3. Describe the stages of a cyber security incident response lifecycle (AC 1.3)

If you follow the (US) National Institute of Standards and Technology framework for incident response, NIST SP 800-61, the lifecycle has four stages. Looking at the arrows in the picture linked, you'll see that some of the arrows point backwards as well as forwards. That is because it is not a linear process: you don't go step 1, step 2, step 3, step 4 and you're done. Instead it is a cycle in which you revisit stages, often several times during a single incident.

Preparation

This is the most important stage. If your organisation isn't prepared for an incident, the effects can be crippling: the vast majority of staff unable to work, critical systems offline with no known resolution, a breach of sensitive client or personal data, financial loss and severe reputational damage. That is why your organisation needs to establish policies, implement the right tools (logging, monitoring, backups), have resources available, conduct training and, importantly, build a robust incident response plan. Much of this preparation work, such as hardening, patching and access control, also acts as prevention of future incidents.

Detection & Analysis

This stage is about monitoring, detecting, alerting on and reporting incidents. Systems are constantly hit by a large volume of small-scale attempts to breach the defences (port scans, failed logins, commodity phishing), and most of these pose no real threat on their own. The difficult part is identifying the legitimate threats, which can look small or insignificant at first but lead to serious problems if not addressed immediately. The Incident Response team (IR team) should collect and document information on any incident that has made it past the defences, and determine its type, scope and severity so that it can be prioritised correctly.

Containment, Eradication & Recovery

If you find malicious software or evidence of a breach, best practice is to isolate and contain the affected systems first; the purpose of this stage is to limit the damage and stop the incident spreading. Analysing the malware in a sandbox helps you decide how to eradicate it. A sandbox is an isolated environment, typically a disposable virtual machine, where you can run the malware and observe what it does without affecting your production systems or network. When you're done with your tests, you reset the sandbox to its clean snapshot, and all you're left with is the analysis. This does not always work: some malware is "smart" enough to detect that it is running in an analysis environment (for example by checking for signs of virtualisation) and behaves differently from how it would on a real system and network, so sandbox results should be treated as a lower bound on what the malware can do. Eradication means removing the cause: deleting the malware, closing the vulnerability or account the attacker used, and rebuilding compromised hosts rather than trusting a cleaned one. Once the threat has been removed, it's time for recovery. This is where you restore data from clean backups taken before the compromise, bring back any servers or services that went down, and return to a state similar to the one before the attack. As mentioned at the start of this answer, after this stage it's important to go back to the previous stage, Detection & Analysis, and perform a thorough check of all systems to make sure they really are in the clear, because an attacker may still have a foothold you haven't found.

Post-incident Activity

In this phase the organisation reviews the response in detail, usually in a lessons-learned meeting, and determines exactly what went wrong and what could be improved to prevent this kind of incident. This stage feeds directly back into the Preparation stage: everything learned from dealing with this incident should be used to prevent further ones and to streamline the whole process, from first finding out there is an incident to the point where it has been mitigated. Do this by analysing each part of the process, keeping the steps that worked and improving the steps that didn't.
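To show what the triage work in the Detection & Analysis stage looks like in practice, here is an added example that is not part of the original answer. It parses a handful of constructed sshd log lines (the format is that of OpenSSH password authentication; the hosts, IPs and users are made up) and assigns each source a severity. The point it makes is the one above: the source that never crosses a brute-force threshold but logs in successfully after failing against other accounts is the "small-looking" event the IR team must escalate first. The threshold value is an assumption, not a NIST figure.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sshd log lines (not from any real system). Most of it is
# background noise; one source fails against several accounts and then logs in.
SAMPLE_LOG = """\
Mar 10 08:01:02 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar 10 08:01:05 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar 10 08:01:09 web01 sshd[2107]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 10 08:02:14 web01 sshd[2111]: Failed password for alice from 192.0.2.45 port 33010 ssh2
Mar 10 08:02:20 web01 sshd[2115]: Accepted password for alice from 192.0.2.45 port 33010 ssh2
Mar 10 08:05:31 web01 sshd[2120]: Failed password for invalid user oracle from 203.0.113.7 port 51140 ssh2
Mar 10 08:05:33 web01 sshd[2122]: Failed password for bob from 203.0.113.7 port 51144 ssh2
Mar 10 08:05:40 web01 sshd[2125]: Accepted password for bob from 203.0.113.7 port 51144 ssh2
Mar 10 08:07:00 web01 sshd[2130]: Failed password for root from 198.51.100.9 port 40002 ssh2
"""

# Matches OpenSSH "Failed/Accepted password for [invalid user] <user> from <ip> port <n>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


@dataclass
class AuthEvent:
    ts: str
    host: str
    user: str
    ip: str
    success: bool


def parse_auth_log(text):
    """Parse sshd password-auth lines into events; unrelated lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(AuthEvent(m["ts"], m["host"], m["user"], m["ip"],
                                    m["result"] == "Accepted"))
    return events


def triage(events, bruteforce_threshold=5):
    """Turn raw events into per-source findings with a severity the IR team can act on.

    LOW    : a source that only fails, below the brute-force threshold (noise).
    MEDIUM : a source with >= threshold failures and no success (blocked brute force).
    HIGH   : a success from a source that first failed against *other* accounts
             (a password spray that worked). Severity for a source only increases.
    The threshold of 5 is an assumed tuning value, not a standard figure.
    """
    failures_by_ip = defaultdict(list)   # ip -> usernames that failed from it
    findings = {}
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}

    def record(ip, severity, reason):
        if ip not in findings or rank[severity] > rank[findings[ip]["severity"]]:
            findings[ip] = {"ip": ip, "severity": severity, "reason": reason}

    for ev in events:
        if not ev.success:
            failures_by_ip[ev.ip].append(ev.user)
            n = len(failures_by_ip[ev.ip])
            if n >= bruteforce_threshold:
                record(ev.ip, "MEDIUM", f"{n} failed logins, no success yet")
            else:
                record(ev.ip, "LOW", f"{n} failed logins")
        else:
            others = sorted(set(failures_by_ip.get(ev.ip, [])) - {ev.user})
            if others:
                # Success after failures against other accounts: likely compromise.
                record(ev.ip, "HIGH",
                       f"login as {ev.user} after failing against {others}")
            # A success after failures on the same account only (a mistyped
            # password) is left at whatever severity the failures earned.
    return sorted(findings.values(), key=lambda f: -rank[f["severity"]])


if __name__ == "__main__":
    for f in triage(parse_auth_log(SAMPLE_LOG)):
        print(f"{f['severity']:6} {f['ip']:15} {f['reason']}")
```

Run on the sample, 203.0.113.7 is reported HIGH even though it made only four failed attempts, below the threshold, while the two other sources stay LOW. A pure per-IP count threshold would have missed it; correlating failures with the later success is what surfaces the real incident for the IR team to document and contain.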
