In an always-on, digital-first economy, organizations can ill afford the fallout from a cyberattack. Those that rely on ad hoc processes to respond to digital threats are left with slow, ineffective remediation. It’s estimated that a ransomware attack takes place every 11 seconds. Coupled with the average cost of a data breach reaching an all-time high of $4.24 million in 2021, the stakes have never been higher, since even a minor security slip-up has a major ripple effect across your organization and your customers. Therefore, it’s critical that you prepare in advance for the inevitable.
This article sheds light on the incident response process to optimize your business continuity plan.
What is incident response?
Incident response (IR) is the methodology used to detect, contain and recover from an incident such as a cyberattack. It minimizes the direct and indirect costs like downtime, recovery costs and brand reputation.
Who handles incident response?
A computer incident response team (CIRT), also known as a cyber incident response team, manages the IR process. Gartner defines the CIRT as follows:
“The CIRT is responsible for responding to security breaches, viruses and other potentially catastrophic incidents in enterprises that face significant security risks. In addition to technical specialists capable of dealing with specific threats, it should include experts who can guide enterprise executives on appropriate communication in the wake of such incidents. The CIRT normally operates in conjunction with other enterprise groups, such as site security, public relations and disaster recovery teams.”
What is the purpose of incident response?
Lately, IR has taken center stage as cyberattacks increase in scale and frequency. Its popularity stems from the benefits it offers:
- Repairing cyber vulnerabilities efficiently
- Restoring operations in a timely fashion to ensure business continuity
- Minimizing financial and reputational losses
- Improving security posture to avoid future attacks
What is incident response planning?
An incident response plan (IRP) is a set of instructions to help detect, respond to and recover from cyberattacks, including, but not limited to, ransomware, business email compromise and data loss. There are instructions for each stage of the attack, which ensures businesses have the manpower and the structure to respond quickly to any threat.
The need for an incident response plan
Organizations of all sizes need to have a solid incident response plan in place. Here’s why:
Rapid response
Organizations acknowledge the importance of the incident response process. However, many lack a decent incident response plan. It takes an average of 197 days (and sometimes up to a year) for organizations to identify a breach, which leads to long periods of downtime. An IRP enables responders to take the necessary steps to counter an attack in the least amount of time.
Data protection by default
Backup files, privileged access and critical data in the wrong hands harm your business. An IRP uses logs and security alerts to detect malicious activity, and access management to defend against internal and external threats.
Reinforces reputation and revenue
IDC found that 78% of consumers would take their business elsewhere if directly affected by a data breach. In other words, a breach affects consumer confidence and sales. An IRP demonstrates a brand’s commitment to security and privacy, making you a trustworthy brand.
What should an incident response plan include?
An incident that activates an IR plan also initiates the business continuity plan (BCP) for continuous business operations. Both incident handlers and BCP team leaders need timely and accurate information to take proper steps against an unanticipated event.
The following elements of an incident management system help deliver effective business continuity:
- Plan statement: Gives directions on how personnel should respond to an attack.
- Purpose: Outlines the scope of the plan by listing which systems or data are subject to the plan.
- Definitions: Explains terms used in the incident response plan.
- Incident response team: Lists names and contact details along with roles and responsibilities.
- Plans of action and milestones: Minimize or mitigate risks and communicate your actions with other stakeholders.
The incident response team
The IR team is the first point of contact when a cyber incident occurs. The team is responsible for managing the incident and setting clear communication with internal and external stakeholders. The team should contain personnel from management, IT, legal, HR and public relations.
Incident Response Manager: Supervises and prioritizes actions during detection, containment and recovery from an incident.
CIRT Team: Offers specialized technical skills to provide the right advice and threat analysis.
Security Analysts: Support and work directly with affected resources, implementing and maintaining technical and operational controls.
Threat Researchers: Provide threat intelligence and context around security incidents. They may use third-party tools to identify current and future threats.
Management: Brings top-level management buy-in, which is necessary for the provision of resources for incident response planning and execution.
Human Resources: HR is involved when it is a case of malicious insiders or employee error.
Audit and Risk Management Specialists: Develop threat metrics and vulnerability assessments while encouraging best practices across the organization.
Legal: Ensures any evidence collected maintains its forensic value if the company chooses to take legal action.
Public Relations: Enables communication with internal and external stakeholders.
What is the role of the incident response team?
The core responsibilities of the IR team are to:
- Create and maintain an IR plan
- Analyze the security incident
- Manage internal communications and alerts whenever an incident occurs
- Offer easy communication with stakeholders and the press whenever needed
- Mitigate the security incident
- Create a summary report to document the incident and actions taken
- Provide recommendations for improving the efficacy of the IR team
The incident response process: 6 steps to create an incident response plan
According to SANS Institute, there are six steps to create an IRP:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Preparation
Preparation helps organizations determine how well their IR team will respond to an incident. It covers policy, the response plan and strategy, communication, documentation, selection of CIRT members, access control, tools and training.
Questions to ask
- Has everyone been trained in security policies?
- Have the security policies and incident response plan been approved by management?
- Is the IR team aware of their roles and responsibilities?
- Did the IR team conduct mock drills?
Identification
Identification is the process of detecting a breach and enabling a rapid response. The IR team uses threat intelligence streams, intrusion detection systems and firewalls to classify an incident as a breach that requires prompt action.
Questions to ask
- When did the incident happen?
- Who discovered the incident and how?
- Have any other areas been impacted?
- What is the scope of the incident?
- Does it affect operations?
- Has the source of the incident been discovered?
Containment
Containment limits the damage already done and prevents further damage from occurring. It can be accomplished by taking specific sub-networks offline and spinning up system backups to ensure uninterrupted business operations.
Questions to ask
- What’s been done to contain the breach short term?
- What’s been done to contain the breach long term?
- Has any discovered malware been quarantined from the rest of the environment?
- What sort of backups are in place?
- Have all access credentials been reviewed and changed?
- Does the system have the latest security patches and updates?
Eradication
Eradication is the phased removal of the threat and restoration of systems affected by the security incident to their previous state. It may also involve follow-up monitoring to confirm that any vulnerabilities on the affected systems have been fixed.
Questions to ask
- Has the malware been securely removed?
- Has the system been patched up?
- Can the system be re-imaged?
Recovery
Test, monitor and validate systems, and bring those affected back into the production environment cautiously to ensure they don’t lead to another incident. This requires setting timelines for full restorations as well as continued monitoring for any abnormal network activity.
Questions to ask
- When can systems be returned to production?
- Have systems been tested and patched?
- Can the system be restored from a trusted backup?
- Which parts of the affected systems will be monitored, and for how long?
- What solutions will stop similar attacks from recurring?
Lessons Learned
This final step helps educate and improve future incident response efforts. The IRP is updated with information that may have been missing, omitted, or incomplete prior to the incident as well as complete documentation of remediation efforts to provide insight for a future response.
Questions to ask
- What changes need to be made to security?
- How should employees be trained differently?
- What weakness did the breach exploit?
- How will you ensure a similar breach doesn’t happen again?
Improve your incident response with Unitrends
Unitrends provides a range of backup and disaster recovery (BCDR) solutions that allow businesses to detect, prevent and mitigate security threats.
Backup & Disaster Recovery
Unitrends offers protection for more than 250 versions of operating systems, hypervisors and applications. Whether your infrastructure is physical machines or virtual servers, you can protect your digital assets with Unitrends locally and also replicate copies of data to alternate media (disk, tape, cloud) for secondary and tertiary copies.
Disaster Recovery Testing
Unitrends Recovery Assurance helps automate testing for your DR runbook by spinning up backups in an isolated lab environment and testing against services and applications. Server performance and compliance tracking (RTO, RPO actuals) are reported to provide full visibility into what recovery looks like.
Disaster Recovery as a Service
In the event your data center goes down or you’re unable to reach it, failover invisibly into the Unitrends Cloud with Disaster Recovery as a Service (DRaaS). The Unitrends team does all the heavy lifting, which includes implementation, onboarding, failover and recovery of service, and failback to your local data center once operations are ready to be resumed.
Learn more about how Unitrends can help you with your data security needs.