge research information and even health and patient medical records. It's definitely a juggling act to securely make most of our information as open and accessible as possible, whilst still protecting other key assets,” he says.

Like most organisations, there’s pressure to look beyond traditional, on-premises systems and move operations to the cloud. However, that is not without its own challenges.

“One of my key areas of focus is in the governance of security and identity as we push the boundaries of the traditional University network model out to these services,” says Deuble.

A major part of that focus is incident response. Over several years of working with many companies and observing the actions of many more, Deuble saw that all had an idea of what incident response was, but when the time came they were unable to execute it smoothly or reliably.

“Incident response is one of those things that should be practised regularly, like fire safety training or disaster recovery testing, so that when something bad happens your actions are almost second nature, ensuring a favourable outcome,” he says.

Through that experience and observation, Deuble has developed a six-stage model for dealing with incidents.

Deuble says the six stages of incident response that we should be familiar with are preparation, identification, containment, eradication, recovery and lessons learned. At each of these stages there are a few big-ticket items that we want to make sure we get right.

1 - Preparation

The preparation phase is about ensuring you have the appropriate response plans, policies, call trees and other documents in place, and that you have identified the members of your incident response team, including external entities.

2 - Identification

In the identification phase you need to work out whether you are dealing with an event or an incident. This is where understanding your environment is critical: it means being able to spot significant deviations from "normal" traffic baselines, or to detect anomalies by other methods.
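As an added illustration of the baseline-deviation check described above (example code, not from the article or from Griffith University), the following Python scores constructed per-host outbound byte counts against a known-good window and labels each host as normal, an event worth logging, or an incident candidate; the log format, host names and z-score thresholds are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample records (not from the article): "<hour> <host> <outbound_bytes>".
BASELINE_LOG = """\
2016-05-16T09 ws-101 1200
2016-05-17T09 ws-101 1300
2016-05-18T09 ws-101 1200
2016-05-19T09 ws-101 1300
2016-05-16T09 ws-202 400
2016-05-17T09 ws-202 410
2016-05-18T09 ws-202 390
2016-05-19T09 ws-202 400
"""
# The window under review: one host slightly high, one wildly high, one never seen before.
CURRENT_LOG = """\
2016-05-23T09 ws-101 1375
2016-05-23T09 ws-202 9000
2016-05-23T09 ws-303 500
"""

def parse_log(text):
    """Turn raw lines into (hour, host, bytes) tuples, skipping blank lines."""
    rows = (line.split() for line in text.splitlines() if line.strip())
    return [(hour, host, int(nbytes)) for hour, host, nbytes in rows]

def build_baseline(records):
    """Per-host mean and sample standard deviation of bytes from a known-good window."""
    per_host = defaultdict(list)
    for _, host, nbytes in records:
        per_host[host].append(nbytes)
    # Floor the deviation so a perfectly flat baseline cannot divide by zero.
    return {h: (statistics.mean(v), max(statistics.stdev(v), 1.0)) for h, v in per_host.items()}

def triage(baseline, records, event_z=2.0, incident_z=3.0):
    """Label each observation: normal, event (log it) or incident candidate (escalate)."""
    verdicts = {}
    for _, host, nbytes in records:
        if host not in baseline:
            verdicts[host] = ("unknown-host", None)  # nothing to compare against: investigate
            continue
        mean, stdev = baseline[host]
        z = (nbytes - mean) / stdev
        label = "incident-candidate" if z >= incident_z else "event" if z >= event_z else "normal"
        verdicts[host] = (label, round(z, 2))
    return verdicts

# Score the constructed review window against the constructed baseline, keyed by host.
RESULT = triage(build_baseline(parse_log(BASELINE_LOG)), parse_log(CURRENT_LOG))
```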

3 - Containment

Deuble says that as you head into the containment stage you will want to work with the business to limit the damage caused to systems and prevent any further damage from occurring. This includes short- and long-term containment activities.

4 - Eradication

During the fourth stage the emphasis is on ensuring you have a clean system ready to restore. This may be a complete reimage of a system, or a restore from a known good backup.

5 - Recovery

At this point, it’s time to determine when to bring the system back into production and how long we monitor the system for any signs of abnormal activity.

6 - Lessons Learned

This final stage is often skipped as the business moves back into normal operations, but it’s critical to look back and heed the lessons learned. These lessons will allow you to incorporate additional activities and knowledge back into your incident response process to produce better future outcomes and additional defences.