What is Incident Response?

Incident response (IR) is the practice of identifying, remediating, and recovering from a security incident. Organizations should have IR strategies and teams in place to ensure a rapid, correct response to a potential cyberattack.

The Need for Incident Response Services

Cyberattacks are on the rise and pose a threat to companies of all sizes across all industries. Any organization could be the victim of a data breach or ransomware attack and needs to have the tools and processes required to manage a cybersecurity incident effectively.
Incident response is important because it allows an organization to determine the scope and impact of an incident and to take steps to remediate it. Incident responders will investigate the intrusion, contain and remediate infected systems, and restore normal operations after the threat has been eliminated.
Incident response can have a dramatic impact on the cost of a data breach or other cybersecurity incident if the organization is prepared to handle it properly.

Phases of Incident Response

The goal of incident response is to take an organization from knowing little or nothing about a potential intrusion (other than that it exists) to complete remediation.

The process of achieving this goal is broken up into six main stages:

  1. Preparation: Preparation is key to effective incident response and minimizing the cost and impact of a cybersecurity incident. To prepare for incident response, an organization should create an incident response team, and define and test an incident response plan that outlines how each stage of the incident response process should be handled.
  2. Detection & Triage: Incident response begins with triaging the event to confirm that it is in fact a cybersecurity incident, collecting and preserving any available evidence before containment actions are taken, and assigning the correct category and priority so that an appropriately resourced team can be formed.
  3. Containment: The security team uses information gathered from the previous phase and may use intel regarding cyber attack techniques to build a containment plan. Containment may involve isolating one or more systems, applying firewall rules or IDS signatures, adding hashes to endpoint protection products, disabling accounts or isolating an entire network. The goal is to reduce the damage caused by the incident and ensure that networks or systems are not further compromised.
  4. Remediation/Eradication: At this point in the process, the incident response team has performed a complete investigation and believes that it has a complete understanding of what has occurred. The incident responders then work to remove all traces of the infection from compromised systems. This may include malware deletion and removal of persistence mechanisms or a complete wipe and restoration of affected computers from clean backups.
  5. Recovery Time: After eradication, the incident response team may scan or monitor the infected systems for some time to ensure that the malware has been completely eliminated. After this is complete, the computers are restored to normal operation by lifting the quarantine isolating them from the rest of the corporate network.
  6. Lessons Learned: Cybersecurity incidents occur because something went wrong, and it’s important to remember that incident response doesn’t always go off flawlessly. After the incident has been remediated, the incident responders and other stakeholders should perform a retrospective to identify security gaps and shortcomings in the incident response plan that could be fixed to reduce the probability of future incidents and improve incident response in the future.
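The six phases above are an ordered procedure with two guards the text calls out: evidence is preserved before any containment action, and quarantined hosts are restored only after eradication and a period of monitoring. The following tracker is an added example (not Check Point's code, and not its process) that encodes that ordering; the phase names, the `Incident` fields and the two-clean-scan threshold are assumptions for illustration.

```python
"""Added example (not Check Point's code): a tracker for the six IR phases above that
enforces evidence-before-containment and quarantine-lift-only-after-clean-scans."""
from dataclasses import dataclass, field
from enum import Enum
import hashlib

class Phase(Enum):
    PREPARATION = 1
    DETECTION_TRIAGE = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    LESSONS_LEARNED = 6

@dataclass
class Incident:
    incident_id: str
    phase: Phase = Phase.PREPARATION
    evidence: dict = field(default_factory=dict)      # artifact name -> SHA-256 hex
    isolated_hosts: set = field(default_factory=set)  # hosts currently quarantined
    clean_scans: int = 0                              # clean scans since eradication

    def preserve_evidence(self, name: str, data: bytes) -> str:
        """Hash an artifact before containment so its integrity can be shown later."""
        self.evidence[name] = hashlib.sha256(data).hexdigest()
        return self.evidence[name]

    def guard(self, to: Phase):
        """Return why the transition to `to` is blocked, or None if it is allowed."""
        if to.value != self.phase.value + 1:
            return f"phases run in order; cannot jump from {self.phase.name} to {to.name}"
        if to is Phase.CONTAINMENT and not self.evidence:
            return "collect and preserve evidence before any containment action"
        if to is Phase.LESSONS_LEARNED and self.isolated_hosts:
            return "lift quarantine on all hosts before closing the incident"
        return None

    def advance(self, to: Phase) -> bool:
        """Move to the next phase only when the guard is satisfied."""
        if self.guard(to) is not None:
            return False
        self.phase = to
        return True

    def lift_quarantine(self, host: str, scans_required: int = 2) -> bool:
        """Restore a host only during recovery and after repeated clean scans."""
        if self.phase is not Phase.RECOVERY or self.clean_scans < scans_required:
            return False
        self.isolated_hosts.discard(host)
        return True
```

Calling `guard()` before `advance()` gives the responder the reason a step is blocked, which is also the line to write into the incident timeline.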

Incident Types and Cyber Threats

Organizations face a wide variety of security incidents. Some of the most common incident categories include:

While many of these techniques have common goals — such as stealing corporate data — they achieve these goals in various ways and have different effects on corporate systems. An organization should have incident response plans in place for each of these security threats — and any others that it anticipates encountering.

Incident Response Process and Techniques

Some key elements of an incident response strategy include:

  • Incident Reduction: Having security controls in place that reduce the number of incidents an organization experiences is a goal of any incident response team. Incidents will still occur, which is why preparation, tested controls, and a planned response reduce both the impact of each incident and the overall number of incidents.
  • Incident Investigation Techniques: The more quickly that an organization can determine the cause and details of a security incident, the faster it can be quarantined and remediated. Defining processes for investigating security incidents helps to support rapid remediation and ensure that an incident is not misclassified or overlooked.
  • Incident Response Playbooks: Ransomware attacks and DDoS attacks are very different threats and require unique responses. Organizations should have playbooks in place for handling the major types of security incidents, ensuring that incident responders aren’t confused and trying to figure out what to do in the midst of a cyberattack.
  • Incident Response Technology and Tools: To carry out incident detection and response activities, security analysts will need access to certain tools and technology. After defining these processes and determining key capabilities, the organization can acquire and train incident responders on the tools required to support corporate incident response activities.

Incident Response Services with Check Point

Most organizations – regardless of size and industry – will be the target of cyberattacks and experience security incidents. When these occur, prompt containment and remediation activities are essential to minimizing the disruption to the organization and the total cost of the security incident.

However, many organizations lack the resources and skill sets required for effective incident response.

Check Point Incident Response is available 24x7x365 to help organizations suffering a security incident. If your organization is suffering a cyberattack, reach out via our hotline. Check Point also offers proactive services to help organizations manage their risk of a future security incident. For more information about the benefits you’ll receive, download a sample report.
