What is incident response?

Incident response is the actions that an organization takes when it believes IT systems or data may have been breached. For example, security professionals will act if they see evidence of an unauthorized user, malware, or failure of security measures.

The goals of the response are to eliminate a cyberattack as quickly as possible, recover, notify any customers or government agencies as required by regional laws, and learn how to reduce the risk of a similar breach in the future.

How does incident response work?

Incident response typically starts when the security team gets a credible alert from a security information and event management (SIEM) system.

Team members need to verify that the event qualifies as an incident and then isolate infected systems and remove the threat. If the incident is severe or takes a long time to resolve, organizations may need to restore backup data, deal with a ransom, or notify customers that their data was compromised.

For this reason, people other than the cybersecurity team are typically involved in the response. Privacy experts, lawyers, and business decision makers will help determine the organization’s approach to an incident and its aftermath.

Types of security incidents

There are several ways that attackers try to access a company’s data or otherwise compromise its systems and business operations. Here are several of the most common:

Phishing

Phishing is a type of social engineering where an attacker uses email, text, or a phone call to impersonate a reputable brand or person. A typical phishing attack tries to persuade recipients to download malware or provide their password. These attacks exploit people’s trust and deploy psychological techniques like fear to get people to act. Many of these attacks are untargeted, going out to thousands of people in the hopes that just one responds. However, a more sophisticated version called spear phishing uses deep research to craft a message that is intended to be persuasive to a single individual.

Malware

Malware refers to any software that’s designed to harm a computer system or exfiltrate data. It comes in many different forms including viruses, ransomware, spyware, and trojan horses. Bad actors install malware by taking advantage of hardware and software vulnerabilities or by convincing an employee to do it using a social engineering technique.

Ransomware

In a ransomware attack, bad actors use malware to encrypt critical data and systems and then threaten to make the data public or destroy it if the victim doesn’t pay a ransom.

Denial of service

In a denial-of-service attack (or, when the traffic comes from many sources at once, a distributed denial-of-service or DDoS attack), a threat actor overwhelms a network or system with traffic until it slows or crashes. Typically, attackers target high-profile companies like banks or governments with the goal of costing them time and money, but organizations of all sizes can be victims of this type of attack.

Man in the middle

Another method that cybercriminals use to steal personal data is to insert themselves in the middle of an online conversation between people who believe they are communicating privately. By intercepting messages and copying them or changing them before sending them to the intended recipient, they try to manipulate one of the participants into giving them valuable data.

Insider threat

Although most attacks are conducted by people outside an organization, security teams also need to be on the lookout for insider threats. Employees and other people who legitimately have access to restricted resources may inadvertently or in some cases intentionally leak sensitive data.

Unauthorized access

Many security breaches start with stolen account credentials. Whether bad actors acquire passwords via a phishing campaign or by guessing a common password, once they gain access to a system they can install malware, do network reconnaissance, or escalate their privileges to gain access to more sensitive systems and data.

What is an incident response plan?

Responding to an incident requires a team to work together efficiently and effectively to eliminate the threat and satisfy regulatory requirements. In these high-stress situations, it’s easy to become flustered and make mistakes, which is why many companies develop an incident response plan. The plan defines roles and responsibilities and includes the steps needed to properly resolve, document, and communicate about an incident.

Importance of an incident response plan

A significant attack doesn’t just damage the operations of an organization, it also affects the business’s reputation among customers and the community, and it may have legal ramifications too. Everything, including how quickly the security team responds to the attack and how executives communicate about the incident, influences its overall cost.

Companies that hide the damage from customers and governments or who don’t take a threat seriously enough may run afoul of regulations. These types of mistakes are more common when participants don’t have a plan. In the heat of the moment, there’s a risk that people will make rash decisions driven by fear that wind up hurting the organization.

A well-thought-out plan lets people know what they should be doing at each phase of an attack, so they don’t have to make it up on the fly. And after recovery, if there are questions from the public, the organization will be able to show exactly how it responded and give customers peace of mind that it took the incident seriously and implemented the steps necessary to prevent a worse outcome.

Incident response steps

There’s more than one way to approach incident response, and many organizations rely on a security standards organization to guide their approach. SysAdmin, Audit, Network, Security (SANS) is a private organization that offers a six-step response framework, which is outlined below. Many organizations also adopt the National Institute of Standards and Technology (NIST) incident recovery framework.

What is an incident response team?

An incident response team, which is also called a computer security incident response team (CSIRT), a cyber incident response team (CIRT), or a computer emergency response team (CERT), includes a cross-functional group of people in the organization who are responsible for executing the incident response plan. This includes not only the people who remove the threat but also those who make business or legal decisions related to an incident. A typical team includes the following members:

An incident response team may be a subset of a security operations center (SOC), which handles security operations beyond incident response.

Incident response automation

In most organizations, networks and security solutions generate far more security alerts than the incident response team can realistically manage. To help it focus on legitimate threats, many businesses implement incident response automation. Automation uses AI and machine learning to triage alerts, identify incidents, and root out threats by executing a response playbook based on programmatic scripts.
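To make the triage step concrete, here is a small alert-scoring and playbook-selection routine in the style of a SOAR rule. It is an added example, not code from the original page or from any vendor product; the alert fields, asset inventory, severity table, and thresholds are constructed assumptions, and it ties the automation described here back to the verify, isolate, remove, and notify steps described earlier.

```python
"""Alert triage and playbook selection, in the style of a SOAR rule.
Added example, not from the original page; the alert fields, asset
inventory, severity table, and thresholds are constructed assumptions."""
from dataclasses import dataclass, field

# Constructed asset inventory: criticality 1 (low) to 3 (business critical).
ASSET_CRITICALITY = {"db-prod-01": 3, "fileshare-02": 2, "kiosk-lobby": 1}

# Constructed mapping from detection category to base severity.
BASE_SEVERITY = {"malware": 3, "phishing_click": 2, "failed_logins": 1, "info": 0}

@dataclass
class Alert:
    host: str
    category: str
    count: int = 1              # how many times the detector fired
    corroborated: bool = False  # a second, independent source agrees

@dataclass
class TriageResult:
    is_incident: bool
    priority: int
    actions: list = field(default_factory=list)

def triage(alert: Alert) -> TriageResult:
    """Score an alert and decide whether it qualifies as an incident.
    Priority = base severity x asset criticality, plus 1 if corroborated."""
    base = BASE_SEVERITY.get(alert.category, 0)
    crit = ASSET_CRITICALITY.get(alert.host, 1)
    priority = base * crit + (1 if alert.corroborated else 0)
    # Repeated low-severity events (e.g. failed logins) escalate past a threshold.
    if alert.category == "failed_logins" and alert.count >= 50:
        priority += 2
    if priority < 3:
        # Below threshold: record it, but do not open an incident.
        return TriageResult(False, priority, ["log_and_close"])
    # Every incident starts with human verification and evidence collection.
    actions = ["verify_with_analyst", "collect_evidence"]
    if priority >= 6:
        actions += ["isolate_host", "remove_threat"]
    if alert.category == "phishing_click":
        actions.append("reset_credentials")
    if crit == 3:
        actions.append("notify_incident_commander")
    return TriageResult(True, priority, actions)
```

In a real deployment the inventory and severity table would come from the asset register and detection rules rather than being hard-coded, and the returned actions would be dispatched to the playbook engine.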

Security orchestration, automation, and response (SOAR) is a category of security tools that businesses use to automate incident response. These solutions offer the following capabilities:

How to implement an incident response plan

Developing an incident response plan may seem daunting, but it can significantly reduce the risk that your business will be unprepared during a major incident. Here’s how to get started:

Identify and prioritize assets

The first step in an incident response plan is knowing what you’re protecting. Document your organization’s critical data, including where it lives and its level of importance to the business.

Determine potential risks

Every organization has different risks. Become familiar with your organization’s greatest vulnerabilities and evaluate the ways an attacker could exploit them.

Develop response procedures

During a stressful incident, clear procedures will go a long way toward making sure the incident is addressed quickly and effectively. Start by defining what qualifies as an incident and then determine the steps your team should take to detect, isolate, and recover from the incident, including procedures for documenting decisions and collecting evidence.

Create an incident response team

Build a cross-functional team that is responsible for understanding the response procedures and mobilizing if there’s an incident. Be sure to clearly define roles and account for nontechnical roles that can help make decisions related to communication and liability. Include someone on the executive team who will be an advocate for the team and its needs at the highest levels of the company.

Define your communication plan

A communication plan will take the guesswork out of when and how to tell others inside and outside the organization what’s happening. Think through various scenarios to help you determine under what circumstances you need to inform executives, the entire organization, customers, and the media or other external stakeholders.

Train employees

Bad actors target employees at all levels of the organization, which is why it’s so important that everyone understands your response plan and knows what to do if they suspect that they’ve been the victim of an attack. Periodically, test your employees to confirm they can recognize phishing emails and make it easy for them to notify the incident response team if they accidentally click on a bad link or open an infected attachment.