What Is Incident Response? 6 Steps for an Effective IR Plan

At a basic level, incident response is the way a company responds to and manages a cyberattack. Having a solid and comprehensive incident response plan in place is not just important, but mission critical for organizations in 2021. Ransomware attacks are on the rise — up by 62% worldwide and 162% in North America alone when comparing 2020 to 2019. Companies need to be prepared to defend against, contain, and control any incoming threat. This article explains how to create a comprehensive and effective incident response plan, from building a team with key stakeholders, through breach management, to the post-mortems that drive ongoing improvement and refinement of the plan.

What Is Incident Response?

Incident response is the term used to encompass the many steps that an organization takes regarding a data breach — from preparation and detection through containment and recovery. Prevention guidance is useful, but every business still needs an incident response team and plan in place for the event that an attacker executes a successful data breach and gains access to privileged company systems, data, and information.

Why Is Incident Response Important?

Cyberattacks in 2020 alone caused an estimated loss of $4 billion in the United States. Companies need to be ready for an attack, and lack of preparation can lead to a slow or inadequate incident response that ends up being very bad for business. Faulty, late, or mismanaged incident response can not only lead to a loss in revenue, but can also create issues that significantly hurt a company’s culture and reputation, often leading to brand management concerns and customer losses. A recent survey revealed that if customers and employees have their personal data stolen as a result of a company’s data breach, 85% will tell others about the experience and 33% will complain about it on social media. To avoid this, companies of all sizes need a solid incident response plan in place.

Who Handles Incident Responses?

Incident response is typically handled by an organization’s Computer Incident Response Team (CIRT). The team — sometimes known as the Cyber Incident Response Team — is usually composed of experts from senior management, general IT staff, security team personnel, and members of the legal, human resources, and public relations departments. The CIRT is responsible for responding to any data breach, virus, or other incident that poses a security risk. It should include technical experts who can deal with specific threats, as well as generalists who can guide executives on the organization’s recommended next steps for communicating about the data breach outside the company. If an organization does not have an internal incident response team, it should have arrangements in place with a third party that specializes in incident response.

How to Develop an Incident Response Plan?

What is incident response at the most fundamental level? A thorough and detailed incident response plan. This includes defining the CIRT’s structure and planning for how it will handle cyberattacks, followed by the creation of a detailed outline of how to proceed when a data breach occurs. The best way to develop your organization’s plan is to determine who will be on the CIRT, and then talk through the group’s next steps and response phases to make sure the team has all the tools it needs. Do a thorough assessment of risk exposure, and fill in any support or technology gaps before you get started.

Six Steps for an Effective Incident Response Plan

Industry standards recommend six key phases for an effective and thorough response to a data breach. If you’re still wondering, “what is incident response and how do I plan for it?” — best-practice guidance starts with forming a response team and ends with a constantly updated plan. The plan should be treated as a living document that is revised as new threats are encountered and new responses are accounted for. The six steps take an organization from foundational preparation through real-time response and into post-mortems, so that the team’s incident response capabilities continue to evolve and strengthen.

Step 1: Preparation

Preparation is the most important phase of incident response, as companies must be ready for an inevitable security breach that can come from a wide range of threats. Preparation helps organizations understand what their CIRT’s response capabilities are. It should cover company policy, response planning, routine testing, internal and external communication plans, and documentation capabilities. This phase also determines who the CIRT members will be, and outlines the appropriate access controls for team members, plus the required tools and training.

Step 2: Identification

In the Identification phase, the IT security team identifies a breach and quickly enables a focused response. Breaches are detected through multiple threat intelligence streams, intrusion detection systems, and firewalls. IT staff also gathers event information from log files, monitoring tools, and error messages to determine the affected systems and the full scope of the intrusion.

Step 3: Containment

After Identification, Containment is the top priority: fully stop the breach and prevent further exposure. This phase can usually be accomplished by taking the impacted sub-networks offline and using system backups to maintain operations. Companies should remain in a state of emergency until the data breach is completely contained. Key to this phase is preserving information, so that evidence which may be needed later for prosecution is not destroyed if the culprits are caught. The Containment phase includes short-term containment, system backup, and long-term containment.

Step 4: Eradication

The Eradication phase of incident response involves removing the threat and restoring affected systems to their pre-attack state while simultaneously minimizing data loss. The threat is completely neutralized and removed from internal systems, restoring them to as close to their previous state as possible. Secondary monitoring is used here to confirm that no lingering threat or attack remains in the system.

Step 5: Recovery

During Recovery, security teams validate that all impacted systems are no longer compromised. Testing, monitoring, and validating affected systems as they are brought back online and into production is necessary to verify that they are not still compromised or re-infected. The CIRT then supervises system behavior. Teams typically establish timelines in this phase, determining when systems will be fully operational again. At this point in recovery, it’s often possible to calculate the cost of the data breach — excluding, of course, the secondary impacts of longer-term customer response and reputation management.

Step 6: Lessons Learned

This phase of incident response is all about future-proofing. Reviewing lessons learned allows a team to understand the overall cause and update the incident response plan with the details needed to ensure a similar attack does not succeed again. The resulting reviews and reports give teams a full understanding of the entire incident and can be used in post-mortems, recap meetings with or without senior management, as training materials for new team members, or as data points for comparison with other incident response protocols. Reviewing lessons learned is the best way to ensure that your company is updating and adhering to best practices in incident response.

Start Preventing Incidents Before You Need a Response

So, what is incident response? In essence, it’s your company’s best early protection and defense against a cyberattack and data breach. Having a proper plan in place helps prevent incidents before they happen. Having the right technology — like AuditBoard’s risk management software — will assist you throughout this process.