Incident Response Defined
Incident response is the methodology an organization uses to respond to and manage a cyberattack. An attack or data breach can wreak havoc, potentially affecting customers, intellectual property, company time and resources, and brand value. Incident response aims to reduce this damage and recover as quickly as possible. Investigation is also a key component, so that the organization can learn from the attack and better prepare for the future. Because many companies today experience a breach at some point, a well-developed and repeatable incident response plan is the best way to protect your company.
Why is Incident Response Important?
As cyberattacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses. Poor incident response can alienate customers and trigger greater government regulation. Target's repeated failure to develop effective internal security infrastructure made its 2013 hack considerably worse. Equifax's decision not to share information with the public following its 2017 hack significantly hurt its brand. Effective incident response is critical, regardless of your industry.
Who is the Incident Response Team?
According to the SANS Institute, the company should look to its “Computer Incident Response Team (CIRT)” to lead incident response efforts. This team is composed of experts from upper-level management, IT, and information security, IT auditors when available, and any physical security staff who can help when an incident involves direct physical contact with company systems. Incident response should also be supported by HR, legal, and PR or communications.
Incident Response Plan – Six Steps
According to the SANS Institute, there are six key steps to a response plan:
Preparation: Developing policies and procedures to follow in the event of a cyber breach. This includes determining the exact composition of the response team and the triggers for alerting internal partners. Key to this process are effective training in responding to a breach and documentation that records the actions taken, for later review.
Identification: This is the process of detecting a breach and enabling a quick, focused response. IT security teams identify breaches using various threat intelligence feeds, intrusion detection systems, and firewalls. Threat intelligence is often poorly understood, but it is critical to protecting your company: threat intelligence professionals analyze current cyber threat trends and the common tactics used by specific groups, keeping your company one step ahead.
Containment: One of the first steps after identification is to contain the damage and prevent further penetration. This can be accomplished by taking specific sub-networks offline and relying on system backups to maintain operations. Your company will likely remain in a state of emergency until the breach is contained.
Eradication: This stage involves neutralizing the threat and restoring internal systems to as close to their previous state as possible. This can involve secondary monitoring to ensure that affected systems are no longer vulnerable to subsequent attack.
Recovery: Security teams need to validate that all affected systems are no longer compromised and can be returned to working condition. This also requires setting timelines to fully restore operations and continued monitoring for any abnormal network activity. At this stage, it becomes possible to calculate the cost of the breach and subsequent damage.
Lessons Learned: This is one of the most important and most often overlooked stages. During this stage, the incident response team and partners meet to determine how to improve future efforts. This can involve evaluating current policies and procedures, as well as specific decisions the team made during the incident. The final analysis should be condensed into a report and used for future training. Forcepoint can help your team analyze previous incidents and improve your response procedures. Protecting your organization requires a determined effort to constantly learn and harden your network against malicious actors.
Learn more by reading our blog post, "Data breach response plan: best practices in 2019."
Prevent Incidents Before You Need a Response
While cyberattacks can seem inevitable, and it is always a good idea for your organization to have an incident response plan, Forcepoint can also help prevent incidents from the inside. Forcepoint’s Insider Threat tool gives you visibility into potential threats to critical systems.