Following best practices for security incident response is so important that the general steps have been codified by NIST, replicated here:
The simplicity of the diagram hides many of the challenges facing security incident responders:
- Preparation requires incident response professionals to study and track all the assets they are protecting.
- Detection and Analysis requires coordination among many team members, each with subject-matter expertise on one or more “commercial-off-the-shelf” (COTS) products and solutions.
- Containment, Eradication and Recovery requires that detection and analysis be 100% successful, which is particularly hard to achieve because advanced malware can hide on infected hosts, sometimes for weeks or months.
- Post-incident Activity involves tuning procedures and shoring up defenses, all of which can be expensive or controversial.