Incident Response

Incident response (IR) is the systematic process of detecting, analysing, containing, eradicating, and recovering from cybersecurity incidents. A well-prepared incident response plan minimises damage and speeds recovery when security events occur.

Incident response phases (NIST framework):

1. Preparation: Building IR capability before incidents occur
2. Detection and Analysis: Identifying that an incident has occurred and determining its scope
3. Containment: Limiting the incident's spread and impact
4. Eradication: Removing the threat from the environment
5. Recovery: Restoring affected systems to normal operation
6. Lessons Learned: Post-incident review and improvement

Incident response plan components:

• Incident classification and severity levels
• Roles and responsibilities (IR team members)
• Communication protocols (internal and external)
• Escalation procedures
• Evidence preservation guidelines
• Containment and eradication procedures
• Recovery procedures and priorities
• Legal and regulatory notification requirements
• Post-incident review process

Incident categories:

• Malware: Ransomware, trojans, viruses
• Phishing: Successful social engineering attacks
• Data breach: Unauthorised access to sensitive data
• Account compromise: Stolen or compromised credentials
• DDoS: Distributed denial of service attacks
• Insider threat: Malicious or accidental internal action
• System compromise: Unauthorised access to servers or systems

Australian incident response requirements:

• Notifiable Data Breaches (NDB) scheme: Mandatory notification within 30 days
• OAIC notification for eligible data breaches
• ACSC reporting for significant cyber incidents
• APRA notification requirements for regulated entities
• Potential requirement to notify affected individuals