Incident Response Mitigation Steps
The National Institute of Standards and Technology (NIST) defines a four-step process for managing a security incident:
#1. Preparing for Incident Response
Preparation is essential to ensure that an organization is ready for an incident when one happens. Some key elements of the preparation stage include:
- Incident Response Planning: Companies face a wide variety of cyber threats (like an insider threat) and should have processes in place for addressing them. For example, an effective incident response plan should include strategies for managing ransomware, distributed denial-of-service (DDoS), data breaches, and other cyber attacks.
- Developing an Incident Response Team (IRT): The IRT is responsible for managing an identified incident and needs to be able to take prompt action. Defining the team in advance ensures that members can act quickly, and provides the opportunity to train responders before an incident occurs.
- Defining Roles and Responsibilities: Incident response requires quick decision-making and action. Roles and responsibilities should be defined in advance so that everyone knows their role and who to contact for key decisions.
- Establishing Communication Channels: The IRT should be reachable at all times to ensure a rapid response to an incident. Additionally, the organization should have established channels in place to contact key internal and external stakeholders, such as senior management, legal, law enforcement, and regulators.
- Conducting Risk Assessments: Preventing an incident before it happens is always better than managing it after the fact. Regular risk assessments can highlight security gaps that the organization can close before they can be exploited by an attacker.
#2. Initial Identification and Assessment
Before an IRT can begin addressing an incident, it needs to know that a problem exists. Some key steps toward incident identification and assessment include:
- Recognizing Indicators of Compromise (IoCs): IoCs are signs that a cyber incident has happened, such as suspicious network traffic or the presence of malware on a computer. Ongoing monitoring can identify these IoCs, which point to a potential security incident.
- Detecting and Analyzing Security Events: IoC identification and incident detection are enabled by event monitoring. Analysts using security information and event management (SIEM) and similar solutions can identify anomalies or trends that point to a security incident.
- Determining the Type of Incident: Companies can experience a variety of security incidents. Determining the type and scope of the incident is important to incident prioritization and a correct response.
- Prioritizing Incidents Based On Impact and Risk: An organization may experience multiple simultaneous cyberattacks. Prioritization is essential to ensure that the company doesn’t overlook or delay the management of a major incident due to a response to a minor one.
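The identification-and-assessment steps above (spotting IoCs in monitored events, classifying the incident type, and ranking by impact and risk) as a small worked example. This is added illustration, not code from the article or from NIST; the log lines, the watchlist address, and the per-asset impact values are constructed placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample events (not from any real system) standing in for what a
# SIEM collects: repeated auth failures, an outbound connection, an AV alert.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 host=ws-07 auth failed user=alice src=10.0.0.5",
    "2024-05-01T10:00:02 host=ws-07 auth failed user=alice src=10.0.0.5",
    "2024-05-01T10:00:03 host=ws-07 auth failed user=alice src=10.0.0.5",
    "2024-05-01T10:01:10 host=db-01 outbound dst=198.51.100.23 port=443",
    "2024-05-01T10:02:00 host=ws-12 av detected malware=Trojan.Generic path=/tmp/x.bin",
]

# Hypothetical watchlist of known-bad destinations (placeholder address, TEST-NET-2).
BAD_DESTINATIONS = {"198.51.100.23"}
FAILED_LOGIN_THRESHOLD = 3
# Assumed business impact per asset (1-5); db-01 is treated as a critical data store.
ASSET_IMPACT = {"db-01": 5, "ws-07": 2, "ws-12": 2}

@dataclass
class Incident:
    kind: str        # incident type determined from the IoC
    host: str
    likelihood: int  # 1-5 analyst confidence that the IoC is a real compromise
    def score(self):
        # Risk-based priority: asset impact times likelihood.
        return ASSET_IMPACT.get(self.host, 1) * self.likelihood

def field(line, key):
    m = re.search(rf"{key}=(\S+)", line)
    return m.group(1) if m else None

def detect(lines):
    """Map raw events to candidate incidents; auth failures are aggregated."""
    incidents, failures = [], Counter()
    for line in lines:
        host = field(line, "host")
        if "auth failed" in line:
            failures[(host, field(line, "src"))] += 1
        elif "outbound" in line and field(line, "dst") in BAD_DESTINATIONS:
            incidents.append(Incident("c2-beacon", host, 4))
        elif "av detected" in line:
            incidents.append(Incident("malware", host, 3))
    for (host, src), n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            incidents.append(Incident("brute-force", host, 2))
    return incidents

def prioritize(incidents):
    # Highest impact-times-likelihood first, so a major incident is not queued behind minor ones.
    return sorted(incidents, key=lambda i: i.score(), reverse=True)
```

Running `prioritize(detect(SAMPLE_LOGS))` ranks the outbound connection from the critical database host first, even though the noisier brute-force events arrived earlier.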
#3. Containment, Mitigation, and Recovery
After an incident has been identified, containing the cybersecurity threat and mitigating it is essential to limiting the damage done.
Some key activities in this phase include:
- Short-Term Containment Strategies: In the short term, the IRT needs to take action to quickly halt the spread of the intrusion. This may involve more disruptive containment strategies — such as taking down important systems or services — that can’t be sustained long-term.
- Long-Term Containment Strategies: An organization is likely to need a more targeted containment strategy in the long term. This strategy should be based on the type of incident and the set of affected systems, and the IRT should create both short-term and long-term containment plans in advance.
- Investigating and Remediating Compromised Systems: After affected systems have been isolated, the IRT can begin investigating and remediating the compromised systems. This includes collecting data and evidence to enable targeted remediation and to support any legal action.
- Restoring Affected Systems and Services: After the incident has been remediated, affected systems can be restored to normal. Throughout this process, the IRT should monitor and test systems to ensure complete eradication of the intrusion and a full recovery.
#4. Post-Event Activities
Once an incident response is complete, the IRT can perform wrap-up activities, including:
- Documenting the Incident: Fully documenting an incident is key to avoiding similar issues in future incidents and to maintaining regulatory compliance. Incident responders should take notes during the IR process and generate formal documentation after it is complete.
- Performing a Retrospective: IRTs commonly conduct a retrospective after a security incident. This enables them to identify any issues with the incident response process that could be corrected in the future.
- Addressing the Root Cause: During the investigation, the IRT should identify the initial vulnerability that enabled the incident to occur. The organization can address this issue by applying patches and updates or taking other actions to tighten security controls.