Following the common phases of incident response (IR), an incident response plan has five key phases.
1. Preparation:
- Preparing users and IT staff to handle potential incidents, should they arise.
2. Identification and Assessment:
- Determining what happened, communicating clearly, and engaging the right expertise to answer questions such as:
- When did the event happen?
- How many areas have been impacted?
- What is the scope of the compromise?
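The identification questions above (when did it happen, how many areas, what is the scope) are usually answered by searching available logs for an indicator the analyst already holds. The script below is an added example, not part of the original text: it runs over a few constructed syslog-style lines, takes a suspicious source IP as the indicator, and reports first/last seen time, impacted hosts and areas, and other events on those hosts that do not mention the indicator but deserve review. The log format, the host-naming convention used to derive an "area", and the sample values are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines for illustration (not from any real system).
# Assumed format: "<ISO-8601 timestamp> <host> <process>: <message>"
SAMPLE_LOGS = """\
2024-03-01T08:02:11Z web-01 sshd: Accepted password for deploy from 198.51.100.23
2024-03-01T08:05:42Z web-01 sshd: Accepted password for deploy from 198.51.100.23
2024-03-01T09:17:03Z db-02 sshd: Accepted publickey for backup from 10.0.0.5
2024-03-01T09:31:55Z web-02 sshd: Accepted password for deploy from 198.51.100.23
2024-03-02T01:12:09Z app-03 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/bash
2024-03-02T01:14:30Z app-03 sshd: Accepted password for deploy from 198.51.100.23
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>[^:]+):\s+(?P<msg>.*)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return rec


def area_of(host):
    """Assumed naming convention: host 'web-01' belongs to area 'web'. Replace with a CMDB lookup."""
    return host.split("-", 1)[0]


def assess_scope(log_text, indicator):
    """Answer the identification questions for one indicator (here a suspicious source IP):
    when it was first and last seen, which hosts and areas it touched, and which other
    events on those hosts should be reviewed even though they do not mention the indicator.
    Returns None when the indicator does not appear at all."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    hits = [r for r in records if indicator in r["msg"]]
    if not hits:
        return None
    hosts = sorted({r["host"] for r in hits})
    per_host = defaultdict(int)
    for r in hits:
        per_host[r["host"]] += 1
    # Activity on already-impacted hosts that does not carry the indicator (e.g. privilege use)
    related = [f'{r["ts"]} {r["host"]} {r["proc"]}: {r["msg"]}'
               for r in records if r["host"] in hosts and indicator not in r["msg"]]
    return {
        "first_seen": min(r["time"] for r in hits).strftime(TS_FMT),
        "last_seen": max(r["time"] for r in hits).strftime(TS_FMT),
        "hosts": hosts,
        "areas": sorted({area_of(h) for h in hosts}),
        "events_per_host": dict(per_host),
        "event_count": len(hits),
        "related_events": related,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(assess_scope(SAMPLE_LOGS, "198.51.100.23"), indent=2))
```

On the constructed input the indicator is seen between 2024-03-01T08:02:11Z and 2024-03-02T01:14:30Z across three hosts in two areas (web and app), and the sudo event on app-03 is surfaced as related activity to review; db-02 is not flagged because the indicator never appears there.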
3. Containment and Intelligence:
- After a breach is first detected, the team focuses on limiting the damage of the incident and isolating affected systems to prevent further harm.
4. Eradication:
- Eradication involves the following steps:
- Identifying the root cause of the incident
- Isolating affected systems from the production environment.
5. Recovery and Follow-up Actions:
- In post-incident activities, the team carefully brings affected production systems back online to ensure another incident does not take place.
- Important decisions at this stage are: from which time and date to restore operations, how to test and verify that affected systems are back to normal, and how long to monitor the systems to ensure activity is back to normal.