Incident Response Team & IR Process
Cybersecurity incidents happen to every business; what you control is how well prepared you are when one occurs. Full preparation needs two things: an incident response (IR) team and an IR process.
Building an Incident Response Team
The IR team is responsible for all IR activities across the organization. An effective IR team is both collaborative and comprehensive. Collaborative means the members work together and advocate as one for the IR process. Comprehensive means the team has cross-functional representation from across the organization, so that every aspect of an incident (technical, legal, business, communications) can be addressed.
At a minimum, your Incident Response team should include the following:
IR Lead
The IR Lead oversees the IR process, prioritizes activities and ensures the process is followed. The IR Lead is also the primary communicator to internal stakeholders.
Legal
The legal team can be internal, outside counsel, or a combination of the two. Either way, make sure you have access to legal representation with both privacy and data security expertise, since breach notification obligations and evidence handling depend on it.
Technical
For most incidents, the technical team means members of the IT staff. As most incidents involve data and/or IT infrastructure, the IT staff is in the best position to quickly isolate the problem.
Executive
The executive team must be kept up to date, and it must also approve resource allocation (funding, staffing and time commitments) quickly enough not to slow the response.
Public Relations
The PR team is responsible for communicating with external stakeholders and the press. Their messaging must be honest, accurate, timely and consistent.
Subject Matter Experts
SMEs can come from any discipline, but almost always include security analysts. These are the experts who can determine when and how an incident occurred, and they are responsible for triage and forensics.
Formulating an IR Process
After building your incident response team, you will need a good IR process which will include the following seven steps:
Step 1 Detection
Detection begins with monitoring, typically through a SIEM that correlates logs from endpoints, network devices and applications. Most incidents are first surfaced by a SIEM alert; an incident ticket is opened soon after, recording the initial findings and assigning a criticality that drives how quickly the rest of the process engages.
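As an added illustration of this step (example code written for this page, not part of any product or of the original article), the following Python script applies a simple brute-force rule to a few constructed sshd-style log lines and opens an incident ticket with a criticality assigned by the rule: "medium" when one source crosses a failed-login threshold inside a time window, "high" if a login from that source then succeeds, and "critical" if the successful login is for root. The log lines, thresholds, ticket fields and ticket-ID format are all assumptions chosen for the example; a real SIEM would carry this information in its own alert and ticketing schema.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample of sshd-style auth log lines (not taken from any real system).
SAMPLE_LOG = """\
Mar 10 09:12:01 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 09:12:03 web01 sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 09:12:05 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 09:12:08 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 09:12:10 web01 sshd[4012]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 09:12:14 web01 sshd[4013]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar 10 09:30:44 web01 sshd[4100]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Mar 10 09:31:02 web01 sshd[4101]: Accepted publickey for alice from 198.51.100.5 port 40002 ssh2
"""

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

FAIL_THRESHOLD = 5            # assumed rule: this many failures from one source ...
WINDOW = timedelta(minutes=5)  # ... inside this window trips the alert


@dataclass
class Event:
    ts: datetime
    host: str
    outcome: str
    user: str
    src: str


@dataclass
class IncidentTicket:
    """Hypothetical ticket record; field names are this example's own."""
    ticket_id: str
    created: datetime
    severity: str
    host: str
    src: str
    users: list = field(default_factory=list)
    summary: str = ""
    status: str = "new"


def parse_log(text, year=2024):
    """Turn raw syslog lines into Event objects; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated line; a SIEM would route it to other rules
        stamp = " ".join(m["ts"].split())  # collapse "Mar  9" style padding
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, m["host"], m["outcome"], m["user"], m["src"]))
    return events


def detect(events):
    """Sliding-window brute-force rule keyed on source IP; at most one ticket per source."""
    failures = defaultdict(list)   # src -> timestamps of failures still inside WINDOW
    attempted = defaultdict(set)   # src -> usernames tried
    tickets = {}
    for ev in sorted(events, key=lambda e: e.ts):
        recent = [t for t in failures[ev.src] if ev.ts - t <= WINDOW]
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            attempted[ev.src].add(ev.user)
            if len(recent) >= FAIL_THRESHOLD and ev.src not in tickets:
                tickets[ev.src] = IncidentTicket(
                    ticket_id=f"IR-{len(tickets) + 1:04d}", created=ev.ts,
                    severity="medium", host=ev.host, src=ev.src,
                    users=sorted(attempted[ev.src]),
                    summary=f"{len(recent)} failed SSH logins from {ev.src} within {WINDOW}")
        else:
            # A successful login only matters if this source already tripped the rule
            # and its failures are still inside the window.
            t = tickets.get(ev.src)
            if t and recent:
                t.severity = "critical" if ev.user == "root" else "high"
                if ev.user not in t.users:
                    t.users.append(ev.user)
                t.summary += f"; login succeeded for {ev.user} at {ev.ts:%H:%M:%S}"
        failures[ev.src] = recent
    return list(tickets.values())


if __name__ == "__main__":
    for t in detect(parse_log(SAMPLE_LOG)):
        print(f"{t.ticket_id} [{t.severity}] {t.host} {t.src} users={t.users} status={t.status}")
        print("  ", t.summary)
```

On the sample above the rule opens one ticket for 203.0.113.7 at the fifth failure and escalates it to critical when the root login succeeds; the single failure from 198.51.100.5 followed by a key-based login never crosses the threshold, so no ticket is opened. The point of encoding the criticality in the detection rule itself is that the ticket arrives already classified, so the IR Lead can prioritize before any analyst has looked at it.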
Step 2 Analysis
In this step, you deploy your SMEs and the IT staff to collect data for further analysis using the tools and systems at hand, which may include endpoint analysis, binary analysis or enterprise-wide hunting for related activity. All forensic work should follow procedures documented ahead of time in runbooks, including capturing volatile evidence such as memory and active network connections before any action that would destroy it.
Step 3 Containment
Like analysis, containment should follow procedures documented in advance in runbooks. Those procedures should cover actions such as coordinated shutdowns, network isolation of affected hosts, and disabling compromised accounts, sequenced so that containment does not tip off the attacker before the full extent of the intrusion is understood. SMEs and IT staff are very active in this step, ensuring the incident is contained.
Step 4 Eradication
Once the incident is contained, it needs to be eradicated. This is done by the same teams that were active in step 3. The goal is to remove every foothold the attacker left on your systems and networks (malware, persistence mechanisms, compromised credentials) and to close the weakness that allowed the initial compromise.
Step 5 Recovery
The goal here is to restore normal business operations. How long that takes depends on the severity of the incident. This is the step where you rely on off-site backups and on re-imaging systems from known-good images; confirm that a backup predates the compromise before restoring from it, and keep restored systems under heightened monitoring.
Step 6 Communications
The IR Lead is the focal point for this step and must ensure timely and accurate dissemination of information to the appropriate stakeholders. Communications must be treated as confidential at this stage and, where counsel advises, conducted under legal privilege.
Step 7 Post-Mortem/Lessons Learned
Everything about the incident must be documented in the incident report. From there, the SMEs and IT staff conduct root cause analysis, identify preventive measures, document lessons learned, and continue to monitor for any sign that the attacker has returned.
Much of the success of the response to an incident depends on what you put in place before the cyber incident occurs. That includes an Incident Response team and an IR process. Even with proper planning, not all organizations have access to the subject matter experts they’ll need at a moment’s notice to analyze, contain, eradicate and recover from an incident. If you’re not sure your organization has the right SMEs in place to quickly respond to an incident, reach out to the folks at Cyber Defense Group. They help over 300 companies just like yours respond to incidents with absolute minimum damage.