When faced with an external attack or data breach, an organization is helpless unless it has an incident response plan firmly in place. The goal of such a plan is to minimize the damage of an attack, meaning that the recovery effort should take as little time as possible and avoid unnecessary costs, which include more than just money. In fact, sometimes the greatest cost of a data breach is reputational damage and the erosion of customer trust.
An incident response plan typically includes a list of processes that must be completed when a breach occurs and defines what activity actually constitutes a security incident. It also determines who is responsible for carrying out these processes. This team, usually called a cyber incident response team (CIRT), consists of security and IT professionals as well as members of the human resources, public relations and legal departments. Such a wide range of talent is necessary because, in addition to securing the technology environment, the incident response team must advise executives and communicate effectively with the public.
Six Steps to Continuously Improve Your Incident Response Strategy
The SANS Institute developed a six-step framework to help organizations respond to security incidents, from the initial discovery of a breach to post-incident investigations.
- The first step is Preparation, which covers establishing and applying security policies, defining a detailed response strategy, determining who serves on the CIRT and developing the necessary tools.
- Next is Identification and Scoping, which is where incidents are detected. Prompt discovery makes it easier to control the damage and costs that result from a breach. This is usually performed by IT employees, who use log files, error messages and monitoring tools to determine how, where and when the incident occurred. Dwell time — the time between an incident’s discovery and its remediation — may vary across organizations in different locations. Since prompt identification is vital to a positive outcome, companies located in disparate global regions may need to factor this in when designing their incident response plans.
- The Containment/Intelligence Gathering phase focuses on stopping the threat to prevent future damage and preserving any evidence that may prove useful in a potential legal prosecution. This step also includes system backup and the short- and long-term containment measures outlined during the Preparation phase.
- The bulk of the Eradication/Remediation step centers on removing the actual threat from the network and restoring the system to its pre-incident state. This can be particularly challenging since data may have been lost during the incident. Any compromised credentials need to be reset at this point. Care must be taken to make sure the reset is effective and well-communicated to affected parties. After the eradication step, the system should be clear of the threat as well as any newly created files or code modifications.
- Recovery comes next. During this stage, the systems are put back into production and then monitored to make sure they are working properly. This phase also addresses dependencies across the system and verifies output using validation tools.
- The last step, Follow Up/Lessons Learned, may be the most important. The CIRT should double-check all the previous steps to confirm that they were executed correctly and itemize tasks for the next incident. Insights gleaned from a thorough review of what occurred during the incident response process can serve as CIRT training materials and comparison benchmarks for the future.
The Big Picture
While considering these individual incident response steps, it is crucial to examine how they function together as a whole. Each step has its own quirks and challenges, but the overall process should be flexible enough to influence a positive outcome.
Preparation before an incident occurs is critical to the security of any organization, but no amount of preparation can address every possible type of breach. CIRTs must be able to adapt to numerous variables during and after an attack. In addition, it may be necessary to repeat some of the steps described above once the process is complete to remove all traces of the threat.
How the entire cycle functions after all the phases are executed makes the difference between success or failure in an incident response plan. There will always be room for improvement, but this process can help organizations minimize the damage of a security breach and return to normal operations as quickly as possible.