Incident Response: Recovery and Maintenance
This chapter discusses key steps that firms should take after containing a security incident and regaining control of their systems. They include recovery, maintenance, forensics, and preservation of technical data (Whitman, Mattord, & Green, 2013). Recovery is a continuation of the incident response process, but in this case focuses on identifying things that went wrong and how systems were compromised. Some of the main things that CSIRT teams should examine include nature of the attack, extent of damage or compromise, attacker strategies, and state of security controls. The desired product of this process is identification of the underlying problem and elimination of vulnerabilities that were exploited by attackers. The maintenance stage where CSIRT teams will review the incident, identify lessons learned, and use them to improve future plans. Firms are recommended to implement them during training, especially when running drills with their staff. In case there is evidence of a crime, then an organizations may be required to involve the forensics department of the law enforcement. Forensics is usually part of the recovery process, but its goal is to collect data or evidence that can be used in court (Johnson, 2013). The process can be complex if an organization does not have a policy that permits search for such evidence. Firms planning for a forensics operation should take into account the cost, response time, and data sensitivity. The process should also be done in two steps, including first response, and analysis and presentation. Besides, they should preserve the technical data using the best practices to ensure that it is safe.
Question: when should an organization plan for a forensic investigation and what are the benefits of the practice?
Johnson, L. (2013). Computer incident response and forensics team management. Burlington: Elsevier Science.
Whitman, M., Mattord, H., & Green, A. (2013). Principles of incident response and disaster recovery (2nd ed.). New York: Cengage Learning.