Incident detection is the process of identifying threats by actively monitoring assets and finding anomalous activity (NIST, 2018). Once a threat is detected, appropriate actions are taken to neutralize the threat (if it is an active threat at the time of the response) and investigate the incident. After responding to the incident, the first step in the recovery process is to restore access and availability of systems, networks, services and data to a pre-incident state (NIST, 2018).
Recovery also involves an element of planning that requires the identification, creation, and ultimate implementation of measures for resilience and to enable the restoration of systems, networks, services, and data that were unavailable, harmed, damaged, and/or compromised during the incident. An essential element in ensuring resilience is having an up-to-date business continuity plan or emergency management plan (Maras, 2014b), which outlines instructions to be followed and actions to be taken in the event of a cybersecurity incident. Put simply, this plan includes detailed information on the ways in which to respond to an incident and recover from it. All those involved in cybersecurity response and recovery should be informed about the emergency managementplan. Here, training is required that includes exercises designed to test the efficacy and efficiency of these plans. An example of this type of exercise is the US Department of Homeland Security's Cyber Storm exercises, which involves participants from national public and private agencies, as well as agencies from other countries (e.g., Australia, Canada, Denmark, Finland, France, Germany, Hungary, Italy, Japan, New Zealand, the Netherlands, Sweden, Switzerland, and the United Kingdom), in order to test current information sharing practices between these agencies, and their cybersecurity preparedness, protection, and response capabilities (DHS, n.d.).