The Six Stages of Incident Response

As the Manager for IT Security and Identity Services at Griffith University, Ashley Deuble has to manage a complex environment with a massive number of internal and external users. Securing such a wide gamut of customers, often with very specific needs, is very challenging, particularly when it comes to securing the environment so that everyone has appropriate and reliable access.

Ashley Deuble speaking at AusCERT2016

“My big focus is around ensuring that appropriate security and risk evaluation is baked into everything that we do. As we are a university we tend to deal with a lot of different types of data ranging from public information through to cutting edge research information and even health and patient medical records. It's definitely a juggling act to securely make most of our information as open and accessible as possible, whilst still protecting other key assets,” he says.

Like most organisations, there’s pressure to look beyond traditional, on-premise systems and move operations to the cloud. However, that is not without its own challenges.

“One of my key areas of focus is in the governance of security and identity as we push the boundaries of the traditional University network model out to these services,” says Deuble.

A major part of that focus is around incident response. Over several years, through working with many companies and observing the actions of many more, Deuble saw that all had an idea of what incident response was, but when the time came they were unable to execute it in a smooth or reliable manner.

“Incident response is one of those things that should be practised regularly like fire safety training or disaster recovery testing so that when something bad happens, your actions are almost second nature ensuring a favourable outcome,” he says.

Through that experience and observation, Deuble has developed a six-stage model for dealing with incidents.

Deuble says the six stages of incident response that we should be familiar with are preparation, identification, containment, eradication, recovery and lessons learned. At each of these stages there are a few big ticket items that we want to make sure we get right.

1 - Preparation

The preparation phase is about ensuring you have the appropriate response plans, policies, call trees and other documents in place, and that you have identified the members of your incident response team, including external entities.

2 - Identification

In the identification phase you need to work out whether you are dealing with an event or an incident. This is where understanding your environment is critical as it means looking for significant deviations from "normal" traffic baselines or other methods.
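The event-versus-incident call described above rests on knowing what "normal" looks like. The following is an added example (not from the article or from Griffith University) that builds a per-host baseline from constructed traffic samples and flags hosts whose current outbound volume deviates significantly from it; host names, byte counts and the 3-sigma threshold are all assumptions.

```python
"""Identification-stage helper: flag hosts whose outbound traffic deviates
significantly from their own baseline. Added example, not from the article."""
from statistics import mean, pstdev

# Constructed sample: hourly outbound bytes per host over a "normal" week.
BASELINE = {
    "ws-101": [120_000, 130_000, 110_000, 125_000, 118_000, 122_000, 128_000],
    "ws-102": [80_000, 85_000, 78_000, 90_000, 82_000, 79_000, 88_000],
}

# Constructed observation for the current hour (ws-102 is the outlier).
OBSERVED = {"ws-101": 124_000, "ws-102": 950_000}


def baseline_stats(samples):
    """Return (mean, population stddev) for one host's historical samples."""
    return mean(samples), pstdev(samples)


def deviation_score(value, samples):
    """Number of standard deviations `value` sits from the host's baseline.
    A flat baseline (zero stddev) cannot be divided by, so any change at all
    is reported as infinite deviation rather than silently ignored."""
    mu, sigma = baseline_stats(samples)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def classify(observed, baseline, threshold=3.0):
    """Split observations into 'events' (within baseline) and candidate
    'incidents' (at or beyond `threshold` stddevs). Hosts with no baseline
    are listed separately: there is no 'normal' to compare them against,
    so they need manual review rather than a verdict."""
    events, incidents, unknown = [], [], []
    for host, value in observed.items():
        if host not in baseline:
            unknown.append(host)
            continue
        score = deviation_score(value, baseline[host])
        bucket = incidents if abs(score) >= threshold else events
        bucket.append((host, round(score, 2)))
    return {"events": events, "incidents": incidents, "unknown": unknown}


if __name__ == "__main__":
    print(classify(OBSERVED, BASELINE))
```

The threshold and the choice of metric are environment-specific; the point is that the baseline is built from your own traffic, so the same logic applies to DNS query counts, login rates or any other measure you already collect.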

3 - Containment

Deuble says that as you head into the containment stage you will want to work with the business to limit the damage caused to systems and prevent any further damage from occurring. This includes short and long term containment activities.

4 - Eradication

During the fourth stage the emphasis is on ensuring you have a clean system ready to restore. This may be a complete reimage of a system, or a restore from a known good backup.

5 - Recovery

At this point, it’s time to determine when to bring the system back into production and how long to monitor it for any signs of abnormal activity.

6 - Lessons Learned

This final stage is often skipped as the business moves back into normal operations but it’s critical to look back and heed the lessons learned. These lessons will allow you to incorporate additional activities and knowledge back into your incident response process to produce better future outcomes and additional defenses.

Stories by Anthony Caruana