Incident response is an organization’s approach to handling a security breach or cyberattack and its consequences. The goal is to manage the situation in a way that reduces damage, limits recovery time and costs, and minimizes the impact to a company’s reputation.
As cyberattacks increase in sophistication and frequency, organizations must be prepared to act quickly and effectively when an attack strikes. The procedures in place — called an incident response plan (IRP) — help the organization detect, respond to and recover from security incidents. Without a plan, the consequences can be catastrophic: Organizations that lack a strong IRP suffer losses 2.8 times greater than their counterparts that have a plan, according to the Cyentia Institute. By 2021, the cost of breach-related damages is expected to top $6 trillion. Despite the high stakes, organizations today lag in incident response.
- 75% of companies do not have a formal, consistently applied plan in place.
- 57% say their response time to incidents has increased.
- 75% report difficulty hiring and retaining security staff to manage incidents.
To effectively respond to incidents, businesses need to develop and fine-tune an incident response plan. These procedures typically are the responsibility of a computer incident response team (CIRT), which is composed of security and IT staff as well as staff members from human resources, public relations and legal departments.
How incident response works
Every company needs an organized approach to addressing and managing the aftermath of a cyberattack or security breach. The IEEE Computer Society recommends six steps for handling incident response:
- Preparation. This is the most crucial step because it sets the tone for how well an organization’s CIRT responds to a crisis. The preparation phase should include developing and determining policies, response strategies, communication plans, documentation processes, CIRT membership, access controls, tools and training.
- Identification. This step determines when a security deviation should be considered an “incident.” Incident identification involves collecting evidence, determining incident priority and documenting any actions taken. During this step, the team should identify the appropriate time to contact stakeholders and relevant outside parties.
- Containment. Once an incident has been identified, it needs to be contained to prevent further damage. This step includes isolating affected parts of a network or disabling infected devices, as well as temporarily patching systems for use while affected systems or devices are being replaced with clean versions.
- Eradication. Eradicating threats involves the removal of any existing infections and eliminating remaining attackers. Teams should patch all exploited and new vulnerabilities. These should be applied to the clean copies of machine images and server configurations prepared during containment.
- Recovery. This phase brings systems and devices back into the production environment. As they’re being reactivated, they should be tested to ensure they’re no longer vulnerable. Staff should monitor these systems for an established period of time to ensure that attackers have been eliminated and to prevent reinfection.
- Lessons learned. It’s important to complete and review the documentation of the incident in order to learn from what happened. Lessons learned should cover when and how staff first detected the problem, the scope of the incident, containment and eradication steps, recovery work, affected areas and areas for improvement.
The benefits of modern incident response planning and solutions
While incident response teams aim to work quickly to mitigate the damage from a cyberattack, challenges sometimes arise that hinder their effectiveness. As threats grow in sophistication, it can be difficult to identify when an incident has occurred, especially when a security team dismisses unusual behavior patterns as a discrepancy. Data privacy laws — detailing specific notification requirements when a breach occurs — also constantly change, which makes it challenging for incident response teams to stay current.
Not all attacks originate from the outside — some come from perpetrators inside the organization. Disgruntled employees, contractors and staff who knowingly and unknowingly compromise security pose different challenges from external threats. Because these attacks can go undetected for a longer time, they have the potential to cause more damage.
Because security threats are constantly changing, the best plans and tools are frequently refined. In doing so, companies reap three benefits, according to the IEEE Computer Society.
- Simplification. A simple approach makes it easier for organizations to implement. Not only do the best tools eliminate confusion, they also avoid on-the-spot problem-solving that might happen during incident response.
- Preparation. Incident drills can uncover conflicting or missing instructions that may have been overlooked. This increases the confidence and speed with which the CIRT acts when a real incident occurs.
- Efficiency. Free templates and resources are available for organizations to help simplify planning. Organizations can incorporate their own existing policies wherever possible.
Incident response planning is a critical step for all businesses. This structured method of responding to security incidents, combined with available solutions, helps organizations reduce risk, improve recovery time and increase efficiency.