January 29, 2018 By Larry Loeb 3 min read

When faced with an external attack or data breach, an organization is helpless unless it has an incident response plan firmly in place. The goal of such a plan is to minimize the damage of an attack, meaning that the recovery effort should take as little time as possible and avoid unnecessary costs, which include more than just money. In fact, sometimes the greatest cost of a data breach is reputational damage and the erosion of customer trust.

An incident response plan typically includes a list of processes that must be completed when a breach occurs and defines what activity actually constitutes a security incident. It also determines who is responsible for carrying out these processes. This team, usually called a cyber incident response team (CIRT), consists of security and IT professionals as well as members of the human resources, public relations and legal departments. Such a wide range of talent is necessary because, in addition to securing the technology environment, the incident response team must advise executives and communicate effectively with the public.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

Six Steps to Continuously Improve Your Incident Response Strategy

The SANS Institute developed a six-step framework to help organizations respond to security incidents, from the initial discovery of a breach to post-incident investigations.

  1. The first step is Preparation, which covers establishing and applying security policies, defining a detailed response strategy, determining who serves on the CIRT and developing the necessary tools.
  2. Next is Identification and Scoping, which is where incidents are detected. Prompt discovery makes it easier to control the damage and costs that result from a breach. This is usually performed by IT employees, who use log files, error messages and monitoring tools to determine how, where and when the incident occurred. Dwell time — the time between an incident’s discovery and its remediation — may vary across organizations in different locations. Since prompt identification is vital to a positive outcome, companies located in disparate global regions may need to factor this in when designing their incident response plans.
  3. The Containment/Intelligence Gathering phase focuses on stopping the threat to prevent future damage and preserving any evidence that may prove useful in a potential legal prosecution. This step also includes system backup and the short- and long-term containment measures outlined during the Preparation phase.
  4. The bulk of the Eradication/Remediation step centers on removing the actual threat from the network and restoring the system to its pre-incident state. This can be particularly challenging since data may have been lost during the incident. Any compromised credentials need to be reset at this point. Care must be taken to make sure the reset is effective and well-communicated to affected parties. After the eradication step, the system should be clear of the threat as well as any newly created files or code modifications.
  5. Recovery comes next. During this stage, the systems are put back into production and then monitored to make sure they are working properly. This phase also addresses dependencies across the system and verifies output using validation tools.
  6. The last step, Follow Up/Lessons Learned, may be the most important. The CIRT should double-check all the previous steps to confirm that they were executed correctly and itemize tasks for the next incident. Insights gleaned from a thorough review of what occurred during the incident response process can serve as CIRT training materials and comparison benchmarks for the future.
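The six phases above are easier to operationalize when the plan's hand-off conditions are written down as checks rather than left to memory. The following is an added illustration, not code from IBM, SANS or the author: a small incident record that only allows moving to the next phase (or back to Identification when steps must be repeated), refuses to leave Containment until evidence has been preserved, refuses to enter Recovery while any compromised credential is still unreset, and computes dwell time using the article's own definition (discovery to remediation). The phase names, the choice of "remediation" as the moment Recovery begins, and the timestamps and account names in `run_example` are assumptions constructed for the example.

```python
"""Incident record enforcing the SANS six-phase order with a few hand-off checks.
Added illustration for this article; not IBM's, SANS's or the author's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import IntEnum


class Phase(IntEnum):
    PREPARATION = 1
    IDENTIFICATION = 2
    CONTAINMENT = 3
    ERADICATION = 4
    RECOVERY = 5
    LESSONS_LEARNED = 6


class PhaseError(RuntimeError):
    """Raised when a hand-off precondition for the next phase is not met."""


@dataclass
class Incident:
    incident_id: str
    phase: Phase = Phase.PREPARATION
    timeline: list = field(default_factory=list)        # (datetime, Phase, note)
    evidence_preserved: bool = False                     # set during Containment
    compromised_accounts: set = field(default_factory=set)
    reset_accounts: set = field(default_factory=set)     # credentials reset in Eradication
    lessons: list = field(default_factory=list)          # tasks itemized for next time

    def note(self, when, text: str) -> None:
        self.timeline.append((when, self.phase, text))

    def advance(self, to: Phase, when, text: str = "") -> Phase:
        # Allowed moves: the next phase in order, or back to Identification to
        # repeat the cycle (the article notes some steps may need repeating).
        repeat = to == Phase.IDENTIFICATION and self.phase > to
        if to != self.phase + 1 and not repeat:
            raise PhaseError(f"cannot go from {self.phase.name} to {to.name}")
        if to == Phase.ERADICATION and not self.evidence_preserved:
            raise PhaseError("preserve evidence before leaving Containment")
        if to == Phase.RECOVERY:
            missing = self.compromised_accounts - self.reset_accounts
            if missing:
                raise PhaseError(f"credentials not yet reset: {sorted(missing)}")
        self.phase = to
        self.note(when, text or f"entered {to.name}")
        return self.phase

    def discovered_at(self):
        # First time the incident entered Identification.
        return next((t for t, p, _ in self.timeline if p == Phase.IDENTIFICATION), None)

    def remediated_at(self):
        # Assumption: remediation is complete when Recovery begins.
        return next((t for t, p, _ in self.timeline if p == Phase.RECOVERY), None)

    def dwell_time(self):
        # Article's definition: time between discovery and remediation.
        d, r = self.discovered_at(), self.remediated_at()
        return (r - d) if d and r else None


def run_example() -> Incident:
    """Walk one constructed incident through all six phases."""
    t0 = datetime(2018, 1, 29, 9, 0)  # constructed timestamp
    inc = Incident("INC-0001")        # constructed identifier
    inc.note(t0, "CIRT roster and response runbook on file")
    inc.advance(Phase.IDENTIFICATION, t0 + timedelta(hours=1), "alert from log monitoring")
    inc.compromised_accounts.update({"svc-backup", "jdoe"})  # constructed account names
    inc.advance(Phase.CONTAINMENT, t0 + timedelta(hours=2), "affected host isolated")
    inc.evidence_preserved = True
    inc.note(t0 + timedelta(hours=3), "disk image and logs hashed and stored")
    inc.advance(Phase.ERADICATION, t0 + timedelta(hours=4))
    inc.reset_accounts.update({"svc-backup", "jdoe"})
    inc.advance(Phase.RECOVERY, t0 + timedelta(hours=8), "systems returned to production")
    inc.advance(Phase.LESSONS_LEARNED, t0 + timedelta(days=2))
    inc.lessons.append("shorten the log-review interval")
    return inc


if __name__ == "__main__":
    incident = run_example()
    for when, phase, text in incident.timeline:
        print(f"{when:%Y-%m-%d %H:%M}  {phase.name:<16} {text}")
    print("dwell time:", incident.dwell_time())
```

Running the module prints the timeline and a dwell time of seven hours for the constructed incident; calling `advance` out of order, or before the evidence and credential-reset conditions are satisfied, raises `PhaseError`, which is the point at which a real plan would require a documented sign-off.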

The Big Picture

While considering these individual incident response steps, it is crucial to examine how they function together as a whole. Each step has its own quirks and challenges, but the overall process should be flexible enough to steer the response toward a positive outcome.

Preparation before an incident occurs is critical to the security of any organization, but no amount of preparation can address every possible type of breach. CIRTs must be able to adapt to numerous variables during and after an attack. In addition, it may be necessary to repeat some of the steps described above once the process is complete to remove all traces of the threat.

How the entire cycle functions after all the phases are executed makes the difference between success and failure in an incident response plan. There will always be room for improvement, but this process can help organizations minimize the damage of a security breach and return to normal operations as quickly as possible.

