Cyber incident response is the organized way of dealing with some of today’s nastiest cyber attacks and intrusions. What exactly does this countermeasure involve? Read on for a basic rundown of this important concept.
Defining “Incidents”
Incident response in the cyber realm is all about the “attacks and intrusions” alluded to above. To understand the response, we must first know precisely what the incidents are to which a response is being applied. According to the US Department of Homeland Security, “A cyber incident is the violation of an explicit or implied security policy. In general, types of activity that are commonly recognized as being in violation of a typical security policy include but are not limited to:
- attempts (either failed or successful) to gain unauthorized access to a system or its data, including PII related incidents
- unwanted disruption or denial of service
- the unauthorized use of a system for processing or storing data
- changes to system hardware, firmware, or software characteristics without the owner’s knowledge, instruction, or consent”
The Cyber Response
While businesses, government organizations, and private enterprises may each approach these matters with some variation, all organized responses to cyber incidents share many of the same attributes. For another largely universal view, this time of the typical response effort itself, the DHS explains that when such events occur, the department “provides assistance to potentially impacted entities, analyzes the potential impact across critical infrastructure, investigates those responsible in conjunction with law enforcement partners, and coordinates the national response to significant cyber incidents.”
Response Components
Just as with the DHS, when cyber incidents occur in businesses and other entities, the response effort essentially seeks to stop the problem and then move on from it in a more informed state. Nearly all response efforts share the same four attributes. These four common components of most cyber incident response efforts are as follows.
- Identify the Threat and Impact – First, the affected party must identify every component of the incident: the scope and nature of the threat as well as the effects its presence has had on systems and data.
- Stop the Threat – Having identified all elements of the situation, the threat can then be addressed immediately and contained so it cannot spread further.
- Rebuild – Once the threat has been eliminated, the affected areas where it manifested and did damage must be repaired, rebuilt, and restructured, and verified as clean before they are returned to service.
- Grow From the Event – The final step is arguably the most important. In the wake of the incident, much can be learned, and those lessons should be fed back into the organization’s security structure so that it is stronger and more aware, and a safer future is more likely. Those who ignore this step are, much like those ignorant of history, doomed to repeat it.
We live in an increasingly “cyber” world. This means a future of cyber events and the concerns that come with them. When an event or incident takes place, it is the affected entity’s cyber incident response effort that handles the entirety of the situation.