Incident response is critical for managing and mitigating security incidents in order to limit the disruption that attacks can cause.
The success of incident response relies on a comprehensive and robust incident response plan. In this blog post, we give an overview of what incident response planning involves and the key steps that make up an effective incident response plan.
What is incident response?
Incident response is the approach an organisation takes to plan for, respond to, manage and mitigate cyber security incidents. The overarching aim of incident response is to minimise the damage and disruption of attacks and, where necessary, restore operations as quickly as possible.
What is an incident response plan?
An incident response plan (IRP) is a document which establishes a strategy to guide your organisation’s actions following a security incident.
Your incident response plan should clearly and comprehensively communicate the actions your organisation needs to complete after a cyber-attack. It should identify and set out tasks, procedures and responsibilities relating to each stage of the incident and include defined roles for specific activities.
Why is an incident response plan important?
As the National Cyber Security Centre (NCSC) states:
“Incident response (IR) is complicated by two factors. Firstly, no two incidents are ever the same. Secondly, all responses require people, process and technical elements to work together in order to be successful.
Planning your incident response ahead of time is essential. This will be a major determining factor in the final outcome of any real world incident.”
Your incident response plan is your strategic roadmap outlining the steps your organisation should take in the event of different types of attacks. It ensures that you are able to take fast, decisive action to defend your organisation’s reputation and financial well-being.
Set out clearly and executed in a timely way, it can make the difference between responding effectively to an incident and experiencing significant organisational disruption. An incident response plan also communicates to stakeholders and regulators that your organisation is fully committed to addressing new and emerging threats.
What are the incident response steps?
While the nuances of an incident response plan will vary according to the nature and scale of your organisation, the process is generally based on the following key steps:
1. Preparation of systems and procedures
This is a critical step in the incident response planning process as it ensures that every aspect of the plan, from execution to resources, is approved and organised in advance. It involves the creation of key processes, the development of incident response drill scenarios and the assessment of your incident response plan. This stage also involves ensuring that your employees are properly prepared and trained for their incident response roles and responsibilities.
2. Identification of incidents
This is the stage of incident response at which you identify whether your organisation has been breached and the extent, if any, to which your systems have been compromised. If a breach has occurred, it should be documented and reported as quickly as possible, as part of your formal breach notification process. Following your breach notification protocol will enable you to respond quickly and effectively to data breaches. You should also gather evidence in preparation for the next stage of the process and ensure that all the relevant people are prepared to take action. In the event of a breach, you should look to establish key facts such as who discovered it, its scope, its impact on operations and its potential source.
3. Containment of attackers and incident activity
This is the incident response stage at which an organisation takes action to limit any additional damage from the incident, as well as prevent the destruction of evidence. It involves three key aspects:
- Short-term containment: The actions taken to limit any potential damage as quickly as possible
- System back-up: The use of forensic software to capture an image of the affected systems in the state they were in during the incident, in order to preserve evidence and provide insight into the nature of the compromise
- Long-term containment: Temporarily repairing the affected systems so that they can continue to be used, alongside rebuilding clean systems to ensure the removal of accounts or backdoors left by attackers and installing security patches
4. Eradication of attackers and re-entry options
The eradication stage of incident response involves identifying the cause of the incident and removing malware or other threats introduced by the attack, as well as restoring all the affected systems. Its core aim is to ensure that similar attacks are prevented in the future.
5. Recovery from incidents, including the restoration of systems
This stage involves restoring affected systems and devices and returning them to their previous state. As the phase in which organisations can begin operating again without creating the risk of further incidents, it involves checking that systems have been patched, hardened and tested, confirming that they are being restored from trustworthy back-ups, and adopting tools to help prevent similar attacks.
6. Lessons learned and the application of feedback to the next round of preparation
The final stage of the incident response process takes place once the investigation is complete. All incident response team members should discuss learning points from the specific incident, alongside analysing and documenting everything about the breach. This is the opportunity to understand what was successful in an incident response plan and what was perhaps less effective.
How Kroll can help
Kroll is a leading provider of end-to-end cybersecurity, digital forensics and breach response services – responding to over 3,200 security events every year. Kroll is well-placed to help you respond effectively to many types of incidents and enhance your organisation’s incident response procedures, with experts on hand 24/7 to assist across the entire incident lifecycle.