Incident response is the process of dealing with a data breach or cyberattack, including how an organization attempts to control the consequences of such an incident. The goal is to manage incidents effectively so as to minimize damage to systems and data, reduce recovery time and cost, and limit damage to brand reputation.
Organizations must implement a clear incident response plan. This plan should state what constitutes a security incident and describe a straightforward process teams can follow when an incident occurs. It is also important that organizations designate a team, employee, or leader responsible for managing the overall incident response initiative and executing the plan. In a larger organization, this team is called the Computer Security Incident Response Team (CSIRT).

Why Is Incident Response Important?

Incident activity that is not properly controlled can escalate into a bigger problem, ultimately leading to data breaches, high costs, or system outages. By responding quickly to incidents, organizations can minimize losses, mitigate exploited vulnerabilities, restore services and processes, and reduce the risk of future incidents. Incident response enables organizations to do the following:
Beyond these direct impacts, failure to respond effectively to incidents hurts the organization's business performance. Unhandled incidents are associated with negative brand reputation and low levels of customer loyalty and satisfaction. Although an organization cannot completely eliminate incidents, incident response can help minimize their impact and their recurrence. Organizations should focus on preparing for the impact of a security incident. Attackers will always be out there, but any organization can prepare for an attack with an effective, well-practiced approach to incident response.

What Is an Incident Response Plan?

An incident response plan is a document that details the security processes to be carried out in case of an incident and who is responsible for carrying them out. An incident response plan typically includes the following details:
The benefits of an incident response plan don't end when a cybersecurity incident is resolved. The plan continues to provide support for litigation, documentation to submit to auditors, and historical knowledge that enables a better response to similar incidents in the future.

Incident Response Steps

A standard incident response plan that may be implemented by an organization includes the following steps:

Step 1: Early detection
A security event occurs, and the system detects it. Typically, the security information and event management (SIEM) platform alerts the incident response team.

Step 2: Analysis
Analysts review alerts, identify indicators of compromise (IoCs), and use them to triage the threat. They often perform additional investigation, reviewing related alerts and ruling out false positives to get a complete picture of the suspicious activity.

Step 3: Prioritization
Analysts need to understand the impact of security incidents on the organization's business activity and valuable assets. Prioritizing incidents helps a team understand which security events to focus on, and how best to allocate resources in subsequent steps.

Step 4: Notification
First, the incident responder notifies the appropriate people within the organization. In case of a confirmed breach, organizations typically notify external parties, such as customers, business partners, regulators, law enforcement agencies, or the public. The decision to notify external parties is usually left to senior management, normally together with legal counsel, because breach-notification obligations and deadlines vary by jurisdiction and regulation.

Step 5: Containment and forensics
Incident responders take action to stop the incident and prevent the threat from reinfecting the environment. They also collect forensic evidence as needed for further investigation or future legal proceedings; that evidence (disk and memory images, logs) should be preserved before containment actions such as rebuilding a host destroy it.

Step 6: Recovery
Incident responders eradicate malware from affected systems, then rebuild, restore from backups known to predate the compromise, and patch those systems to restore normal operation.

Step 7: Incident review
To prevent an incident from recurring and to improve future response, security personnel review the steps that led to the detection of the most recent incident.
They identify aspects of successful incident response, opportunities to improve systems (such as tools, processes, and staff training), and recommend remediations for discovered vulnerabilities.

Incident Response Frameworks

Some large organizations with significant security expertise have developed incident response frameworks to help other organizations create standardized response plans. The National Institute of Standards and Technology (NIST) and the SANS Institute (SysAdmin, Audit, Network, and Security) have each developed well-known incident response frameworks.

SANS Incident Response Framework

SANS is a private organization that researches security issues and educates the public on them. The SANS framework divides the incident response process into six phases:
SANS also includes an incident response checklist for each step and two templates with system commands to help organizations carry out specific incident response tasks. These templates are available for Windows and UNIX systems.

NIST Incident Response Framework

NIST is a US government agency that develops standards for the technology and security industry. As part of its cybersecurity work, it developed a comprehensive incident response framework, published as NIST Special Publication 800-61, the Computer Security Incident Handling Guide. It includes details on creating an incident response plan, establishing an incident response team, building a communication plan, and training scenarios. The framework condenses the six incident response steps used by the SANS framework into four:
NIST considers the containment, eradication, and recovery phases as overlapping. For example, while one threat is being contained, an organization should not wait until all threats have been discovered before eradicating the problem. If other threats are present, they should be contained and eliminated as soon as possible. Also, recovery is not a strictly defined step but a process that depends on the prioritization and nature of the assets being recovered.

NIST Incident Response Plan Templates

Developing an incident response plan can be difficult. Using one of the following templates provides structure and direction for this task:
Incident Response Playbooks

An incident response playbook provides teams with standard steps and procedures for responding to and resolving incidents in real time. Playbooks can also include peacetime training and exercises to prepare the team for the next event. Playbooks are an integral part of DevOps and IT Ops incident management and of cybersecurity. They help teams handle unplanned outages and restore systems to order, and the organizational policies and practices they encode ensure a consistent response to incidents and security threats. A playbook typically contains the following elements:
Incident Response Team

Incident response teams are groups of IT and security professionals who prepare for and respond to cyber attacks. An incident response team's responsibilities include developing a proactive incident response plan, testing and resolving system vulnerabilities, maintaining strong security best practices, and providing support for all incident handling actions. Incident response team members typically have varied skills, backgrounds, and roles, so they can prepare for a range of security incidents. The specific skill set of an organization's incident response team may differ because companies have different risk profiles and business processes. In general, the core functions of incident response team members are:
A Framework for Leveraging Incident Response Tools

In addition to seeking administrative support and following a documented incident response plan, incident response tools are key to preparing for and responding to security incidents. Cybersecurity tools should be implemented long before an incident occurs, because they provide the information used to detect, investigate, and respond to incidents; logs that were never collected cannot be analyzed after the fact. Most organizations already have common security controls in place to support incident response capabilities, particularly with regard to logging and alerting. However, there are dedicated tools that can guide a team through its incident response workflow and provide all the details needed to make an informed decision. Some organizations follow the Observe, Orient, Decide, Act (OODA) loop to provide guidance on which tools are needed and when. This approach, borrowed from military decision-making, follows a four-step cycle when dealing with threats:
Incident Response Tool Categories

There are several types of tools that are useful for incident response:

Security Orchestration, Automation, and Response (SOAR)

SOAR refers to platforms that collect security data from various sources and orchestrate or automate the response to it. A SOAR solution may combine machine learning and human input to analyze the data, extract insights, and prioritize the relevant incident response procedures. SOAR software typically includes three capabilities:
User and Entity Behavior Analytics (UEBA)

UEBA solutions use large datasets and machine learning to establish baselines for typical behavioral patterns, allowing them to identify atypical behavior within the network that may indicate threats. The emphasis on suspicious behavior allows UEBA to detect threats that can evade traditional signature-based security and antivirus tools, including attacks that use no malware at all. UEBA uses behavioral models to assess threat levels, providing risk scores to guide the response process.

Security Information and Event Management (SIEM)

SIEM is a security management approach that provides a unified system combining security information management and security event management. SIEM solutions deploy multiple data collection agents to collect event data from servers, end-user devices, and network infrastructure. A central management console consolidates the data, allowing security analysts to filter out noise and prioritize real security incidents.

Endpoint Detection and Response (EDR)

EDR systems collect and analyze endpoint security data to protect the network from vulnerable user devices and workstations. EDR aims to detect security breaches in real time, enabling rapid response. This approach helps identify emerging and advanced threats that traditional security tools might miss. The specific capabilities of each EDR solution may vary significantly.

Extended Detection and Response (XDR)

XDR solutions, typically delivered as SaaS, detect security threats and implement incident response procedures. XDR tools integrate several security capabilities in a unified security operations solution, making sophisticated incident response capabilities more accessible and affordable. The advantage of XDR is its consolidation of multiple security products, building on EDR capabilities. It can improve the productivity of security operations with enhanced detection and response and centralized visibility and control across enterprise environments.

XDR tools ingest and distill multiple telemetry streams and analyze threat vectors and tactics. They help speed up response efforts by handling the detection and investigation processes.
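The following is an added example, not code from the original page or from BlueVoyant. It shows, in miniature, what the SIEM and UEBA descriptions above and Steps 1 to 3 of the incident response process (detection, IoC analysis, prioritization) look like as logic: events are normalized, checked against an indicator list and a per-user baseline, and the resulting findings are weighted by asset criticality so the most important host rises to the top. The log format, log lines, indicators, baseline and asset ratings are all constructed for the example; a real SIEM learns the baseline from history rather than from a hard-coded dictionary.

```python
"""Toy SIEM-style triage pass (added example; all data below is constructed)."""
from collections import defaultdict

# Constructed sample events in an assumed "timestamp key=value ..." format:
# two workstations, one production database server, one brute-force attempt.
SAMPLE_LOGS = """\
2024-05-01T08:02:11Z host=ws-012 user=alice src=10.1.4.22 action=login result=success
2024-05-01T08:05:40Z host=ws-012 user=alice src=10.1.4.22 action=login result=success
2024-05-01T09:10:00Z host=ws-044 user=bob src=10.1.4.30 action=login result=failure
2024-05-01T09:10:05Z host=ws-044 user=bob src=10.1.4.30 action=login result=failure
2024-05-01T09:10:09Z host=ws-044 user=bob src=10.1.4.30 action=login result=success
2024-05-01T22:15:03Z host=db-prod-01 user=alice src=203.0.113.77 action=login result=success
2024-05-01T22:15:09Z host=db-prod-01 user=alice src=203.0.113.77 action=dns query=update.evil-example.net
"""

# Constructed threat-intelligence indicators of compromise (IoCs).
IOC_IPS = {"203.0.113.77"}
IOC_DOMAINS = {"update.evil-example.net"}
# Constructed UEBA-style baseline: source IPs each user normally logs in from.
KNOWN_SOURCES = {"alice": {"10.1.4.22"}, "bob": {"10.1.4.30"}}
# Constructed asset criticality, 1 (low) to 5 (crown jewels); unknown hosts get 1.
ASSET_CRITICALITY = {"db-prod-01": 5, "ws-012": 2, "ws-044": 2}
# Weight of each finding type before it is multiplied by asset criticality.
WEIGHTS = {"ioc_ip": 3, "ioc_domain": 3, "baseline_deviation": 2, "brute_force": 2}


def parse_event(line):
    """Normalize one 'ts key=value ...' line into a dict; None if unparsable."""
    parts = line.split()
    if len(parts) < 2 or "=" in parts[0]:
        return None
    event = {"ts": parts[0]}
    for pair in parts[1:]:
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    return event if len(event) > 1 else None


def analyze(events):
    """Step 2: tag each event with the reasons it looks suspicious."""
    failed = defaultdict(int)  # (user, src) -> consecutive failed logins
    tagged = []
    for ev in events:
        reasons = []
        user, src = ev.get("user"), ev.get("src")
        if src in IOC_IPS:
            reasons.append("ioc_ip")
        if ev.get("query") in IOC_DOMAINS:
            reasons.append("ioc_domain")
        if ev.get("action") == "login":
            if ev.get("result") == "failure":
                failed[(user, src)] += 1
            else:
                if failed[(user, src)] >= 2:
                    reasons.append("brute_force")  # success after repeated failures
                failed[(user, src)] = 0
                if user in KNOWN_SOURCES and src not in KNOWN_SOURCES[user]:
                    reasons.append("baseline_deviation")
        if reasons:
            tagged.append((ev, reasons))
    return tagged


def prioritize(tagged):
    """Step 3: aggregate findings per host, weight by criticality, rank."""
    per_host = defaultdict(lambda: {"score": 0, "reasons": []})
    for ev, reasons in tagged:
        host = ev.get("host", "unknown")
        crit = ASSET_CRITICALITY.get(host, 1)
        for reason in reasons:
            per_host[host]["score"] += WEIGHTS[reason] * crit
            per_host[host]["reasons"].append(reason)
    ranked = [(h, d["score"], d["reasons"]) for h, d in per_host.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def triage(log_text):
    """Steps 1 to 3 end to end: parse, analyze, prioritize. Returns ranked list."""
    events = [e for e in map(parse_event, log_text.splitlines()) if e]
    return prioritize(analyze(events))


if __name__ == "__main__":
    for host, score, reasons in triage(SAMPLE_LOGS):
        print(f"{host:<12} priority={score:<3} {', '.join(reasons)}")
```

Run as a script it prints db-prod-01 first with a priority of 55 (an IoC source address, a login outside the user's baseline, and a DNS query for an IoC domain, all multiplied by the server's criticality of 5), and ws-044 second with 4 (two failures followed by a success). The workstation logins from alice's usual address produce no finding at all, which is the noise-filtering the SIEM paragraph describes.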
Incident Response Services

Incident response is most effective when undertaken quickly by experienced responders. Organizations often lack the resources to maintain a full incident response team that is active 24 hours a day. One option is to work with an external organization that provides professional incident response services. Engaging with these organizations provides the following benefits:
What are the benefits of an incident response plan to an organization?
An incident response plan helps mitigate the impact of an attack, remediate vulnerabilities, and secure the overall organization in a coordinated manner. It also ensures that the organization can use its staff, tools and resources to tackle the issue efficiently and minimize its impact on other operations.

What is the role of incident response and management in risk mitigation and risk management?
Incident response and management are vital to risk mitigation; they provide the timely detection, notification, and intervention capabilities that contain the impact of a risk event and manage efforts to recover from it and restore operations to normal.

Why does an organization need an incident response plan to secure information and knowledge?
Incident response procedures focus on planning for security breaches and how organizations will recover from them. Without a formal IR plan in place, organizations may not detect attacks, or may not know how to contain, clean up after, and prevent attacks once they are detected.

Why is an incident response team important?
The incident response team's goal is to coordinate and align the key resources and team members during a cyber security incident to minimize impact and restore operations as quickly as possible.