What Is Incident Response?

Although cybersecurity defences stop many attacks, there is never a 100% guarantee that they will catch all intruders. When an attacker exploits a vulnerability, the organisation must first recognise the event and then use an incident response team to contain and eradicate it.

Incident response is a systematic and planned approach that organisations rely upon to identify, handle, and recover from cyber threats. It’s the series of actions an organisation takes when faced with a cybersecurity breach. As with data prevention and other threat protection solutions, incident response is a critical cornerstone of any enterprise cybersecurity programme, and its importance cannot be overlooked.

An incident response plan is a step-by-step guide that outlines what an organisation must do after a cybersecurity incident. The plan includes executing each step, defining the people involved in the response and teams responsible for data recovery, and investigating what happened and who could be responsible.

The main goal of incident response is to handle situations in a way that limits damage and reduces recovery time and costs. Effective incident response can also help prevent future threats and mitigate attempts by threat actors to use backdoor alternatives.

The aftermath of a data breach can be a stressful, busy time for everyone involved. An incident response and disaster recovery plan laying out all necessary steps avoids costly mistakes and ensures nothing is overlooked. But not every company has a plan until a breach has already happened.

The SANS Institute describes six major steps during incident response and gives a general overview of what to do during a response. The following six steps should be included in an incident response plan:

1. Preparation: Establishing and maintaining an incident response plan, selecting and training an incident response team, and procuring and setting up necessary tools and resources. Proper preparation ensures the organisation can respond swiftly and effectively when an incident occurs.
2. Identification: Knowing that an incident occurred requires proper monitoring and analysis. Subsequently, identifying the incident involves investigation into logs, audit trails, errors, authentication information, and firewall reports.
3. Containment: Quick containment of an attacker is critical. A good incident response team will stop the threat from persisting. It’s not unusual for a persistent attacker to have multiple backdoors in case of detection. Swift threat detection leads to more effective containment, making the attacker less likely to create additional backdoors. Containment is often in two phases:
   1. Short-term containment: Immediate actions to quickly limit the spread and impact, like isolating the affected network segment.
   2. Long-term containment: More permanent solutions that ensure the threat can’t expand or persist.
4. Eradication: Eradication completely removes a threat from the environment. Fast containment and eradication reduce the degree of damage and data theft. Eradication is a delicate procedure that eliminates the threat but avoids compromising the production environment to preserve productivity.
5. Recovery: After the threat is removed, the organisation might need to recover data and make changes to the system to resume a normal state. The execution of this step could be lengthy for significant changes such as data recovery after its destruction. Testing may be necessary after cybersecurity incidents to ensure that the production environment is free from the vulnerability.
6. Lessons learned: Without reviewing what went wrong, the same mistakes will likely occur. Lessons learned reflect improvements during incident response and are required to ensure that the same attack is unsuccessful.

Organisations often rely on various tools and technologies to support incident response, including Security Information and Event Management (SIEM) systems, intrusion detection systems (IDS), and other specialised platforms.

A cybersecurity incident can cost organisations millions in discovery, containment, and the legal aftermath of losing records to an attacker. Effective incident management reduces both the time an attacker persists on the network and the number of future incidents. Numerous prominent companies have handled incident response poorly, and it’s caused them legal reparations, fines, and additional government regulation.

In addition to minimising damages, costs, and recovery time associated with a cyber-attack, incident response is vital in ensuring business continuity in the wake of a security crisis, such as a data breach. An incident response plan also provides invaluable support for successful litigation, audit documentation, and historical knowledge to feed into the risk assessment process. With proper incident response in place, organisations can improve their security posture by identifying areas for improvement and developing stronger security methods to prevent similar incidents in the future.

An incident response plan is a documented, systematic process that defines how an organisation should manage a cybersecurity incident. It’s a set of instructions to help teams detect, respond to, and recover from network security incidents. An incident response plan is an organisation’s playbook for specific incident scenarios and documentation that details which threats, exploits, and situations qualify as actionable security incidents and what to do when they occur.

Key components of an incident response plan include:

• Forming an incident response team and determining the roles and responsibilities for completing response activities.
• Identifying and setting up the necessary tools and resources to detect and respond to incidents.
• Recognising the signs of an incident and distinguishing between an actual incident and a false alarm.
• Outlining short- and long-term measures to ensure the threat does not return or spread while addressing the root cause.
• Documenting specific actions required at each stage of the incident response process and logging all relevant incident data for further analysis.
• Listing the steps for resolving security incidents, restoring systems to normal operations, investigating the primary cause, and communicating the event to all concerned parties.
• Modifying the incident response plan based on what was learned from the incident to handle future threats more effectively.

The incident response plan should be simple enough for the team to understand and take the required actions under the pressure of an actual cyber-attack.

An incident response team is critical during a data breach. The team can reduce and contain the damage faster than staff unfamiliar with threat response. The longer an attacker persists on a network, the more complex the response is due to increased malware and backdoors left by the attacker. The team comprises IT professionals and security experts familiar with how attackers work.

As the name suggests, an incident response team is responsible for cleaning up and securing the network environment after a successful attack. A computer incident response team (CIRT) can comprise several key organisational stakeholders or be outsourced to a professional agency. They usually involve IT staff, including database administrators, operations people, and developers. Several potential incident response members are highlighted below:

• Key management: Management is the only group of people who can make decisions during a response. They may allow access to network resources or make changes to the production environment.
• IT auditors: Auditors ensure that procedures are followed pre-incident, but they also help identify what went wrong and how to stop an attack in the future.
• Information Security: IS staff helps identify the exploit and if the vulnerability exists. They can also advise IT staff on future information security protocols and procedures.
• Attorneys: Attorneys advise the organisation on taking the proper steps to avoid legal liability.
• Human resources: For insider threats, HR staff advises on handling employee issues.
• Public relations: Should the data breach require an announcement to customers, a PR team will create the communication necessary to inform the general public about the incident.
• Financial auditor: A financial auditor will assess and determine the monetary fallout for organisations.

Incident response also involves leveraging specific technology to detect incidents. Here are some of the most commonly used incident response technologies:

• Security Information and Event Management (SIEM): These technologies help detect potential threats and provide actionable intelligence to aid in incident response.
• Security Orchestration, Automation, and Response (SOAR): SOAR tools automate incident response workflows, such as gathering and correlating security data, detecting incidents in real-time, and responding to in-progress attacks.
• Intrusion Detection Systems (IDS): IDS monitor network traffic or system activities for malicious actions or policy violations. They can be network-based to monitor traffic or host-based to oversee individual system activities.
• Endpoint Detection and Response (EDR): EDR solutions monitor endpoints for suspicious activity and provide real-time alerts to help incident response.
• Network Traffic Analysis (NTA): NTA tools monitor network traffic for suspicious activity and provide real-time alerts to aid in incident response.
• Deception technology: This involves deploying decoys like honeypots within the network. These decoys mimic real assets to trap and study attackers, providing insights into their techniques and tools without risking genuine assets.
• Vulnerability scanners: Vulnerability scanners help identify vulnerabilities in an organisation’s systems and applications, which helps incident response by identifying potential attack vectors.
• Forensic tools: Forensic technologies help incident response teams investigate incidents by analysing system logs, memory dumps, and other data to identify the incident’s root cause.

These technologies are used with incident response processes and frameworks to detect and respond to cyber threats and security incidents.

Security incidents encompass a wide range of malicious activities that can compromise an organisation’s information integrity, confidentiality, or availability. Recognising the types of incidents is crucial for formulating an appropriate response. Here are common types of security incidents and a brief description of each:

• Malware infections: This includes viruses, trojans, worms, ransomware, and spyware. These malicious software variants infiltrate, damage, or exploit systems and data, sometimes holding information hostage until a ransom is paid.
• Phishing attacks: Cyber attackers use deceptive emails, messages, or websites that impersonate legitimate entities to trick individuals into revealing sensitive information, such as login credentials or financial details.
• Distributed Denial of Service (DDoS) attacks: Attackers flood a system, server, or network resource with traffic, overwhelming it so it’s unavailable to users. DDoS attacks involve multiple compromised systems targeting a single system.
• Unauthorised access: When someone gains unauthorised access to a system, network, or data, often by exploiting vulnerabilities or using stolen credentials.
• Insider threats: Malicious actions performed by individuals within the organisation, such as employees, contractors, or business associates. These individuals have inside information concerning the organisation’s security practices, data, and computer systems.
• Data breaches: Incidents where unauthorised individuals copy, transmit, view, steal, or use sensitive, protected, or confidential data. This can include personal data, intellectual property, or financial information.
• Misconfiguration: Inadvertent mistakes in configuring security settings, databases, cloud services, or network devices, which can expose sensitive information or create vulnerabilities that attackers can exploit.
• Physical theft or loss: This involves physically stealing devices like laptops, smartphones, or storage media containing sensitive data. It also includes situations where such devices are lost and possibly found by individuals with malicious intent.
• Privilege escalation: Incidents where attackers gain elevated access to resources that are typically restricted, allowing them to control systems or data they shouldn’t access.
• Social engineering: Manipulative tactics used by attackers to deceive and convince individuals to divulge confidential information or perform actions that compromise security.
• Man-in-the-Middle (MitM) attacks: Attackers secretly intercept and relay communication between two parties. They can eavesdrop or manipulate the data to mislead the parties involved.

Identifying the type of incident is the first step in the incident response process. Each incident type might necessitate a distinct approach, but understanding the nature of the threat helps teams craft the most effective countermeasures.

Ideally, an organisation never faces a cybersecurity incident. While no cyber-defences are 100% secure, an organisation can take necessary precautions to avoid becoming a targeted victim. All administrators understand the basics: A firewall protects from outside traffic, identity management and access controls prevent threats and unauthorised access, and physical security safeguards assets. What some administrators fail to implement is monitoring and intrusion detection.

Network monitoring, cloud security monitoring, and intrusion detection alert administrators to a potential attack. The alert typically goes to an analyst for further review to avoid false positives. Too many false positives lead to analyst exhaustion, meaning the many false positive alerts could detract from a potential genuine threat. Monitoring should be as precise as possible so that analysts can handle a breach as quickly as possible.

Intrusion detection tools are a component of monitoring. Monitoring tools log incidents, and intrusion detection with artificial intelligence determines if an attack is occurring. If the intrusion is persistent, an attacker could access the network for months. Attackers will sometimes exfiltrate data slowly to avoid detection, so it’s important to keep monitoring sensitive data based on benchmark access requests and any unusual authorisation attempts.

Even when armed with the right prevention tool, organisations should review an incident response plan annually to ensure it contains accurate documentation and information. An incident response plan is critical for the company’s success, and it can save millions in legal fees, reparations to customers, and data loss.

At the core of incident response solutions, Proofpoint’s Threat Response is a security orchestration, automation, and response (SOAR) platform that helps organisations respond faster and more efficiently to the dynamic threat landscape. Threat Response collects alerts from various sources and automatically enriches and groups them into incidents in seconds.

The platform surrounds security alerts with rich contextual data to help security teams understand the “who, what, and where” of attacks, prioritise and quickly triage incoming events, and automate workflows and response actions such as quarantine and containment actions across security infrastructure. Threat Response also provides forensic collection and IOC verification, helping analysts take push-button response actions, identifying areas for additional investigations, or turning on automated response.

Organisations rely on Threat Response to close the gap between threat detection and rapid response by providing deep contextual data for each incident, as well as supporting a variety of network enforcement options. It’s a vital asset that helps incident response teams detect and respond to cyber threats and security incidents faster and reduce the lost revenue, regulatory fines, and other costs associated with these threats. Learn more about Threat Response or get in touch by contacting Proofpoint.