What is an Incident Response?

The incident response steps that organizations need to take have been summarized in a six-step plan by the SANS Institute. The Incident Handler’s Handbook outlines the basic foundation for businesses to create their own incident response policies, standards, and teams. It also includes a checklist that ensures each of the incident response steps is followed in the event of an incident.

For starters, SANS Institute defines an incident as when, not if, a compromise or violation of an organization’s security happens. Every phase of the six-step plan needs to be followed in sequence, as each builds upon the previous phase.

Preparation is the most crucial phase in the incident response plan, as it determines how well an organization will be able to respond in the event of an attack. It requires several key elements to have been implemented to enable the organization to handle an incident:

1. Policy: Provides a written set of principles, rules, or practices within an organization and is a crucial action that offers guidance as to whether an incident has occurred.
2. Response plan/strategy: The response plan needs to include the prioritization of incidents based on organizational impact, from minor incidents like a single workstation failing to a medium risk like a server going down, and high-risk issues like data being stolen from a department. This can help build the case for management buy-in and gain resources required to handle an incident effectively.
3. Communication: Having a communication plan is vital to ensuring the entire CSIRT knows who to contact, when, and why. Not having a plan will likely delay the response time and result in the wrong people being contacted.
4. Documentation: This is a vital step in an incident response plan. Documenting the incident assists the organization in providing evidence in the event the incident is considered a criminal act. It also facilitates learning lessons for the future. Everything the CSIRT does must be documented and be able to answer any potential who, what, when, where, and why questions.
5. Team: The CSIRT needs to be comprised of people from different disciplines and departments across the organization, not just technical or security teams.
6. Access control: The CSIRT also needs to have the appropriate permissions to perform their roles. For example, having permission to access networks and systems to mitigate problems and having that permission removed when it is no longer needed.
7. Tools: Software and hardware are crucial to helping the CSIRT investigate an incident. This can range from anti-malware programs and laptops to screwdrivers. All of the tools required must be contained in a "jump bag."
8. Training: Training is crucial to ensuring a team is prepared to tackle a security incident. It is recommended to have regular drills so all CSIRT members know their duties as and when an incident occurs.

The second phase deals with detecting and determining whether an incident has occurred. Information such as error messages and log files must be gathered from various sources, including intrusion detection systems and firewalls, to make this decision. If an incident has occurred, it should be reported as quickly as possible to give the CSIRT enough time to collect evidence and prepare for the next steps. CSIRT members also need to be notified and begin the incident response plan process.

For example, the Fortinet FortiGuard solution analyzes over 100 billion security events per day to detect and defend against the evolving threat landscape. It offers real-time threat intelligence that protects customers from new advanced threats and detects and prevents breaches as and when they happen.

Once a threat has been identified, the organization must limit and prevent any further damage. There are several necessary steps to help them mitigate an incident and prevent the destruction of evidence.

1. Short-term containment: This aims to limit the damage as quickly as possible. It can be as simple as isolating infected machines to taking down production servers and routing all traffic to failover servers. 
2. System backup: Forensic software must capture an image of affected systems as they were during the incident to preserve evidence and understand how they were compromised. 
3. Long-term containment: This step sees the affected systems temporarily fixed to ensure they can continue to be used while rebuilding clean systems. The primary focus is for accounts or backdoors left by attackers to be removed and security patches to be installed. 

This phase sees the removal and restoration of systems affected by the security incident. As in all phases of the plan, documentation is crucial to determining the cost of man-hours, resources, and overall impact of the attack. The organization also must ensure that malicious content has been removed from affected systems and systems have been thoroughly cleaned to prevent the risk of reinfection.

The eradication phase is also crucial to helping businesses improve their defenses and fix vulnerabilities based on the lessons they learned to make sure their systems do not get compromised again.

This phase helps organizations carefully bring affected systems back into the production environment and ensures another incident does not occur. Systems must be tested, monitored, and validated as they move back into production so they are not reinfected by malware or compromised. Important decisions here include:

1. The time and date that operations are restored. System operators and owners must make the final decision based on the CSIRT’s advice
2. How to test and verify that compromised systems are clean and fully functional
3. The duration that abnormal behaviors are monitored
4. Tools used to test, monitor, and validate system behavior

It is vital for organizations to review their incident response and adapt their approach for future attacks. All documentation that was not completed during the incident now needs to be compiled, along with additional information that may benefit future incidents. 

The report must provide a play-by-play review of what happened throughout the entire incident. This will help the CSIRT improve its performance, learn from the events that occurred, and provide reference materials for future events. The report can also be used as training material for new employees and to guide any drills that teams hold.

After an event, a lessons learned meeting should take place as soon as possible. Your report should cover:

1. When the problem was first detected, how, and by whom
2. The root cause of the incident
3. How the problem was contained and eradicated
4. Actions performed throughout the recovery process
5. Areas where the CSIRT was effective and areas for improvement
6. Suggestions and discussion around how to improve the CSIRT