Incident Response Process
We live in a digital age, where cyberthreats are constantly evolving. Businesses across the globe have lost millions of dollars to ransomware attacks and data breaches. While you can’t stop the cyberthreats from evolving, you can certainly build and keep updating your cyber defenses.
One of the best ways to keep your business safe from cyberthreats is to create and implement an Incident Response (IR) plan. According to a recent survey, organizations with incident response teams and tested IR plans averaged data breach costs of $3.29 million in 2020, compared to $5.29 million for organizations with neither incident response teams nor tested IR plans. The bedrock of a successful IR plan is the Incident Response Process. You will need to know as much about it as possible to ensure round-the-clock protection for your business. Let’s see what an incident response process is and how it works.
A. What Is an Incident Response Process?
In a nutshell, an incident response process is a strategy comprising steps or procedures for identifying, analyzing, and addressing potential cybersecurity threats or incidents. It is a critical part of an Incident Response (IR) plan. The more detailed and carefully planned your incident response process is, the better your IR plan will be.
An incident response process offers the following benefits.
- It provides a firm foundation to design a robust IR plan, which, in turn, helps you build a reliable business continuity plan.
- An updated and well-planned incident response process can proactively protect your data.
- It can help protect your brand reputation and customer trust.
- It minimizes your unplanned downtime, which protects your business from a potential loss of revenue.
- It helps you comply with the increasingly stringent cybersecurity regulations.
Usually, a Computer Incident Response Team (CIRT), also known as a Cyber Incident Response Team, is tasked with handling an incident response.
B. Understanding the Incident Response Process
As the incident response process is business-specific, you can create it based on your business needs, IT environment, and budget. However, the incident response steps defined by NIST (National Institute of Standards and Technology) and SANS (SysAdmin, Audit, Network, and Security) have become industry standards.
At its core, a typical incident response process consists of the following steps.
1. Preparation for Handling an Incident Response
Before you even think about setting up the incident response process, you must first prepare a list of activities required to handle the incident response. Preparation ensures a swift and accurate response.
It includes the following steps.
a – Compile a List of All Your Assets
- Make a list of all your assets, such as applications, networks, databases, critical end-point devices, and other essential devices.
- Rank these assets by their level of importance to help you outline your response plan.
- Monitor the traffic levels for each asset to create a baseline for incident response.
b – Create a Policy
- Create a set of rules and procedures to ensure a swift and accurate incident response.
- Make sure the policy covers all elements of your incident response process.
c – Create a Communication Plan
- Your entire CIRT needs to know whom to contact during an emergency, when, and why.
- Create a contact list and keep it updated.
- Set communication rules with contingencies wherever necessary.
d – Create a Response Plan or Strategy
- Create a response plan or strategy that prioritizes incidents based on their potential impact.
- Determine which CIRT members will respond to the incident and how.
- Ensure the CIRT members have appropriate access during the emergency.
- Create an action plan to update or rescind access during the incident as and when required.
e – Build and Train a Computer Incident Response Team
- Create a CIRT to handle the incident.
- This team should include employees from different departments, including IT, legal, HR, production, marketing, and public relations, among others.
- Training is a must for your CIRT. You can use security event simulations for enhanced training.
- Also, make sure to provide them with the tools they would need during an incident.
f – Document Incident Response Actions
- Documentation is a critical but often overlooked step.
- It helps you preserve the evidence required to identify and prosecute the cybercriminals involved in the incident.
- It can also help you improve your IR plan in the future.
- Document every action and procedure taken during the incident.
2. Detection and Determination of an Incident
At this stage, your CIRT will need to identify and determine whether or not the anomaly is an incident. If it is, they can swing into action.
You can use the following tools or applications to detect an event.
- Intrusion Detection System (IDS)
- Enterprise-Grade Antivirus
- Enterprise-Grade Firewalls
- Security Information and Event Management (SIEM)
You can also hire a Managed Service Provider (MSP) who will identify an incident and alert your IT team.
Once you have identified an incident, you will need to analyze it immediately. The more thorough your analysis is, the more accurate your response will be.
- Collect all data and information you can on the incident.
- Analyze it using appropriate tools and human intervention.
- Determine where the incident began and its reach in your system.
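The traffic baseline from step 1a is what makes the detection in step 2 possible: an asset is flagged when its current activity deviates far from what was recorded during normal operation. The following is an added example, not code from the original article; the asset names, the hourly connection counts, and the three-standard-deviation threshold are constructed for illustration.

```python
import statistics
from dataclasses import dataclass

# Constructed sample: hourly outbound connection counts per asset recorded
# during normal operation. This is the baseline window from step 1a.
BASELINE_WINDOW = {
    "db-server-01": [120, 135, 128, 142, 130, 125, 138, 133],
    "web-server-01": [900, 950, 880, 1010, 970, 940, 990, 920],
}

@dataclass
class Finding:
    asset: str
    observed: int
    baseline_mean: float
    zscore: float

def build_baseline(samples):
    """Return {asset: (mean, stdev)} from historical counts (needs >= 2 samples each)."""
    return {asset: (statistics.mean(v), statistics.stdev(v)) for asset, v in samples.items()}

def check_observation(baseline, asset, observed, threshold=3.0):
    """Return a Finding when `observed` deviates more than `threshold` standard
    deviations from the asset's baseline, otherwise None. An asset missing from
    the inventory is always flagged: it points at a gap in the asset list."""
    if asset not in baseline:
        return Finding(asset, observed, 0.0, float("inf"))
    mean, stdev = baseline[asset]
    if stdev == 0:
        z = 0.0 if observed == mean else float("inf")
    else:
        z = (observed - mean) / stdev
    return Finding(asset, observed, mean, z) if abs(z) > threshold else None

def triage(baseline, observations, threshold=3.0):
    """Run every (asset, count) observation against the baseline; return the findings
    the CIRT should look at, sorted by how far each one is from normal."""
    findings = [check_observation(baseline, a, c, threshold) for a, c in observations]
    return sorted((f for f in findings if f), key=lambda f: -abs(f.zscore))

if __name__ == "__main__":
    base = build_baseline(BASELINE_WINDOW)
    for f in triage(base, [("db-server-01", 400), ("web-server-01", 955), ("nas-01", 12)]):
        print(f"{f.asset}: observed {f.observed}, baseline mean {f.baseline_mean:.1f}, z={f.zscore:.1f}")
```

A real deployment would feed the counts from the SIEM or IDS listed above; the statistics and the threshold are the part a team tunes per asset.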
3. Containment to Prevent Further Damage
At this stage, you already know what the issue is. Before addressing the incident, you first need to make sure it doesn’t cause more damage than it already has.
Depending on the type of incident, you can use different ways to contain the damage. For example, if the hackers are targeting a particular server, disconnecting it from the rest of your network can help limit the damage.
However, such containment measures won’t last long. You will need to
- Set up new firewall rules.
- Run forensics to capture images of the affected systems.
- Back up the data and applications.
- Remove any backdoors or traces left by attackers.
- Install patches.
These steps will ensure a long-lasting containment.
4. Eradication (Removal) of the Threat or Issue
As the title says, this step involves removing the threat and every trace of the attack from your network and IT environment. For example, if it’s malware, make sure to remove it from your network.
It typically involves:
- Reimaging hard drives completely.
- Installing patches to fix vulnerabilities.
- Enhancing cybersecurity measures such as firewall and antivirus configurations.
Depending on how serious the threat was, it may take a few days or even weeks to completely eradicate its effects.
5. Recovery and Restoration of Data, Devices, and Systems
As you have probably guessed, you will need to recover and restore the network after removing the threat. This step involves the following.
- Restoring devices or data from the secured backups.
- Rebuilding your network systems.
- Reinstalling applications, operating systems, and patches.
- Reconfiguring your hardware and accessories.
Furthermore, you will need to test, monitor, and validate the restored systems to prevent reinfection. Create a procedure to test and verify the restored systems. Also, set the duration for monitoring the restored systems before making them live.
6. Post-Incident Action Plan
Often overlooked, the post-incident action plan is a critical step in the incident response process. It is a thorough investigation and documentation of the entire incident.
It should answer the following questions.
- What caused the incident?
- How was the anomaly detected?
- How did the CIRT mitigate the damage?
- Who responded to the incident?
- How long did it take to contain the damage, eradicate the issue, and recover the system?
- What steps can you take to prevent a similar attack in the future?
Remember, the purpose of this step is to prevent such an incident from hitting your business network again. So, instead of pointing fingers, focus on creating a report that offers a step-by-step review of the entire incident.
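The questions above about who responded and how long containment, eradication, and recovery took can be answered directly from the incident handler's journal if each entry carries a timestamp, the handler's name, and a phase tag. The following is an added example, not code from the original article; the journal format, the handler names, and the timestamps are constructed for illustration.

```python
from datetime import datetime
import re

# Constructed incident handler's journal (not from a real incident). Each line:
# ISO-8601 timestamp | handler | phase tag | free-text note
JOURNAL = """\
2023-05-02T09:14:00Z | alice | DETECTED   | SIEM alert: unusual outbound traffic from db-server-01
2023-05-02T09:40:00Z | alice | CONTAINED  | db-server-01 isolated by firewall rule; forensic image started
2023-05-02T15:05:00Z | bob   | ERADICATED | malware removed, patches applied, credentials rotated
2023-05-03T08:30:00Z | bob   | RECOVERED  | db-server-01 rebuilt from backup and validated
"""

LINE_RE = re.compile(r"^(\S+)\s*\|\s*(\S+)\s*\|\s*([A-Z]+)\s*\|\s*(.*)$")
PHASES = ("DETECTED", "CONTAINED", "ERADICATED", "RECOVERED")

def parse_journal(text):
    """Return (timestamp, handler, phase, note) tuples; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        entries.append((ts, m.group(2), m.group(3), m.group(4).strip()))
    return entries

def phase_durations_minutes(entries):
    """Minutes from each phase to the next (first time each phase was logged).
    A phase that was never logged yields None, which itself is a finding: the
    journal has a gap the post-incident review must fill."""
    first_seen = {}
    for ts, _, phase, _ in entries:
        if phase in PHASES and phase not in first_seen:
            first_seen[phase] = ts
    durations = {}
    for prev, cur in zip(PHASES, PHASES[1:]):
        if prev in first_seen and cur in first_seen:
            durations[cur] = (first_seen[cur] - first_seen[prev]).total_seconds() / 60
        else:
            durations[cur] = None
    return durations

def responders(entries):
    """Everyone who logged an action, for the 'who responded' question."""
    return sorted({handler for _, handler, _, _ in entries})

if __name__ == "__main__":
    entries = parse_journal(JOURNAL)
    print("responders:", ", ".join(responders(entries)))
    for phase, minutes in phase_durations_minutes(entries).items():
        print(f"time to {phase.lower()}: {minutes} minutes" if minutes is not None else f"{phase}: not logged")
```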
C. Provide a Jump Bag to Each CIRT Member
SANS recommends providing each CIRT member with a jump bag containing various tools required for immediate response. It consists of the following items, placed in a protective bag.
- An Incident Handler’s Journal. The CIRT members can use this to document the who, what, where, why, and how during an incident.
- The list of all CIRT members with contact details.
- USB Drives.
- A bootable USB drive or Live CD with the latest anti-malware and other software tools. These tools can read and/or write file systems of the affected computing environment.
- A laptop with forensic software, anti-malware, and internet access.
- Computer and network tool kits.
- Hard drive duplicators with write-block capabilities to create forensically sound copies of hard drive images.
D. Create Incident Response Process Checklists
Given the complexity of an incident response process, you are better off creating checklists for everything. You can create different checklists depending on your business operation and IT network size. However, for your information, here are a few common types of incident response process checklists.
1. Communication Checklist
As mentioned before, communication plays a critical role in effective and timely incident response. Creating this checklist can help you facilitate communication in the most chaotic time in your workplace.
A typical communication checklist includes the following.
- Whom to contact.
- When it is appropriate to contact them.
- Why contact that CIRT member.
- Changes in communication policy.
- Communication red flags.
- Do all CIRT members have access to the incident handler’s journal?
2. System Backup Checklist
This list will outline the critical points in backing up the systems. Remember, each system will have a unique backup checklist based on its components. However, a typical system backup checklist includes the following.
- Did CIRT create forensic copies of the affected system?
- Since the incident began, are all commands run and all documentation up to date? If not, who will update them, when, and how?
- Is all the forensic evidence secured? If not, who, when, and how will you secure it?
- Are the backups stored safely outside the containment area? If not, who will move them to a protected area, when, and how?
In today’s increasingly digitized work environment, cybersecurity is of utmost importance. The very survival of your business depends on a robust and proactive cybersecurity plan. A thoroughly designed incident response process will lay down a strong foundation for your overall cybersecurity and business continuity plans. The sooner you can create and implement it, the better. Hopefully, this short guide will help you hit the ground running in this regard.