January 29, 2018 By Larry Loeb 3 min read

When faced with an external attack or data breach, an organization is helpless unless it has an incident response plan firmly in place. The goal of such a plan is to minimize the damage of an attack, meaning that the recovery effort should take as little time as possible and avoid unnecessary costs, which include more than just money. In fact, sometimes the greatest cost of a data breach is reputational damage and the erosion of customer trust.

An incident response plan typically includes a list of processes that must be completed when a breach occurs and defines what activity actually constitutes a security incident. It also determines who is responsible for carrying out these processes. This team, usually called a cyber incident response team (CIRT), consists of security and IT professionals as well as members of the human resources, public relations and legal departments. Such a wide range of talent is necessary because, in addition to securing the technology environment, the incident response team must advise executives and communicate effectively with the public.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

Six Steps to Continuously Improve Your Incident Response Strategy

The SANS Institute developed a six-step framework to help organizations respond to security incidents, from the initial discovery of a breach to post-incident investigations.

  1. The first step is Preparation, which covers establishing and applying security policies, defining a detailed response strategy, determining who serves on the CIRT and developing the necessary tools.
  2. Next is Identification and Scoping, which is where incidents are detected. Prompt discovery makes it easier to control the damage and costs that result from a breach. This is usually performed by IT employees, who use log files, error messages and monitoring tools to determine how, where and when the incident occurred. Dwell time — the time between an incident’s discovery and its remediation — may vary across organizations in different locations. Since prompt identification is vital to a positive outcome, companies located in disparate global regions may need to factor this in when designing their incident response plans.
  3. The Containment/Intelligence Gathering phase focuses on stopping the threat to prevent future damage and preserving any evidence that may prove useful in a potential legal prosecution. This step also includes system backup and the short- and long-term containment measures outlined during the Preparation phase.
  4. The bulk of the Eradication/Remediation step centers on removing the actual threat from the network and restoring the system to its pre-incident state. This can be particularly challenging since data may have been lost during the incident. Any compromised credentials need to be reset at this point. Care must be taken to make sure the reset is effective and well-communicated to affected parties. After the eradication step, the system should be clear of the threat as well as any newly created files or code modifications.
  5. Recovery comes next. During this stage, the systems are put back into production and then monitored to make sure they are working properly. This phase also addresses dependencies across the system and verifies output using validation tools.
  6. The last step, Follow Up/Lessons Learned, may be the most important. The CIRT should double-check all the previous steps to confirm that they were executed correctly and itemize tasks for the next incident. Insights gleaned from a thorough review of what occurred during the incident response process can serve as CIRT training materials and comparison benchmarks for the future.

The Big Picture

While considering these individual incident response steps, it is crucial to examine how they function together as a whole. Each step has its own quirks and challenges, but the overall process should be flexible enough to influence a positive outcome.

Preparation before an incident occurs is critical to the security of any organization, but no amount of preparation can address every possible type of breach. CIRTs must be able to adapt to numerous variables during and after an attack. In addition, it may be necessary to repeat some of the steps described above once the process is complete to remove all traces of the threat.

How the entire cycle functions after all the phases are executed makes the difference between success or failure in an incident response plan. There will always be room for improvement, but this process can help organizations minimize the damage of a security breach and return to normal operations as quickly as possible.

Listen to the podcast: Get Smarter About Disaster Response — Five Resolutions for 2018

More from Incident Response

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today