The incident response lifecycle provides a framework for the successful mitigation and management of cyber-attacks.
In this blog post, we outline the steps that make up the incident response lifecycle and explain how it can be used alongside the Kroll Intrusion Lifecycle to help organisations strengthen their security posture.
What is the incident response lifecycle?
The incident response lifecycle is a sequence of steps that organisations follow after a security incident. Organisations and cyber specialists define incident response in this way to emphasise the continuous nature of truly effective response. Each stage helps to shape the direction and progression of the wider incident response process.
What is the value of the incident response lifecycle?
The incident response lifecycle provides key benefits for organisations, including:
- A clearly defined approach: By covering all the principal areas that make up incident response, organisations can be sure they are addressing all the aspects of managing and mitigating an attack.
- A cyclical perspective: The cyclical nature of the framework allows businesses to fully understand, and proactively plan, the actions involved in responding quickly and effectively to an incident.
- Enhanced insight: The iterative approach of the incident lifecycle ensures that the knowledge gained in dealing with an incident helps to improve the process and avoid further incidents in the future.
What does the incident response lifecycle involve?
The incident response lifecycle covers all the key stages involved in managing and mitigating an incident and ensuring that an organisation is able to regain business continuity. The number of stages usually varies between five and seven, with common steps including:
Preparation: Some incident response models include this as a stage in which organisations plan and prepare for their response ahead of an attack.
Identification: Critical to effective response, this phase, also referred to as the Detection and Analysis stage, involves identifying potential threats and determining their severity, enabling organisations to prioritise how threats are managed. This stage may also include penetration testing.
Containment: This step is aimed at preventing a security threat from spreading. Actions may include disconnecting affected systems from the internet, quarantining infected systems, reviewing backup systems and applying relevant security updates. This stage may also involve forensic analysis in order to better understand the event.
Eradication: Once the security issue has been contained, it needs to be eradicated from the environment. This can involve the use of antivirus tools or manual removal techniques. It should also include checking that all security software is fully up to date in order to reduce the likelihood of further incidents occurring in the future.
Recovery: After eliminating the issue, organisations must restore all systems to their pre-incident state. This involves actions such as restoring data from backups and rebuilding infected systems.
Post-incident: This is the stage of the incident response lifecycle in which organisations gain specific insights that will help inform their overall response strategy. It involves going beyond technical analysis to understand which policies or parts of the company infrastructure may need to be updated.
The NIST incident response lifecycle
The NIST incident response lifecycle is part of the cyber security framework defined by NIST, the National Institute of Standards and Technology, a U.S. government-funded agency. Similar to the steps outlined above, the NIST lifecycle aims to help organisations prepare for security incidents.
The Kroll Intrusion Lifecycle: anticipating threat actor behaviour
While the incident response lifecycle model aims to help organisations follow a clearly defined route to ensure an effective response, the Kroll Intrusion Lifecycle aims to help organisations more quickly and easily understand and anticipate different types of cyber threats.
Developed by Kroll’s forensics experts and drawing on insight gained from thousands of investigations, the Kroll Intrusion Lifecycle focuses specifically on the behaviour of threat actors. The framework is built on the observation that attacker behaviour, processes and intrusion steps progress through repeatable, clearly distinct stages. It reflects the fact that threat actors are first and foremost people, albeit acting with criminal intent. This means that, regardless of the tools they deploy, the methods they leverage or the speed at which they move, threat actors operate by following common and measurable stages.
Defining each stage of the intrusion threat sequence in simple, easy-to-understand terms, the lifecycle provides a visual, step-by-step behavioural model to enable stakeholders at every level to track and explain the stages of modern attacks.
Defining each intrusion threat stage
The Kroll Intrusion Lifecycle specifies each stage of the intrusion threat sequence in simple terms, presented in a visual, step-by-step behavioural model, which covers six key stages from external victim scouting to mission execution.
The framework functions as both an overview and a visual timeline to enable greater insight and to support better informed security decision-making. It was also designed to allow for overlay and cross-compatibility with existing frameworks, such as organisations’ individual incident response lifecycles and MITRE ATT&CK®.