The phases of a security incident - The reporting stages of the First Check

Our First Check serves to check how well a company is prepared for a possible security incident. In order to determine the current level of preparation of relevant systems and processes, we work with the respective partner to answer our comprehensive catalogue of questions, which we have developed ourselves and which is based on the SANS methodology. In management reporting, we use different reporting levels to show companies how well prepared they currently are for the various incident response phases. The reporting levels shown correspond to the incident response phases. To make the significance of the individual phases more tangible for you, we will go into the individual stages and the measures they contain in more detail below.

‍

1. Preparation

This phase is the decisive phase, as it primarily serves to protect your company. The first step is to check the extent to which a basis has been created for dealing with possible attacks in the company. This includes creating and defining organisational, technical and communicative preparations and requirements in IT, crisis management and crisis communication. For example, various reporting chains must be defined, who notifies whom and when in the event of an incident. By defining processes and procedures, including with regard to internal and external communication, a faster response to a security incident can be initiated.

2. Identification

This is about identifying how well you are able to recognise an attacker in your systems with the help of technical measures. To do this, it is crucial to keep an eye on the company's technical infrastructure and look for so-called IOCs (Identifiers of Compromise). Certain tools, such as a SIEM, can provide support here.

3. Containment

This phase of incident handling describes the moment when an attacker or malware has been detected in the system. The first check examines whether your systems can trace the threat back to its origin, what damage it could cause and how the systems can then be used safely again. If, for example, only one user in the network is affected, this user can be disconnected from the network in order to contain the outgoing damage and protect the rest of the operation. We therefore also examine which measures can be implemented by your systems in the short term, e.g. through the existence of a NAC (Network Access Control) solution or a multi-level administration concept.

4. Eradication

In this stage, it is important to identify the extent to which your IT is able to determine which files and networks have actually been attacked and to eliminate the incident or attack. This includes the existence or availability of certain security tools and a dedicated team that monitors the affected systems in order to eradicate the threat based on the knowledge gained.

5. recovery

This is the process of restoring and returning systems and endpoints to the green zone. Various decisions have to be made here, some of which can be defined in advance. Basically, the aim is to get the system back into normal operation as quickly as possible. It is therefore important to be clear about which processes are really critical for the company and to formulate priorities. Certain interdependencies between different processes should be taken into account at all times. Our First Check helps you to check whether all important preparations have been made for a timely and successful recovery of data and processes.

6. Post-incident

The sixth and final stage of the report is designed to help you better handle and assess the follow-up of a security incident. Reflection afterwards is helpful to determine what went particularly well and what went less well. Basically, this answers the question of how relevant learnings can flow back into the company in a targeted manner.

All of these phases are run through in every incident response and without sufficient preparation, a security incident can cause considerable damage to your company. It is therefore particularly important to prepare for an incident in the best possible way using the various stages and to plan appropriate measures in advance. If you need support with this or have any questions about us or our services, please feel free to contact us directly at any time.

The phases of a security incident - The reporting stages of the first check