Three-Step Workflow in Incident Response
Step 1 - Assess
Develop a standardized process for triaging and prioritizing reported incidents based on their potential impact and severity.
Assign reported incidents to the appropriate incident response team members based on their skills and expertise.
Conduct a thorough analysis of the incident, including collecting and preserving relevant data and evidence, such as system logs, network traffic captures, and memory dumps. Use threat intelligence and knowledge bases to identify the tactics, techniques, and procedures (TTPs) used by the attacker, as well as any known Indicators of Compromise (IoCs).
Determine the scope and extent of the incident, including which systems, data, and users have been affected. Preserve relevant data and evidence for further analysis and potential legal or regulatory proceedings.
Step 2 - Contain and Eradicate
Implement immediate containment measures to prevent the incident from spreading or causing further damage, such as isolating affected systems, blocking malicious traffic, or revoking compromised user accounts.
Communicate the status of the incident and containment efforts to relevant stakeholders, including executive management, legal counsel, and public relations.
Identify and remove the root cause of the incident, such as malware, compromised accounts, or vulnerabilities.
Conduct a thorough scan of all systems and networks to ensure that the threat has been completely eradicated and that no backdoors or persistence mechanisms remain.
Implement additional security controls and measures to prevent similar incidents from occurring in the future, such as patching vulnerabilities, strengthening access controls, or enhancing monitoring and detection capabilities.
Step 3 - Recovery
Restore affected systems and data to their pre-incident state, using backups or other recovery mechanisms as necessary.
Verify the integrity and security of restored systems and data, and conduct additional testing and monitoring to ensure that they are functioning properly.
Document all containment, eradication, and recovery activities in the incident tracking system, and update relevant policies, procedures, and training materials as appropriate.
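The Assess and Contain steps above, as an added worked example (not part of the original workflow text): it runs a constructed IoC feed over constructed log lines, scopes the incident to the users and hosts involved, assigns a priority from assumed host criticality weights, and derives the immediate containment actions. Log format, IoC values, host names and weights are all assumptions.

```python
# Constructed sample log lines (assumed format: "<ts> host=<h> user=<u> event=<e> ...").
SAMPLE_LOGS = [
    "2024-01-05T08:00:01 host=ws-017 user=alice event=login_ok src=10.0.0.21",
    "2024-01-05T08:02:13 host=ws-017 user=alice event=dns_query name=update-check.example",
    "2024-01-05T08:02:14 host=ws-017 user=alice event=outbound dst=203.0.113.45",
    "2024-01-05T08:05:40 host=srv-db01 user=alice event=login_ok src=10.0.0.17",
    "2024-01-05T08:06:02 host=srv-db01 user=svc_backup event=login_ok src=10.0.0.9",
    "2024-01-05T08:07:11 host=ws-042 user=bob event=outbound dst=198.51.100.7",
]

# Constructed IoC feed (placeholder values from documentation-only ranges).
IOCS = {"ip": {"203.0.113.45"}, "domain": {"update-check.example"}}

# Assumed criticality weights used to prioritise by potential impact.
HOST_CRITICALITY = {"srv-db01": 3, "ws-017": 1, "ws-042": 1}

def parse(line):
    """Turn one 'key=value' log line into a dict; the first token is the timestamp."""
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = ts
    return fields

def matches_ioc(ev):
    """True if the event references a known-bad destination IP or domain."""
    return ev.get("dst") in IOCS["ip"] or ev.get("name") in IOCS["domain"]

def assess(lines):
    """Step 1: find IoC hits, then scope to every host the implicated users touched."""
    events = [parse(l) for l in lines]
    hits = [e for e in events if matches_ioc(e)]
    users = {e["user"] for e in hits}
    hosts = {e["host"] for e in events if e["user"] in users}
    severity = sum(HOST_CRITICALITY.get(h, 1) for h in hosts)
    priority = "P1" if severity >= 3 else "P2" if hits else "P3"
    return {"hits": hits, "users": users, "hosts": hosts, "priority": priority}

def containment_plan(assessment):
    """Step 2: immediate containment actions derived from the assessed scope."""
    actions = [f"isolate host {h}" for h in sorted(assessment["hosts"])]
    actions += [f"revoke sessions and reset credentials for {u}" for u in sorted(assessment["users"])]
    actions += [f"block egress to {ip}" for ip in sorted(IOCS["ip"])]
    return actions

if __name__ == "__main__":
    result = assess(SAMPLE_LOGS)
    print(result["priority"], sorted(result["hosts"]), sorted(result["users"]))
    print("\n".join(containment_plan(result)))
```

Scoping follows the implicated user across hosts, so the later login on srv-db01 pulls the critical server into scope and raises the priority even though that host never contacted an IoC directly.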