By: Elviraluke Napwora
February 22, 2022
What Is Incident Response and Why Companies Should Implement It?
By: Elviraluke Napwora
February 22, 2022
WHAT IS INCIDENT RESPONSE?
Incident response is the organized process that organizations follow to identify, prioritize, contain, and eradicate a security incident while remediating the cause to prevent related incidents from recurring in the future. The ultimate goal of incident response is a quick turnaround in handling incidents to minimize damage and business impact. Therefore, it is an invaluable process for all organizations to have.
An incident response plan is a documented, written plan with distinct phases that helps IT professionals and staff recognize, respond and manage a cybersecurity incident methodically.
Learn more on the various activities involved in each step of the incidence response through the following Incident Response Steps Course.
INCIDENT RESPONSE STAGES
The incident response plan stages are as discussed below:
The preparation stage ensures that an organization can comprehensively respond to an incident at an instant to minimize damage and disruption to the business. Experiencing a breach is disruptive, hence the need to have a plan with the proper preparation to prevent and respond to events.
Critical elements prepared in this phase include:
- Define the Team (Computer Security Incident Response)
Construct a team in place with the roles and responsibilities clearly defined to facilitate decision-making and take action in support of the business when an incident occurs. The team should include a diverse range of disciples such as business leadership, technical, legal, Communications, etc. All of these disciples are instrumental in dealing with and mitigating an attack.
- Create a plan and update it occasionally
Creating a Response Plan/Strategy ensures that when an incident occurs, proper prioritization of incidents is carried out based on organizational impact rather than approaching the process randomly.
The plan and other supporting documents (i.e., security policy) should be implemented and updated periodically or after a significant incident. The essential funding and approvals required to implement the plan must be contemplated prior.
- Acquisition and Maintenance of Required Tools
Having the right tools (software & hardware), technology, and processes will serve as a guide in responding to an incident more effectively and further your investigations on the given incident. The CSIRT team must possess the knowledge and skills to detect and investigate all security incidents. Members of the CSIRT team must use various tools in different scenarios to save time and minimize impact. It is critical to ensure that the tools used for detecting and investigating incidents preserve evidence properly.
Identify the tools and the appropriate access control permissions required by the CSIRT team to undertake the various incident response processes.
- Skills and Support Training
Ensure the IR team is well-staffed with the appropriate skills and training on their incident response roles and responsibilities in case of a data breach. It ensures that the team understands the incident response processes, technical skills, relevant cyberattack patterns and techniques, various kinds of security threats and incidents and is prepared to respond and mitigate them accordingly in the event of an incident. It is good practice to exercise the IR plan from time to time through incident response drill scenarios and mock data breaches to evaluate your incident response capability. Learn more on the core skills of an incident responder through the following course on Incidence Response Fundamentals.
Designate a communication channel when an incident occurs and define it under an incident category. The communication plan should also indicate how to manage communications in cases with law enforcement or public communication.
Documentation is vital in addressing the Who, What, When, Where, Why, and How questions relating to the incident. Any information you collect about the incident presents as part of the incident investigation, public communication, legal process, or implications.
This process determines whether a security breach, or incident, has occurred, its severity, and its type. Have a method to detect deviations from normal operations in the organization and whether they represent a security incident.
With a security incident identified, it is vital to undertake further research and gather all the relevant information related to the incident to facilitate analysis and investigation. This process is substantially effortless and faster if you have all the appropriate security tools to identify incidents.
The key activities under the Identification phase include:
Monitor all sensitive/critical network and IT systems and the general infrastructure for indicators of compromise or any irregularities that could signal an incident.
Analyze events and co-relating the data from multiple sources (i.e., log files, error messages, and alerts from security tools) to identify if indicators are part of an actual attack or a false positive and report to the relevant parties.
Incident documentation: In case an incident has occurred, document all the artifacts related to the incident and continue logging all actions taken throughout the process.
The documentation process begins as you identify aspects of your system that you deem compromised. Also, document every action conducted by the incident responders to answer questions related to the incident.
Incident prioritization: Incidents should be scored based on the resulting business impact. Prioritization of incidents looks at the incident type, severity, and other subsequent effects that could put the organization in violation of standards or contracts.
Incident notification: After an incident has been analyzed and prioritized, the IR team should notify the appropriate departments/individuals and the general CSIRT members. The designated communication channel is predefined in the IR plan, including the specific reporting requirements.
This step focuses on limiting damage due to the given security incident and preventing further damage or impact on your business. A quick turnaround in handling an incident is critical to mitigating the eventual effect of an incident on your organization. There should be short-term and long-term containment strategies to ensure the business is fully covered and the acceptable risk level of the organization contemplated. The activities in the preparation phase should have confirmed that you have the right tools and skills to handle the task.
It is crucial to ensure that while carrying out containment, the necessary evidence is documented and not destroyed in the process; learning from the attack increases the security team's expertise and possibly prepares for potential litigation.
The containment process covers involves:
Short-term containment- Limiting damage/impact of the incident by applying temporary fixes such as isolating network segments, disconnecting systems, Identification, and quarantine of discovered malware, etc.
System backup- Take a forensic image/snapshot of the affected system. Having a system backup will preserve evidence from the attack to be used in court, further investigation of the incident, and lessons learned. You can understand more about what Digital Forensics entails from the Everyday Digital Forensics course.
Long-term containment- This includes measures to not only contain the current breach but to prevent future incidents in the long term. Look to address the root cause of the incident or the identified security loopholes to strengthen defense-in-depth, i.e., updating protections as needed, reviewing and reinforcing access credentials, reviewing authentication mechanisms, patching vulnerabilities, etc. You must ensure the resources required to implement the identified long-term are also updated and sufficient funding is allocated towards that.
Eradication aims to remove the threat (i.e., securely removing malware or other artifacts introduced by the attack) and fully restore all affected systems. Hardening, patching, and updating the affected systems are applied to mitigate against the given attack in the future.
Finding and eliminating the root cause of the breach is critical in ensuring any trace of malware, any security issues, or loopholes that would make you vulnerable to future attacks are all handled.
It is worth bearing in mind that the activities under containment and eradication may occasionally be similar as the two phases are intertwined, and some incident response standards classify them as one.
Some of the main processes in the eradication phase involve:
Reimaging—Doing a complete wipe and re-image of affected system hard drives is fundamental in ensuring the removal of any malicious content.
Understanding the root cause of the incident is critical in handling the underlying security loophole and preventing future compromise.
Implementing security best practices ensures the hardening of systems against potential threats; this includes performing the necessary security patches, implementing software upgrades, scanning for malware, disabling unused ports/services.
The recovery phase aims at restoring the affected systems and devices to normal business operations or productions after removing the threats. The recovery procedure involves:
Restoring operations– This centers around the decision by system owners on when to restore services to production based on information provided by the CSIRT team regarding the incident. Also, this involves the process of testing and verifying that the systems are functional before they go live again. System testing is pivotal before restoring operations as it checks whether the system's security has been hardened by the security patches/updates applied.
Continuous Monitoring- Occurs after the incident to observe operations and check for abnormal behaviors. Create a timeline indicating the affected system(s) that should be placed under active monitoring and what to check for is essential in the recovery process.
Prevent another incident- Consider what can be done on the restored systems to protect them from recurrence of the same incident. What tools can we implement to ensure similar attacks do not recur? (endpoint monitoring and detection, file integrity monitoring, next-generation firewall protection, etc.)
6. LESSONS LEARNED
This step provides an opportunity to critically analyze the incident response process and identify areas of improvement by learning from the experience on how to better respond to future security events. An after-action meeting to reflect on the security incident will allow the team to analyze the incident, draw lessons and determine what works well or otherwise in their incident response plan.
Lessons Learned are essential because the threat landscape is continuously evolving; thus, IR needs to be updated regularly. You should add the identified improvements to your IR plan.
The lessons learned process includes:
Comprehensive documentation— Document all aspects of an incident to identify positive and negative experiences next time.
Incident report— Review the entire incident, and answer the Who, What, Where, Why, and How questions.
CSIRT performance improvement— Extract items from the incident report and those not handled correctly as pointers on what needs improvement next time. Check areas where the team was effective and sections where they were ineffective as a benchmark of the skill capability within your team.
Establish a benchmark for comparison— Derive metrics from the incident report that you can use to guide you in future incidents, such as providing a baseline of activities to conduct during incident response.
Lessons learned meeting— Engage the various stakeholders to discuss the incident and the lessons learned. Have a roadmap on how to implement changes to mitigate the given risk.
From the incident response steps highlighted above, having a plan of action is necessary to handle and mitigate security incidents that organizations face.