What is Incident Response?
After experiencing a cybersecurity incident such as a data breach, DDoS attack, or ransomware infection, an organization will perform incident response. The goal of incident response is to minimize the impact of the security incident and restore the organization to normal operations.
Having an incident response policy and incident response team (IRT) in place can dramatically reduce the time and cost of recovery. In fact, having an incident response team and plan in place is one of the top three factors that reduce the overall cost of a data breach.
How Does Incident Response Work?
Incident response is a structured process designed to minimize the impact of a security incident and the time to full recovery. The tasks performed during incident response can be largely broken up into six main stages:
- Preparation: Before a security incident occurs, an organization should take steps to prepare for it. Preparation steps include defining the incident response team and creating the policies and procedures that will be followed as part of the incident response effort.
- Identification: Management of an incident begins with identifying the incident. Often, the incident will be initially identified by the organization’s security operations center (SOC), which will hand over to the IRT once it has validated that it is a true positive.
- Containment: Containment focuses on limiting the damage caused by the security incident. For example, quarantining infected machines or locking compromised user accounts can help to prevent the intrusion from spreading.
- Eradication: During eradication, the IRT performs an in-depth investigation to determine the scope and root cause of the incident. Once this is complete, the IRT removes the intrusion from the organization’s systems.
- Recovery: Once the intrusion has been eradicated, the IRT begins restoring systems to normal operations. This could include restoring systems from backups, unlocking user accounts, and similar actions. Throughout this process, the IRT verifies that systems were restored successfully and that there are no remaining signs of infection.
- Lessons Learned: The incident response process ends with a retrospective. This can include attempting to identify and fix the root cause of the incident — preventing future attacks — and identifying potential room for improvement in the IRT’s processes and procedures.
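The six stages above are sequential, and much of their value comes from not skipping ahead: containment should not start until the SOC has confirmed a true positive, recovery should not begin without a root cause, and the incident should not be closed while any contained asset still shows signs of infection. The following Python tracker is an added example, not code from the original article or from any of the frameworks it cites; it models an incident as a small state machine that enforces those ordering rules and keeps a timestamped timeline for the lessons-learned review. The prerequisite checks at each transition, the asset and account names, and the root cause in `run_example` are all constructed for illustration.

```python
"""Six-phase incident lifecycle tracker (added example, not from the original page).

The transition prerequisites below are illustrative assumptions about what an IRT
would want recorded before moving on; they are not prescribed by NIST, ISO/IEC
27035 or SANS.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Phase(Enum):
    PREPARATION = 1
    IDENTIFICATION = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    LESSONS_LEARNED = 6


class PhaseError(RuntimeError):
    """Raised when a transition is attempted before its prerequisites are met."""


@dataclass
class Incident:
    name: str
    irt_contacts: list = field(default_factory=list)   # defined during preparation
    phase: Phase = Phase.PREPARATION
    validated_true_positive: bool = False
    contained_assets: dict = field(default_factory=dict)  # asset -> containment action
    verified_clean: set = field(default_factory=set)
    root_cause: str = ""
    timeline: list = field(default_factory=list)

    def log(self, message: str) -> None:
        """Append a timestamped entry for the post-incident retrospective."""
        self.timeline.append((datetime.now(timezone.utc).isoformat(), self.phase.name, message))

    def _advance(self, target: Phase) -> Phase:
        # Phases are walked strictly in order; skipping a phase is rejected.
        if target.value != self.phase.value + 1:
            raise PhaseError(f"cannot move from {self.phase.name} to {target.name}")
        self.log(f"entering {target.name}")
        self.phase = target
        return self.phase

    def begin_identification(self) -> Phase:
        if not self.irt_contacts:
            raise PhaseError("define the IRT during preparation before handling incidents")
        return self._advance(Phase.IDENTIFICATION)

    def validate(self, true_positive: bool) -> bool:
        # The SOC decides whether the alert is real before handing over to the IRT.
        if self.phase is not Phase.IDENTIFICATION:
            raise PhaseError("validation happens during identification")
        self.validated_true_positive = true_positive
        self.log("SOC validated true positive" if true_positive else "SOC closed as false positive")
        return true_positive

    def contain(self, asset: str, action: str) -> int:
        if self.phase is Phase.IDENTIFICATION:
            if not self.validated_true_positive:
                raise PhaseError("SOC must confirm a true positive before containment")
            self._advance(Phase.CONTAINMENT)
        elif self.phase is not Phase.CONTAINMENT:
            raise PhaseError("containment actions belong to the containment phase")
        self.contained_assets[asset] = action
        self.log(f"{action}: {asset}")
        return len(self.contained_assets)

    def eradicate(self, root_cause: str) -> Phase:
        if self.phase is not Phase.CONTAINMENT or not self.contained_assets:
            raise PhaseError("contain the intrusion before eradicating it")
        self._advance(Phase.ERADICATION)
        self.root_cause = root_cause
        self.log(f"root cause: {root_cause}")
        return self.phase

    def recover(self, asset: str, clean: bool) -> int:
        """Record a restore attempt; returns how many contained assets are still unverified."""
        if self.phase is Phase.ERADICATION:
            self._advance(Phase.RECOVERY)
        elif self.phase is not Phase.RECOVERY:
            raise PhaseError("recovery follows eradication")
        if asset not in self.contained_assets:
            raise PhaseError(f"{asset} was never contained; nothing to restore")
        if clean:
            self.verified_clean.add(asset)
            self.log(f"restored and verified clean: {asset}")
        else:
            self.verified_clean.discard(asset)  # a failed check reopens the asset
            self.log(f"signs of infection remain on {asset}")
        return len(self.contained_assets) - len(self.verified_clean)

    def close(self, improvements: list) -> dict:
        outstanding = set(self.contained_assets) - self.verified_clean
        if self.phase is not Phase.RECOVERY or outstanding:
            raise PhaseError(f"cannot close with unverified assets: {sorted(outstanding)}")
        self._advance(Phase.LESSONS_LEARNED)
        return {"incident": self.name, "root_cause": self.root_cause,
                "assets": sorted(self.contained_assets),
                "improvements": improvements, "timeline": self.timeline}


def run_example() -> dict:
    """Walk a constructed ransomware case through all six phases and return the report."""
    inc = Incident("constructed ransomware case", irt_contacts=["irt-lead@example.invalid"])
    inc.begin_identification()
    inc.validate(true_positive=True)
    inc.contain("fileserver-01", "quarantined from network")
    inc.contain("jdoe", "account locked")
    try:
        inc.close([])  # closing straight from containment is rejected
    except PhaseError:
        inc.log("premature close attempt rejected")
    inc.eradicate("phishing attachment executed on a workstation")
    inc.recover("fileserver-01", clean=False)  # first restore still showed indicators
    inc.recover("fileserver-01", clean=True)
    inc.recover("jdoe", clean=True)
    return inc.close(["add attachment sandboxing", "shorten SOC-to-IRT handover"])


if __name__ == "__main__":
    for stamp, phase, message in run_example()["timeline"]:
        print(stamp, phase, message)
```

The timeline the tracker accumulates is what the lessons-learned retrospective works from: it shows how long each phase took, which containment actions were taken, and where a recovery check failed and had to be repeated.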
Developing an Incident Response Strategy
Incident response plans can differ significantly from one organization to another. Every company has its own unique infrastructure, and incident response policies should be tailored to support business needs. For example, protecting and restoring critical systems is likely a higher priority than other tasks.
That said, there are resources available for organizations looking to develop an incident response strategy. Some useful frameworks include:
- NIST’s Computer Security Incident Handling Guide
- ISO/IEC 27035:2016
- SANS Institute’s Incident Handler’s Handbook
Incident response is the practice of managing and recovering from a security incident. Ideally, organizations will have incident response teams and policies in place before an incident occurs. This streamlines the process of incident response, which can reduce the cost and impact of the security incident on the organization.