Incident Response

As a computing security student, a process that I believe I'll see a lot in my future career is incident response. Incident response is the process by which an organization handles a data breach or cyberattack; in particular, it covers the way the organization manages the consequences of the attack or breach. There are many steps to this process. Incident response phases follow the pattern of preparation, identification, containment, eradication, and recovery.

To elaborate on each step: preparation is simply the act of being ready to deal with an attack or breach at a moment's notice. Identification deals with detecting a deviation from normal operations within the organization and determining whether it qualifies as an incident. Containment is meant to limit the damage already done and prevent further damage from happening. Eradication is the actual removal of the risk so that devices will not be compromised again. Finally, recovery brings the affected systems back to the state they were in before the incident. While these methods are effective, I believe there is one very crucial part that is missing.

After all steps are carried out and systems are fully recovered, it is necessary to learn how this attack happened and how it can be prevented in the future. Essentially, there should always be a dedicated step in incident response to learn from past mistakes. This would most likely be the most important step in the entire process, because if you do not take measures to learn from your mistakes, you risk falling for the same problem again. When reading about incident response I do hear that learning from your mistakes is important, but it is never emphasized how important it is. There should always be a dedicated step for it, as some people brush it off as soon as a problem is "solved"; however, the problem is never really solved if you haven't learned from it.

By emphasizing this step, you inspire people to learn more about their own systems, which benefits future incident response.
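One way to make the lessons-learned step mandatory rather than optional is to encode the lifecycle in the incident tracker itself, so that a ticket cannot be closed until a root cause and corrective action are recorded. The following is an added example written for this post, not code from the original author: it models the five phases described above plus a sixth `lessons_learned` phase, enforces their order, and refuses to close an incident that skipped the review. The class and function names, and the sample incident data, are constructed for illustration.

```python
from dataclasses import dataclass, field

# Ordered lifecycle. "preparation" is organization-wide readiness and precedes
# any particular incident; a record therefore starts at "identification".
# "lessons_learned" is the added sixth step argued for in the post.
PHASES = ["preparation", "identification", "containment",
          "eradication", "recovery", "lessons_learned", "closed"]


class IncidentLifecycleError(Exception):
    """Raised when a phase transition or closure would violate the process."""


@dataclass
class Incident:
    incident_id: str
    summary: str
    phase: str = "identification"
    history: list = field(default_factory=list)   # (from_phase, to_phase, note)
    lessons: list = field(default_factory=list)   # {"root_cause": ..., "action": ...}

    def advance(self, next_phase: str, note: str = "") -> None:
        """Move to the next phase; phases may not be skipped or revisited."""
        if next_phase not in PHASES:
            raise IncidentLifecycleError(f"unknown phase: {next_phase}")
        if PHASES.index(next_phase) != PHASES.index(self.phase) + 1:
            raise IncidentLifecycleError(
                f"cannot move from {self.phase} to {next_phase}")
        # The gate that makes the review step non-optional.
        if next_phase == "closed" and not self.lessons:
            raise IncidentLifecycleError(
                "record at least one lesson learned before closing")
        self.history.append((self.phase, next_phase, note))
        self.phase = next_phase

    def record_lesson(self, root_cause: str, corrective_action: str) -> None:
        """Lessons are captured during the dedicated review phase only."""
        if self.phase != "lessons_learned":
            raise IncidentLifecycleError(
                "lessons are recorded in the lessons_learned phase")
        self.lessons.append({"root_cause": root_cause,
                             "action": corrective_action})


def run_sample_incident() -> Incident:
    """Walk a constructed incident through every phase, including the review."""
    inc = Incident("INC-0001", "constructed example: phishing-led credential theft")
    inc.advance("containment", "disabled affected account, blocked sender domain")
    inc.advance("eradication", "reset credentials, removed mailbox forwarding rule")
    inc.advance("recovery", "restored mailbox access, confirmed no further rules")
    inc.advance("lessons_learned", "post-incident review held")
    inc.record_lesson(
        root_cause="no MFA on webmail login",
        corrective_action="enforce MFA for all mail accounts; add forwarding-rule alert")
    inc.advance("closed", "review complete")
    return inc


def closing_without_review_is_blocked() -> bool:
    """Show that skipping the review and closing directly is rejected."""
    inc = Incident("INC-0002", "constructed example")
    for phase in ("containment", "eradication", "recovery", "lessons_learned"):
        inc.advance(phase)
    try:
        inc.advance("closed")          # no lesson recorded yet
    except IncidentLifecycleError:
        return True
    return False


def skipping_a_phase_is_blocked() -> bool:
    """Show that jumping from identification straight to recovery is rejected."""
    inc = Incident("INC-0003", "constructed example")
    try:
        inc.advance("recovery")
    except IncidentLifecycleError:
        return True
    return False


if __name__ == "__main__":
    done = run_sample_incident()
    print(done.phase, done.lessons)
    print("closure without review blocked:", closing_without_review_is_blocked())
    print("phase skipping blocked:", skipping_a_phase_is_blocked())
```

The ordering check keeps the record honest about what actually happened, and the closure gate is the part that turns "learn from your mistakes" from advice into a requirement: an analyst who wants the ticket off their queue has to write down the root cause and the corrective action first.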

-Ted Kaminski