Managing Cyber Incidents

The incident response framework detailed in the previous chapter laid out the specific structure of a Computer Security Incident Response Team (CSIRT) and how the CSIRT will engage with other business units. The chapter further expanded on the necessary planning and preparation an organization should undertake to address cyber incidents. Unfortunately, planning and preparation cannot address all the variables and uncertainties inherent in cyber incidents.

As the boxer Mike Tyson said:

"Everyone has a plan until they get hit in the face."

This chapter will focus on executing those plans and frameworks detailed in Chapter 1, Understanding Incident Response, to properly manage a cyber incident. A solid foundation in and an understanding of cyber incident management allows organizations to put their plans into action more efficiently, communicate with key stakeholders in a timely manner and, most importantly, lessen the potential damage or downtime of a cyber incident.

This chapter will address how to manage a cyber incident, examining the following topics:

  • Engaging the incident response team
  • Incorporating crisis communications
  • Investigating incidents
  • Incorporating containment strategies
  • Getting back to normal: eradication and recovery
