A Gentle Introduction to Incident Response

An incident response plan helps you identify vulnerabilities and detect and respond to security incidents. Its goal is to facilitate and standardize an effective response to incidents and to reduce the potential damage. In this article, you will learn what incident response is, what the incident response steps are, and which components are critical to include in the plan.

What Is an Incident Response Plan?

Incident response refers to the actions you take when a cyber attack occurs, and during events of data loss or service outage. Without a solid incident response plan, you are likely to suffer the full effects of a data loss incident. These incidents can lead to loss of customer data, intellectual property and trade secrets, and to the resulting compliance fines. An incident response plan usually consists of a set of guidelines and instructions for responding to security incidents.

An incident response plan enables you to detect issues as fast as possible and minimize damages. A well-developed incident response strategy prevents cyber-criminals from attacking your system and stealing or manipulating your assets.

6 Incident Response Steps

An efficient incident response plan should include the following steps.

1. Preparation
The preparation stage includes the review and assessment of the underlying security policy of your systems. Assess your potential risks and prioritize security issues. Identify the most sensitive assets, and define the most important incident types your team should focus on.

Prepare documentation that clearly states the roles, responsibilities and processes, and create a brief communication plan. However, note that planning is not enough. You also have to hire CSIRT (computer security incident response team) members and train them. Make sure they have access to all the relevant tools and systems they need to identify and respond to incidents.

2. Identification
The incident response team has to effectively identify anomalies in the normal behavior of organizational systems. The team also has to find out if those anomalies represent real security threats.

When the team discovers a potential incident, it should immediately gather additional evidence, decide on the severity and type, and document every action taken. Proper documentation enables companies to prosecute attackers in court by providing answers to the questions Who, What, Where, Why, and How.

3. Containment
The immediate goal after identifying a security incident is to prevent additional damage from occurring. This includes:

  • Short term containment—simple actions like isolating the network segment that is under attack, or shutting down compromised servers and moving the traffic to backup servers.
  • Long term containment—building new, clean systems and preparing to bring them online in the recovery stage, while implementing temporary fixes on the affected systems in production.

4. Eradication
The team must find the root cause of the attack and prevent similar attacks in the future. For instance, if a weak authentication system was the root cause of the attack, you have to replace it with a stronger authentication mechanism. Any exploited vulnerability should be patched immediately.

5. Recovery
Incident response teams have to carefully bring affected production systems back online to prevent additional incidents. Teams need to decide from which date and time to restore operations, how to verify and test that the affected systems are back to normal, and how long to monitor the systems to confirm that activity stays normal.

6. Learning
The objective of this step is to document the things you could not document during the incident response process. You also need to establish the full scope of the incident by further investigating how it was contained and eradicated, how the system was recovered, and which incident response actions require improvement. Teams should perform this phase no later than two weeks after the end of the incident, while the information is still fresh.

Considerations for Incident Response Planning

An effective incident response plan should include the following elements:

  • Consistent testing—security teams must test the incident response plan before actually using it. Teams should conduct planned or unplanned security drills. Run through the plan and identify weak spots to ensure that the team is ready for a real incident.
  • Senior management support—support from management enables you to recruit the most qualified members for your incident response team. The right kind of support enables you to create processes and information flows for effective incident management.
  • Balance between detail and flexibility—the plan has to include specific, actionable incident response steps. However, overly rigid processes become complex and leave no room to adapt in unexpected scenarios. You should create a detailed plan but allow a certain degree of flexibility to support different kinds of incidents. Frequent updates of the plan can also help with flexibility. You should review the plan approximately every six months to update it with new security issues and attacks that can affect your organization.
  • Define your stakeholders—the plan should define who needs to be informed of and involved in a security incident. This can change depending on the incident type and the targeted organizational resources. Stakeholders could include senior management, department managers, customers, and legal partners.
  • Clear communication—the plan should clearly define the communication channels of the incident response team. The team has to know what channels to use to transfer information. This part is often overlooked in incident response plans. For instance, the plan should describe what level of detail you can communicate to senior management, IT management, to affected customers, to affected departments, and to the press.
  • A simple plan—incident teams are not likely to follow a complicated plan in real time, even if the plan is very well thought out. Keep details, procedures and steps to a minimum. A simple plan ensures that the team can process and apply the steps as they enter the “fog of war”.

Conclusion

Cyber criminals use advanced technology and social engineering to hack systems, networks, and devices. They deploy bots, use Artificial Intelligence (AI) to imitate human behavior, and trick users into revealing information. Differentiating between regular user behavior and malicious activity is getting harder because attackers keep improving their techniques.

Organizations must keep their incident response plans up to date to ensure the safety of their systems and networks. Additional technologies like threat intelligence and User and Entity Behavior Analytics (UEBA) can help keep organizations protected even during zero-day attacks.
