January 29, 2018 By Larry Loeb 3 min read

When faced with an external attack or data breach, an organization is helpless unless it has an incident response plan firmly in place. The goal of such a plan is to minimize the damage of an attack, meaning that the recovery effort should take as little time as possible and avoid unnecessary costs, which include more than just money. In fact, sometimes the greatest cost of a data breach is reputational damage and the erosion of customer trust.

An incident response plan typically includes a list of processes that must be completed when a breach occurs and defines what activity actually constitutes a security incident. It also determines who is responsible for carrying out these processes. This team, usually called a cyber incident response team (CIRT), consists of security and IT professionals as well as members of the human resources, public relations and legal departments. Such a wide range of talent is necessary because, in addition to securing the technology environment, the incident response team must advise executives and communicate effectively with the public.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

Six Steps to Continuously Improve Your Incident Response Strategy

The SANS Institute developed a six-step framework to help organizations respond to security incidents, from the initial discovery of a breach to post-incident investigations.

  1. The first step is Preparation, which covers establishing and applying security policies, defining a detailed response strategy, determining who serves on the CIRT and developing the necessary tools.
  2. Next is Identification and Scoping, which is where incidents are detected. Prompt discovery makes it easier to control the damage and costs that result from a breach. This is usually performed by IT employees, who use log files, error messages and monitoring tools to determine how, where and when the incident occurred. Dwell time — the time between an incident’s discovery and its remediation — may vary across organizations in different locations. Since prompt identification is vital to a positive outcome, companies located in disparate global regions may need to factor this in when designing their incident response plans.
  3. The Containment/Intelligence Gathering phase focuses on stopping the threat to prevent future damage and preserving any evidence that may prove useful in a potential legal prosecution. This step also includes system backup and the short- and long-term containment measures outlined during the Preparation phase.
  4. The bulk of the Eradication/Remediation step centers on removing the actual threat from the network and restoring the system to its pre-incident state. This can be particularly challenging since data may have been lost during the incident. Any compromised credentials need to be reset at this point. Care must be taken to make sure the reset is effective and well-communicated to affected parties. After the eradication step, the system should be clear of the threat as well as any newly created files or code modifications.
  5. Recovery comes next. During this stage, the systems are put back into production and then monitored to make sure they are working properly. This phase also addresses dependencies across the system and verifies output using validation tools.
  6. The last step, Follow Up/Lessons Learned, may be the most important. The CIRT should double-check all the previous steps to confirm that they were executed correctly and itemize tasks for the next incident. Insights gleaned from a thorough review of what occurred during the incident response process can serve as CIRT training materials and comparison benchmarks for the future.

The Big Picture

While considering these individual incident response steps, it is crucial to examine how they function together as a whole. Each step has its own quirks and challenges, but the overall process should be flexible enough to influence a positive outcome.

Preparation before an incident occurs is critical to the security of any organization, but no amount of preparation can address every possible type of breach. CIRTs must be able to adapt to numerous variables during and after an attack. In addition, it may be necessary to repeat some of the steps described above once the process is complete to remove all traces of the threat.

How the entire cycle functions after all the phases are executed makes the difference between success or failure in an incident response plan. There will always be room for improvement, but this process can help organizations minimize the damage of a security breach and return to normal operations as quickly as possible.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

More from Incident Response

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today