Incident Response: A Comprehensive Guide

Learn about this vital process and how to take the correct steps in a crisis.

What is Incident Response (IR)?

Incident Response is a term that refers to the process of responding to and managing the aftermath of any type of security incident, including security breaches, attacks, data loss, or malicious activity. It aims to quickly and effectively prevent or lessen the potential impact on an organization’s systems, networks, and data. This process involves proactive planning for a security incident and a rapid reaction when one occurs.

What is an Incident Response Plan (IRP)?

An Incident Response Plan (IRP) is a set of written policies and procedures that help organizations respond effectively to security incidents. It outlines the steps taken in response to a breach, from identifying and assessing a threat to documenting evidence and recovering. The plan helps a company spot patterns in malicious behavior and minimize the risk of further damage, and it guides workers dealing with an attack.

The IRP should include the following:

  • Policies on identifying threats.
  • Assessing the impact of attacks.
  • Investigating potential breaches.
  • Containing an attack’s effects.
  • Recovering systems or data affected by an incident.

It should also include information regarding communication protocols and systems inside and outside the organization. An IRP should be regularly reviewed and tested to maintain current effectiveness standards.

Incident Response Frameworks

Incident response frameworks exist to enable organizations to formulate standardized response plans. Large organizations with considerable security knowledge and experience usually create these frameworks. Two commonly used frameworks are those established by NIST and SANS.

NIST Framework

The National Institute of Standards and Technology (NIST) is a U.S. government agency that has created the NIST incident response framework for cybersecurity efforts. This comprehensive framework outlines how to create an IRP, an incident response team, and a communication plan and provides for various training scenarios.

In this framework, incident response is condensed into four steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

NIST treats containment, eradication, and recovery as intertwined activities. You should aim to identify and remove threats from your systems promptly, rather than waiting for every threat to be discovered first.

Recovery also takes on different forms depending on the recovered asset, with some having priority over others. Depending on the severity of the attack, it may be prudent to defer recovering certain high-priority assets.

SANS Framework

System Admin, Audit, Network, and Security (SANS) is a private research and education organization. The SANS incident response framework is one of their significant contributions to cybersecurity.

The SANS framework divides incident response into six phases:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

The SANS framework provides basic descriptions of the phases and an IR checklist for each stage. Additionally, two templates with system commands are included for the preparation and identification phases.

Who is Responsible for Incident Response?

An incident response program needs a coordinated cross-functional team from different parts of the organization to effectively implement and execute security policies, processes, and tools. It’s their responsibility to complete the steps and processes involved in incident response.

Types of Incident Response Teams

Typically, incident response teams fall into three categories:

  • Computer Security Incident Response Team (CSIRT)
  • Computer Incident Response Team (CIRT)
  • Computer Emergency Response Team (CERT)

Typically, the objectives and roles of the teams behind these acronyms are the same. However, CERT is a registered trademark of Carnegie Mellon University, so companies must obtain authorization to use the name.

Security Operations Center (SOC)

The SOC is another term that frequently comes up in conversations about incident response teams. It covers the personnel, technology, and processes responsible for an organization’s security program.

SOC teams are primarily responsible for incident response, but they may have other tasks within an organization. Other responsibilities of SOC teams are asset discovery and management, maintaining activity records, and ensuring adherence to regulations.

What Does an Incident Response Team Do?

An incident response team’s primary objective is to detect and respond to security incidents and minimize their business impact. Therefore, team responsibilities typically align with phases outlined in incident response plans and frameworks. Among the team’s tasks are:

  • Prevent and prepare for security incidents
  • Prepare an incident response plan
  • Manage, update, and test the incident response plan before implementing it
  • Conduct tabletop exercises on incident response
  • Analyze program initiatives based on metrics
  • Analyze security events
  • Isolate systems, quarantine threats, and contain security events
  • Find root causes of threats, eliminate them, and remove them from production environments
  • Assist in the recovery of affected systems after threats
  • Document and analyze the incident, as well as identify ways to prevent similar events in the future and improve future response efforts
  • Regularly review and update the incident response plan

Building an IR Team in Your Organization

When it comes to incident response, having an effective incident response team is vital. Here are the key aspects to consider when building an incident response team in your organization:

Incident Response Team Models

  • Central – A centralized team manages IR for the whole organization.
  • Distributed – Multiple teams coordinate their efforts as needed. Typically, each unit is responsible for one part of the IT infrastructure, one location, or one department.
  • Coordinated – The central team serves as a command center or knowledge base for distributed teams. Often, central teams monitor systems and assist distributed teams when necessary.

Selecting a Team Model

Use the questions below to guide you on which team model is best for your organization.

  • What availability do you need? – Determine whether you would like 24/7 response availability and at what level. For example, can teams respond remotely, or must they be present on-site? Ideally, your team is available in real-time and in person.
  • What level of staffing do you want? – You should decide whether you want full-time or part-time staff for your team. A part-time team is best for boosting response time. On the other hand, having a full-time team ensures a consistent, organized, and timely response.
  • How much expertise is needed? – Companies should consider having external security specialists available to support their internal teams, as additional knowledge can improve response operations.
  • What is your budget? – Establishing a realistic budget for your IR team is critical to address the issues mentioned above adequately. Allocation of funds should also be taken into consideration when forming the team.

Incident Response Team Members

The composition of an incident response team and the roles of its members depend on the organization’s requirements. Some members may have more than one role. However, a typical incident response team consists of the following members:

  • Technical team – This incident response team comprises IT and security members with technical proficiency across company systems. It usually has a manager, coordinator, lead, analysts, responders, researchers, and forensics analysts.
  • Executive sponsor – In most cases, this is the company’s Chief Security Officer (CSO) or Chief Information Security Officer (CISO).
  • Communications team – PR representatives and others in charge of internal and external communications are included in this category.
  • External stakeholders – May include employees from different organizational departments, such as IT, the legal department, HR, PR, security, and facilities.
  • Third parties – These external members are consultants, external legal representation, Managed Service Providers (MSPs), managed security service providers, cloud service providers (CSPs), vendors, and partners.

Steps in Creating an Incident Response Plan

Step 1: Preparation

The first phase, preparation, includes a risk assessment to determine potential vulnerabilities and the priority of assets. Incident responses will be based on this information, and systems can be configured to address identified vulnerabilities and focus protection on high-priority assets. Policies and procedures should then be revised or created, including a communication plan that sets out roles and responsibilities during an incident.

Step 2: Identification

When preparing for an incident, teams must determine what tools and procedures they will use to identify suspicious activity. If an incident happens, they must establish the type of attack, its source, and the attacker’s motives. Keep a record of all evidence collected throughout an investigation, along with any information you may need to locate an intruder.
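One way to keep the evidence record the identification phase calls for is an append-only register that stores, for every collected artifact, its SHA-256 hash together with the source host, collector and UTC collection time, so a later reviewer can re-hash the artifact and prove it was not altered. This is an added example, not code from the original article or from SafetyCulture; the `EvidenceRegister` class, its field names and the sample artifacts are all constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hash an artifact so later readers can prove it was not altered."""
    return hashlib.sha256(data).hexdigest()


class EvidenceRegister:
    """Append-only record of evidence collected during an investigation.

    Each entry stores what was collected, from where, by whom, when (UTC)
    and its SHA-256, so a reviewer can re-hash the artifact and compare.
    """

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def record(self, item_id: str, source_host: str, description: str,
               collector: str, data: bytes) -> dict:
        entry = {
            "id": item_id,
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "source_host": source_host,
            "description": description,
            "collector": collector,
            "size": len(data),
            "sha256": sha256_hex(data),
        }
        self.entries.append(entry)
        return entry

    def verify(self, item_id: str, data: bytes) -> bool:
        """Return True if the artifact still hashes to the recorded value."""
        for entry in self.entries:
            if entry["id"] == item_id:
                return entry["sha256"] == sha256_hex(data)
        raise KeyError(f"no evidence entry with id {item_id!r}")

    def export(self) -> str:
        """Serialize the register for attachment to the incident report."""
        return json.dumps(self.entries, indent=2)


def demo() -> tuple[bool, bool]:
    # Constructed sample artifacts: a log excerpt and a stand-in binary.
    auth_log = b"Jan 1 00:00:01 host1 sshd[100]: Failed password for root\n"
    sample = b"\x7fELF\x02\x01\x01placeholder-binary"
    reg = EvidenceRegister()
    reg.record("E-001", "host1", "auth log excerpt", "analyst-a", auth_log)
    reg.record("E-002", "host1", "suspicious binary", "analyst-a", sample)
    intact = reg.verify("E-001", auth_log)            # unchanged copy passes
    tampered = reg.verify("E-002", sample + b"x")     # altered copy fails
    return intact, tampered
```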

Step 3: Containment

When an incident happens, steps are taken to contain it and minimize any possible harm. Containment usually involves several subphases:

  • Short-term containment – Threats are isolated, e.g., by segmenting off the network area the attacker currently occupies, or by taking infected servers offline and redirecting traffic to a failover.
  • Long-term containment – Unaffected systems are placed under extra access controls, and clean, patched replacement systems and resources are prepared for recovery.

Step 4: Eradication

Once all necessary containment steps are taken, the full scope of the attack becomes visible. Teams must then identify all compromised systems and resources in order to remove attackers and malware. This process should continue until no traces of the attack remain. Some cases may require rebuilding systems from known-clean versions to recover fully.

Step 5: Recovery

In this phase, teams attempt to restore any lost data while bringing updated replacement systems online. If that is not possible, they must identify when the last clean copy of the data was created and restore it. The phase ends with monitoring systems for some time to detect whether the attackers return.

Step 6: Lessons Learned

The post-incident assessment is crucial for identifying and eliminating any remaining security vulnerabilities. It could include patch management, staff training, and introducing technologies to detect internal threats. These procedures should be put in place to prevent another similar incident from taking place. Incorporate all these preventative measures into your security incident response plan.


FAQs About Incident Response

Incident response is the act of responding to and containing a specific security incident or cyber threat. Disaster recovery, by contrast, focuses on restoring normal operations following a significant disruption, such as a natural disaster, power outage, or equipment failure. Despite some overlap between the two, they are distinct processes that require different resources and planning.

As a part of the incident response process, several tools and technologies can be used to support the process, such as network monitoring tools, intrusion detection systems, antivirus software, forensic tools, incident management software, and communication platforms.

An effective incident response begins with preparation. Without predetermined guidelines, an incident response team cannot effectively respond to an incident.

Article by Rob Paredes, SafetyCulture Content Contributor
Rob Paredes is a content contributor for SafetyCulture. Before joining SafetyCulture, he worked as a financial advisor, a freelance copywriter, and a Network Engineer for more than a decade. Rob's diverse professional background allows him to provide well-rounded, engaging content that can help businesses transform the way they work.