2011 has quickly become the year of the cyber attack, with organizations across the U.S., from Hyundai to the Pentagon, publicly reporting major data breaches.
What these attacks have continued to demonstrate is that it is no longer a question of whether an attack will evade traditional perimeter security, but when. To reduce the impact of these attacks, today’s organizations must be prepared for a rapid incident response that minimizes damage to IT systems and maximizes the amount of information they can learn about the attack.
Rapid incident response requires preparing a plan that maps out the activities, personnel, tools, and timing for each phase of the response. Most incident response plans follow the traditional NIST phases: preparation, identification, triage, containment, eradication, and reporting/lessons learned.
The first phase occurs before an incident and is a preparation phase, which includes establishing the incident response capability, preventing attacks by securing systems and networks, and, more importantly, finding and understanding your sensitive data and securing it before it is compromised. I have consistently seen surprise in many organizations when sensitive data is compromised on systems where they did not expect to have that data. Systems often pass or process data in places where it is neither intended nor expected to be. For example, an application may process credit card data before passing it to a database; if debugging output is inadvertently left enabled, the card data is written where it should never be, and malware on that system can expose it.
The second phase, identification, is a pure incident response phase in which an organization assesses the scope, location, and significance of the incident so that it can begin to contain the threat and move on to the next stages.
After identification come triage and containment, in which the organization stops the “bleeding” by shutting down access to the compromised systems. This marks the point at which the organization can begin to zero in on what malware or attack it is dealing with. In the containment steps, an organization determines whether there are any further points of entry to the systems and exactly what data has been compromised.
The next phases are fairly straightforward: Eradicate or eliminate the threat, report the outcome to management and customers, and determine lessons learned that could be applied to future occurrences.