Creating an incident response plan is mission-critical for modern organizations. As threat actors continuously evolve their attack methodologies, organizations need the people, processes, and technologies that allow them to rapidly respond to a security incident.

According to research, attacks have increased by 15% since 2019. To be cyber resilient, organizations need to ensure that they create consistent incident response programs that allow them to rapidly investigate and respond to potential and actual attacks. By understanding what incident response is, companies can begin to mature their security postures effectively.

What is Incident Response (IR)?

Incident response is a complex set of activities for managing security incidents with policies, processes, and procedures that include:

• Detection

• Investigation

• Containment

• Remediation

• Recovery

What are the steps involved in incident response?

Since incident response is a way to create repeatable, consistent processes, the first thing to do is decide on a framework. You can follow the steps set out in the National Institute of Standard and Technology “Computer Security Incident Handling Guide” which takes a four-step approach. On the other hand, you might choose to follow the best practices set out by the SANS Institute “Incident Handler’s Handbook” which has six steps.

Although NIST might seem shorter, it really just consolidates containment, eradication, and recovery into one step while SANS leaves them separate.

Preparation

During the preparation stage, think like a cybercriminal and figure out the high-value targets that you have. Look at all your high-risk data, applications, users, devices, networks, and systems and figure out if you were looking to attack what you would go after..

Another thing you should take into consideration is other attack scenarios, including credential theft, Distributed Denial of Service (DDoS), and ransomware.

Identification/Detection

This is often the most difficult step for a few reasons. First, your security team needs to be able to detect abnormal activity in your environment. For example, to detect a brute force attack, they need to have alerts indicating failed login attempts within a certain time frame. To reduce the impact of the threat, your security team needs to be able to investigate the security incident fast so they can contain the threat and keep it doing additional damage.

Containment

If the security team finds a real threat, they need to limit the impact by containing the threat to prevent further damage. In addtion, they need to remediate any security vulnerabilities, locate the threat actor, and find a way to prevent additional damage.

Companies need to consider the two types of containment activities:

• Short term: rapid responses, like isolating network segments, shutting down systems, or taking servers offline

• Long term: preventing lateral movement within systems and networks, like eliminating back doors, deleting accounts, or patching software

Eradication

Eradication is a complete destruction of something. In this step the security team removes anything the attacker used to transmite the attack and restores any systems that were affected.

As part of eradication, companies might take the following steps:

• Malaware deletion

• Vulnerability remediation

• System hardening

• File deletions

Recovery

Once any remains of the attack have been removed, the recovery phase is responsible for testing the impacted systems, sets monitors in place to find any remaining threat, and makes sure that what happened doesn’t occur again and further compromise the system.

Lessons Learned

Once your team recovers from the incident, it should be able to provide a report as to what worked and what didn’t to prevent and recover from the attack. In addition, they need to provide you with action steps to prevent any further events of the same nature.

The team should be monitoring the systems on a continuous basis and implement improvement plans to keep up with the changing times. They should always be learning so they can continue to improve the company’s security posture.