What Is Incident Response?
Incident response is a plan used following a cyberattack. IT professionals use it to respond to security incidents. Having a clearly defined incident response plan can limit attack damage, lower costs, and save time after a security breach.
A cyberattack or data breach can cause huge damage to an organization, potentially affecting its customers, brand value, intellectual property, and time and resources. Incident response aims to reduce the damage an attack causes and help the organization recover as quickly as possible.
Why Incident Response Planning Is Important
With cyberattacks increasing in frequency, scale, and sophistication, an incident response plan plays an increasingly important role in organizations’ information security defense. It is vital for organizations to be fully prepared before an incident occurs to limit the success and damage of a potential attack and maximize their response.
However, recent Immersive Labs research found that nearly 40% of organizations are not confident their teams could handle a data breach. And while 61% of respondents thought having an incident response plan was the most effective way to prepare for a security incident, 40% said the last exercise generated no action.
Cyberattacks can have a damaging effect on brand reputation, leading to an organization losing customers and suffering huge fines. Having a response plan in place and taking action based on the findings is vital to learning lessons and avoiding stringent punishments for suffering data loss.
CSIRT: Computer Security Incident Response Team
The computer or cybersecurity incident response team (CSIRT) is formed by the people responsible for leading or handling the response to an incident. The team is crucial to running incident response exercises, providing staff training, and maintaining security awareness.
A CSIRT involves several core roles, which can be played by one or more people. These include senior and executive management, who are responsible for making critical decisions, and an incident manager, who ensures all actions are tracked and the incident is clearly documented, communicated to stakeholders, and escalated.
The CSIRT also includes leaders from customer service, human resources, legal, and public relations departments. It requires analysts, investigators, and IT infrastructure experts, who will typically be from an external organization, to explore, contain, and remediate the incident.
6 Steps of an Incident Response Plan
The incident response steps that organizations need to take have been summarized in a six-step plan by the SANS Institute. The Incident Handler’s Handbook outlines the basic foundation for businesses to create their own incident response policies, standards, and teams. It also includes a checklist that ensures each of the incident response steps is followed in the event of an incident.
For starters, SANS Institute defines an incident as when, not if, a compromise or violation of an organization’s security happens. Every phase of the six-step plan needs to be followed in sequence, as each builds upon the previous phase.
Step 1: Prepare
Preparation is the most crucial phase in the incident response plan, as it determines how well an organization will be able to respond in the event of an attack. It requires several key elements to have been implemented to enable the organization to handle an incident:
- Policy: Provides a written set of principles, rules, or practices within an organization and is a crucial action that offers guidance as to whether an incident has occurred.
- Response plan/strategy: The response plan needs to include the prioritization of incidents based on organizational impact, from minor incidents like a single workstation failing to a medium risk like a server going down, and high-risk issues like data being stolen from a department. This can help build the case for management buy-in and gain resources required to handle an incident effectively.
- Communication: Having a communication plan is vital to ensuring the entire CSIRT knows who to contact, when, and why. Not having a plan will likely delay the response time and result in the wrong people being contacted.
- Documentation: This is a vital step in an incident response plan. Documenting the incident assists the organization in providing evidence in the event the incident is considered a criminal act. It also facilitates learning lessons for the future. Everything the CSIRT does must be documented and be able to answer any potential who, what, when, where, and why questions.
- Team: The CSIRT needs to be comprised of people from different disciplines and departments across the organization, not just technical or security teams.
- Access control: The CSIRT also needs to have the appropriate permissions to perform their roles. For example, having permission to access networks and systems to mitigate problems and having that permission removed when it is no longer needed.
- Tools: Software and hardware are crucial to helping the CSIRT investigate an incident. This can range from anti-malware programs and laptops to screwdrivers. All of the tools required must be contained in a "jump bag."
- Training: Training is crucial to ensuring a team is prepared to tackle a security incident. It is recommended to have regular drills so all CSIRT members know their duties as and when an incident occurs.
Step 2: Identify
The second phase deals with detecting and determining whether an incident has occurred. Information such as error messages and log files must be gathered from various sources, including intrusion detection systems and firewalls, to make this decision. If an incident has occurred, it should be reported as quickly as possible to give the CSIRT enough time to collect evidence and prepare for the next steps. CSIRT members also need to be notified and begin the incident response plan process.
For example, the Fortinet FortiGuard solution analyzes over 100 billion security events per day to detect and defend against the evolving threat landscape. It offers real-time threat intelligence that protects customers from new advanced threats and detects and prevents breaches as and when they happen.
Step 3: Contain
Once a threat has been identified, the organization must limit and prevent any further damage. There are several necessary steps to help them mitigate an incident and prevent the destruction of evidence.
- Short-term containment: This aims to limit the damage as quickly as possible. It can be as simple as isolating infected machines to taking down production servers and routing all traffic to failover servers.
- System backup: Forensic software must capture an image of affected systems as they were during the incident to preserve evidence and understand how they were compromised.
- Long-term containment: This step sees the affected systems temporarily fixed to ensure they can continue to be used while rebuilding clean systems. The primary focus is for accounts or backdoors left by attackers to be removed and security patches to be installed.
Step 4: Eradicate
This phase sees the removal and restoration of systems affected by the security incident. As in all phases of the plan, documentation is crucial to determining the cost of man-hours, resources, and overall impact of the attack. The organization also must ensure that malicious content has been removed from affected systems and systems have been thoroughly cleaned to prevent the risk of reinfection.
The eradication phase is also crucial to helping businesses improve their defenses and fix vulnerabilities based on the lessons they learned to make sure their systems do not get compromised again.
Step 5: Recover
This phase helps organizations carefully bring affected systems back into the production environment and ensures another incident does not occur. Systems must be tested, monitored, and validated as they move back into production so they are not reinfected by malware or compromised. Important decisions here include:
- The time and date that operations are restored. System operators and owners must make the final decision based on the CSIRT’s advice
- How to test and verify that compromised systems are clean and fully functional
- The duration that abnormal behaviors are monitored
- Tools used to test, monitor, and validate system behavior
Step 6: Learn
It is vital for organizations to review their incident response and adapt their approach for future attacks. All documentation that was not completed during the incident now needs to be compiled, along with additional information that may benefit future incidents.
The report must provide a play-by-play review of what happened throughout the entire incident. This will help the CSIRT improve its performance, learn from the events that occurred, and provide reference materials for future events. The report can also be used as training material for new employees and to guide any drills that teams hold.
After an event, a lessons learned meeting should take place as soon as possible. Your report should cover:
- When the problem was first detected, how, and by whom
- The root cause of the incident
- How the problem was contained and eradicated
- Actions performed throughout the recovery process
- Areas where the CSIRT was effective and areas for improvement
- Suggestions and discussion around how to improve the CSIRT
Start Planning for Your Next Security Incident
Having a tried-and-tested incident response plan is vital for organizations to be as prepared as possible for security incidents. In addition to involving the right people in the CSIRT and knowing who is responsible for what in the event of an incident, businesses also need to have the right tools in place. Fortinet provides a range of tools and technologies that allow businesses to detect, prevent, and mitigate security threats.
This includes the powerful FortiSIEM, Fortinet's security information and event management tool, which helps organizations manage and secure their increasingly complex infrastructure and attack surface. Another is the streamlined FortiSOAR, Fortinet's comprehensive security orchestration, automation, and response tool, which remedies the biggest security challenges and optimizes processes. Organizations can also use network security solutions, such as an intrusion prevention system (IPS) or next-generation firewall (NGFW), to identify suspicious activity and protect themselves from malicious attacks.
Discover how Fortinet can help your organization be better prepared for a cyberattack. Manage security incidents with FortiSIEM.