What are the phases of an incident response plan?

What Are The Incident Response Phases? 

According to NIST, the incident response process consists of four key phases. 

• Preparation: This is where you lay the groundwork for the rest of your incident response plan. In addition to establishing preventative measures and controls, you must also determine what you need in terms of security tools. 
• Detection and Analysis: Once an incident has been detected, how will you evaluate the severity and root cause? 
• Containment, Eradication, and Recovery: How will your security or incident response team mitigate an emerging incident? How can you prevent it from causing further damage? Once all this is done, how do you get your systems up and running again? 
• Post-Incident Activity: This includes generating incident reports, meeting with key stakeholders to determine lessons learned, and revisiting your incident response process to find opportunities for improvement.

The incident response steps according to SANS are more comprehensive. 

• Preparation: As with NIST, this involves laying the groundwork for an effective incident response. This includes establishing a full map of your infrastructure, identifying your most critical assets, evaluating and mitigating risk, and defining a communication plan. 
• Identification: This step is also identical to NIST’s second step. When you identify a security incident, what process and tools do you have in place for evaluating it? Who are the key stakeholders? To whom do you assign clear roles and responsibilities? 
• Containment: Address the root cause of the incident. This may involve patching a vulnerability to eliminate an entry point, removing access from a bad actor, or air-gapping an infected system.
• Eradication: Next, flush the threat from your systems. The process here will vary depending on the nature of the incident; this step may not be necessary for incidents such as infrastructure failure. 
• Recovery: Finally, this step involves a return to regular business operations. 
• Lessons Learned: Reporting, meeting with stakeholders, and so on. Again, this is identical to NIST’s final step. 

As you can see, both frameworks ultimately hit the same points. The only real difference is that SANS treats containment, eradication, and recovery as three distinctive steps. As such, which one you use for your own incident response plan is largely a matter of preference and suitability. 

Do note, however, that certain standards may require you to adhere to one or the other.