Incident Response - An Introduction
Incident response, sometimes grouped under the broader heading of incident management, is the tactical and strategic approach to handling a security breach or cyber attack. Every year, thousands of businesses and organizations are attacked, most often by external threat actors. These breaches can lead to compromised information, legal and regulatory liability, significant financial loss, and lasting public distrust.
Incident response provides the actionable steps to follow once a breach has been detected. Using forensic, monitoring, and containment tooling, a Security Incident Response Team (SIRT) regains control of the affected systems or network and restores their integrity. The goal of incident response is to limit the severity of the damage and shorten the recovery time.
With organizations' growing online footprint, cybercriminals have more opportunities to target businesses and entities of every size. One widely cited estimate puts the rate of attacks on internet-connected systems at one every 39 seconds. Although no industry is spared, government, retail, and technology are among the most targeted sectors, as they typically hold the most sensitive information and personal data, which can be sold or used for extortion.
With this ever-present cybersecurity risk, incident response is a critical component of any security plan. As digital economies continue to grow, companies and agencies will need to familiarize themselves with incident response, both as a long-term investment and as a proactive measure against the threat actors targeting them today.
How does incident response work?
Incident response consists of a multi-tier approach, with each element working in conjunction to:
- Detect an incident
- Assess its severity and scope
- Plan: decide on the response strategy
- Execute: eliminate the threat and return to normal operation
- Improve defenses to close the gaps the attacker used
While the detailed playbook varies between incident response providers and in-house teams, the overarching plan is consistent: identify the issue, contain it, and return the network to full strength.
Because intellectual and digital property is so valuable, time is always critical in responding to an attempted or successful breach. Therefore, quickly engaging a response team, whether an in-house SIRT or an external one on retainer that can put "boots on the ground", is essential to limiting the damage done by the intruder. From that point, the team can begin to contain the incident and restore control.
Why is incident response so important?
Incident response issues aren't just a cybersecurity problem; they are business problems, and often legal problems. Today, nearly every business or organization handles personal and confidential information, making it a possible target for cybercriminals. Roughly 43 percent of cyber attacks target small businesses, and a widely repeated (though poorly substantiated) claim holds that 60 percent of those go out of business within six months of an attack. While it is not impossible to rebound from a security breach, the likelihood of severe business impact rises significantly when no incident response plan is in place.
As the internet becomes further infused with everyday business, more threats will emerge. The days of in-store robberies are being traded for online hacks and network breaches. Criminals who get inside a business network can gain access to bank accounts, health records, tax information, and more. The payout and the difficulty of attribution make these crimes attractive.
The infiltration of a company or organization's network sets off a chain reaction of consequences. According to IBM's 2020 Cost of a Data Breach report, the average cost of a data breach is $3.86 million. Many businesses never bounce back from the financial fallout of legal fees, temporary operational shutdown, client loss, and similar costs. Businesses must not wait for an incident to occur; they should regularly and thoroughly plan and assess their cybersecurity measures, including incident response.
Many businesses are quick to adopt the conveniences of eCommerce, cloud storage, and other internet advancements, yet slow to recognize the need for, and commitment to, proper online security. Those that fail to prioritize cybersecurity will struggle to survive in the economy of tomorrow.
The breakdown of a security incident response team
A security breach can be relatively simple, such as a standard phishing scam, or a highly technical exploit of a software vulnerability. Regardless of the type of attack, your in-house or hired Security Incident Response Team (SIRT) needs to be able to handle any degree of breach complexity and severity.
A SIRT consists of several technical experts, including digital forensics specialists, malware analysts, incident managers, and SOC analysts who specialize in network attacks. The team connects to your environment, deploys its collection and analysis tooling, and begins identifying the scope of the compromise.
This team works around the clock to understand the breach, discover what went wrong, restore control, and rebuild security strength. A SIRT drawing on several areas of cybersecurity expertise ensures that your breach is fully vetted and approached from multiple perspectives.
How an incident response plan is devised (and what it might consist of)
A SIRT will create a custom plan for your situation and deploy the necessary resources to address the breach. There are traditionally six steps to an incident response plan:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
An effective incident response plan starts with thorough preparation. Security breaches or attempts are just a matter of time, so organizations need to flesh out an in-house incident response plan or retain an on-call SIRT that is ready to respond. Preparation should produce actionable and repeatable steps covering policy, the response plan and strategy, communication channels, documentation, the SIRT's membership and roles, access control, tooling, and training.
Identification is the step in which incidents are detected. Any breach is bad, but the faster the identification, the better the chance an incident response plan has of reducing costs and damage. In this step, IT staff gather events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to determine whether an incident has occurred and to establish its scope: which hosts, accounts, and data are involved, and since when.
Once an incident is identified, containing it is the next step. This phase prevents further damage by drawing a "digital perimeter" around the attacker: isolating affected hosts, blocking the attacker's infrastructure, and disabling compromised accounts and credentials. Containment is also the point at which evidence must be preserved, with forensic images and log copies taken and hashed before any system is altered, so that it survives for later analysis or prosecution.
Eradication is the phase that removes the threat and its root cause from the network. Having contained the incident and preserved evidence, the SIRT removes malicious content, closes the vulnerability or misconfiguration that was exploited, resets any credentials the attacker obtained, and cleans or rebuilds the affected systems in preparation for returning them to everyday use.
The recovery phase puts all the work done to this point to the test. The SIRT tests, monitors, and validates systems as they are returned to production. During this step, experts look for further vulnerabilities and reassess the point of access used in the breach, verifying that systems are not re-infected or compromised again. The team decides when operations can safely relaunch and monitors the restored systems closely until they can stand on their own again.
Lessons learned is a critical phase of incident response because it brings to light the shortcomings and errors in the previous cybersecurity plan and technology. The goal of this step is to educate the organization and improve future security measures and protocols. Organizations have the opportunity to update their documentation and emergency responses to limit the damage and effectiveness of future incidents. A comprehensive report written in this phase reviews the entire incident and can be used in recap meetings, to improve training materials, and to build public relations responses.
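The identification and containment steps above are easiest to see in code. The following Python script is an added example written for this page; it is not code from the original article or from Cyber Defense Group. It runs over a handful of constructed OpenSSH auth log lines (not from a real host), flags a password brute force that ends in a successful login, works out the scope as every host and account the attacker's address reached (including a quiet login on a second host that would not be flagged on its own, which goes a step beyond the text), records a SHA-256 hash of the raw log as a chain-of-custody entry before anything is changed, and emits a containment plan. The log format, the hostnames and addresses, and the five-failure threshold are assumptions for the example.

```python
"""Identification and containment over constructed SSH auth log lines.

Added example for this page, not code from the original article or from CDG.
Hostnames, addresses and the failure threshold are assumptions.
"""
import hashlib
import json
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines in OpenSSH/syslog format; not from a real host.
SAMPLE_LOG = """\
Mar  3 10:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 10:01:04 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51023 ssh2
Mar  3 10:01:06 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  3 10:01:08 web01 sshd[2207]: Failed password for deploy from 203.0.113.45 port 51025 ssh2
Mar  3 10:01:10 web01 sshd[2209]: Failed password for deploy from 203.0.113.45 port 51026 ssh2
Mar  3 10:01:12 web01 sshd[2211]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
Mar  3 10:05:30 web01 sshd[2290]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2
Mar  3 10:06:00 web01 sshd[2301]: Failed password for bob from 198.51.100.9 port 40300 ssh2
Mar  3 10:08:15 db01 sshd[903]: Accepted password for deploy from 203.0.113.45 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAILURE_THRESHOLD = 5  # assumed tuning value; set per environment in practice


def parse_events(text):
    """Turn raw syslog lines into dicts, skipping lines that are not sshd auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_brute_force(events, threshold=FAILURE_THRESHOLD):
    """Identification: flag a source that fails `threshold` or more times against
    a host and then logs in successfully. Failures are counted per (host, source IP)."""
    failures = defaultdict(int)
    incidents = []
    for e in events:
        key = (e["host"], e["ip"])
        if e["result"] == "Failed":
            failures[key] += 1
        elif failures[key] >= threshold:
            incidents.append({
                "host": e["host"],
                "source_ip": e["ip"],
                "compromised_user": e["user"],
                "failed_attempts": failures[key],
                "first_success": e["ts"],
            })
    return incidents


def assess_scope(events, incidents):
    """Scope: every (host, account) the flagged sources reached successfully,
    including logins that would not look suspicious on their own."""
    flagged = {i["source_ip"] for i in incidents}
    return sorted({(e["host"], e["user"]) for e in events
                   if e["result"] == "Accepted" and e["ip"] in flagged})


def preserve_evidence(raw_log, label, handler):
    """Containment prerequisite: hash the raw log before any cleanup so later
    analysis, or a prosecutor, can show it was not altered after collection."""
    data = raw_log.encode()
    return {
        "label": label,
        "sha256": hashlib.sha256(data).hexdigest(),
        "bytes": len(data),
        "collected_by": handler,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }


def containment_plan(incidents, scope):
    """Build the block/disable/isolate list a responder acts on.
    This only builds the plan; it changes nothing on any system."""
    return {
        "block_ips": sorted({i["source_ip"] for i in incidents}),
        "disable_users": sorted({user for _, user in scope}),
        "isolate_hosts": sorted({host for host, _ in scope}),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    incidents = detect_brute_force(events)
    scope = assess_scope(events, incidents)
    custody = preserve_evidence(SAMPLE_LOG, "web01-db01-auth.log", "responder-1")
    print(json.dumps({"incidents": incidents, "scope": scope, "evidence": custody,
                      "containment": containment_plan(incidents, scope)}, indent=2))
```

Two design points worth noting. The scope step deliberately keys on the attacker's address rather than on the brute-force pattern, which is why the single clean login to db01 ends up in the isolation list even though nothing about that line alone looks hostile. And the evidence hash is taken over the raw bytes before parsing or any containment action, which is the order a later analyst or court will expect; the containment plan is produced as data for a human to act on rather than executed automatically.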
Need to develop an incident response plan?
If you're looking for more guidance on how to develop an incident response plan or need immediate security assistance, CDG can help. An expert and dedicated incident response services team will consult on and rectify your emergency. Founded in 2016 by cybersecurity expert Lou Rabon, Cyber Defense Group was designed to address the growing demand for experienced cybersecurity consulting for innovative cloud-native and cloud-reliant organizations. Get in touch, and see what results are possible for your organization.