Building an Incident Response Team & IR Process

Incident response team & IR process

Cybersecurity incidents happen in business, and the only thing you can do about it is to prepare for them. You need two things to fully prepare for eventual incidents: an IR or incident response team and an IR process.

Building an incident response team

The IR team is responsible for all IR activities across an organization. An effective IR or Incident Response team is collaborative and comprehensive. Collaborative means that all the team members work together and advocate for the IR process. Comprehensive means the team has cross-functional representation within the organization to ensure each aspect of the incident can be addressed.

At a minimum, your Incident Response team should include the following:

IR Lead

The IR Lead oversees the IR process, prioritizes certain activities, and ensures the IR process is followed. The IR Lead is also the primary communicator to internal stakeholders.

Legal

The legal team can be internal or outside (or a combination of the two). Either way, ensure you have access to legal representation with privacy and data security expertise.

Technical

For most incidents, the technical team means members of the IT staff. As most incidents involve data and/or IT infrastructure, the IT staff is in the best position to isolate the problem quickly.

Executive 

The executive team must be kept up to date, and they are also necessary for timely approving resource allocation, including funding, staffing, and time commitments.

Public Relations

The PR team communicates with external stakeholders and the press. It is essential that their messaging be honest, accurate, timely, and consistent.

Subject Matter Experts

SMEs can come from any discipline but almost always include security analysts. These are experts who can identify when and how an incident occurred. They are also responsible for triage and forensics.

Formulating an IR process

After building your incident response team, you will need a  good IR process which will include the following seven steps:

Step 1 – Detection

Detection begins with monitoring, typically using a SIEM application. Frequently an incident will be triggered by an alert from the SIEM, with an incident ticket created soon after that documenting initial findings and classifying its criticality.

Step 2 – Analysis

In this step, you’ll deploy your SMEs and the IT staff to collect data using tools and systems for further analysis, including endpoint analysis, binary analysis, or enterprise hunting. All forensic efforts should follow procedures documented ahead of time in runbooks.

Step 3 – Containment

Like analysis, containment should follow procedures documented in advance in runbooks. The procedures should include things like coordinated shutdowns. SMEs and IT staff are very active in ensuring the incident is contained.

Step 4 – Eradication

Once the incident is contained, it needs to be eradicated. This will be done by the same teams who were active in step 3. The goal here is to remove any traces of the incident from your systems and networks.

Step 5 – Recovery

The goal here is to restore normal business operations. How long varies depending on the severity of the incident. This is where you will take advantage of off-site backups and re-imaging systems.

Step 6 – Communications

The IR Lead is the focal point for this step. They must ensure timely and accurate dissemination of information to the appropriate stakeholders. Communications must be treated as confidential at this stage.

Step 7 -Post mortem/Lessons learned

Everything about the incident must be documented in the Incident Report. From there, the SMEs and IT staff should conduct root cause analysis, identify preventative measures, document lessons learned and continue to monitor the situation.

Conclusion

Much of the success of the response to an incident depends on what you put in place before the cyber incident occurs. That includes an Incident Response team and an IR process. Even with proper planning, not all organizations have access to the subject matter experts they’ll need at a moment’s notice to analyze, contain, eradicate and recover from an incident. If you’re not sure your organization has the right SMEs in place to quickly respond to an incident, reach out to the folks at Cyber Defense Group. They help over 300 companies just like yours respond to incidents with absolute minimum damage.