What is Incident Response?
Incident response (IR) is the systematic approach taken by an organization to prepare for, detect, contain, and recover from a suspected cybersecurity breach. An incident response plan helps ensure an orderly, effective response to cybersecurity incidents, which in turn can help protect an organization’s data, reputation, and revenue.
How an organization responds to an incident can have tremendous bearing on the ultimate impact of the incident. Becoming the victim of a cyber attack is bad enough, but organizations that fail to take appropriate steps may find themselves vulnerable to employee or shareholder lawsuits or penalties from regulators. They may also find that their insurance company will not accept their claim if they did not take certain predetermined steps.
An incident response plan helps ensure the proper steps are taken. It often includes the following elements:
- how incident response supports the organization’s broader mission
- the organization’s approach to incident response
- activities required in each phase of incident response
- roles and responsibilities for completing IR activities
- communication pathways between the incident response team and the rest of the organization
- metrics to capture the effectiveness of its IR capabilities
It’s important to note that an IR plan’s value doesn’t end when an incident is over; it continues to provide support for successful litigation, documentation to show auditors, and historical knowledge to feed into the risk assessment process and improve the incident response process itself.
2021 CrowdStrike Global Threat Report
Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.
Download NowWhy is an Incident Response Plan Important?
Cyber incidents are not just technical problems – they’re business problems. The sooner they can be mitigated, the less damage they can cause.
Think of recent breaches that lingered in the headlines for weeks. Was the company notified far in advance but failed to address the issue? Did their public communications downplay the severity of the incident, only to be contradicted by further investigation? Were communications with affected individuals poorly organized, resulting in greater confusion? Were executives accused of mishandling the incident — either by not taking it seriously or by taking actions, such as selling off stock, that made the incident worse? These are telltale signs that the organization didn’t have a plan.
Because an incident response plan is not solely a technical matter, the IR plan must be designed to align with an organization’s priorities and its level of acceptable risk.
Incident response leaders need to understand their organizations’ short-term operational requirements and long-term strategic goals in order to minimize disruption and limit data loss during and after an incident.
The information gained through the incident response process can also feed back into the risk assessment process, as well as the incident response process itself, to ensure better handling of future incidents and a stronger security posture overall. When investors, shareholders, customers, the media, judges, and auditors ask about an incident, a business with an incident response plan can point to its records and prove that it acted responsibly and thoroughly to an attack.
Most Organizations Lack a Plan
Although the need for incident response plans is clear, a surprisingly large majority of organizations either don’t have one, or have a plan that’s underdeveloped.
According to a survey by Ponemon, 77 percent of respondents say they lack a formal incident response plan applied consistently across their organization, and nearly half say their plan is informal or nonexistent. Among those that do have IR plans, only 32 percent describe their initiatives as “mature.”
These figures are concerning, especially when you consider that fifty-seven percent or organizations say the length of time to resolve cyber incidents in their organizations is lengthening, and 65 percent say the severity of the attacks they’re experiencing is increasing.
Those two statements are tightly coupled: in cybersecurity, speed is the essential factor in limiting damage. The more time attackers can spend inside a target’s network, the more they can steal and destroy. An IR plan can limit the amount of time an attacker has by ensuring responders both understand the steps they must take and have the tools and authorities to do so.
What are the Four Steps of an Incident Response Plan?
According to the National Institute of Standards and Technology (NIST), there are four key phases to IR:
- Preparation
- Detection and analysis
- Containment and eradication
- Post-incident recovery
Step #1: Preparation
No organization can spin up an effective incident response on a moment’s notice. A plan must be in place to both prevent and respond to events.
Define the IR Team
To act quickly and completely while an incident is unfolding, everyone on the IR team needs to know their responsibilities and the decisions that are theirs to make.
The IR team should include a cross section of business and technical experts with the authority to take action in support of the business. Members should include representatives from management, technical, legal, and communications disciplines, as well as security committee liaisons. All departments affected by an incident should be in the loop and everyone should have a decision matrix to guide their actions during and after the incident.
The plan should also define who is in charge and who has the authority to make certain critical decisions. Those aren’t things to figure out–let alone argue over–in the heat of the moment.
Develop and update a plan
Ensure plans and other supporting documents exist and are updated periodically to remain current. All relevant personnel should have access to the parts of the plan that pertain to their responsibilities and should be alerted when the plan is revised. There should be a feedback loop that is enacted after every significant incident in order to improve the plan continuously.
Acquire and Maintain the Proper Infrastructure and Tools
Have the capabilities to detect and investigate incidents, as well as to collect and preserve evidence. To determine if an attacker is in your environment, it’s critical that you have endpoint security technology that provides total visibility into your endpoints and collects incident data.
Without the right tools, and processes to guide their use, you’ll be ill-equipped to investigate how attackers are accessing your environment, how to mitigate an attacker’s existing access, or how to prevent future access.
Always Improve Skills and Support Training
Ensure the IR team has the appropriate skills and training. This includes exercising the IR plan from time to time. It also includes staffing the IR team, with either in-house staff or through a third-party provider, to accommodate the time away from the job necessary in order to maintain certifications and leverage other educational opportunities.
Possess Up-to-Date Threat Intelligence Capabilities
Threat intelligence capabilities help an organization understand the kinds of threats it should be prepared to respond to. Threat intelligence should integrate seamlessly into endpoint protection and use automated incident investigations to speed breach response. Automation enables a more comprehensive analysis of threats in just minutes, not hours, so an organization can outpace advanced persistent threats (APTs) with smarter responses.
Step #2. Detection & Analysis
The second phase of IR is to determine whether an incident occurred, its severity, and its type. NIST outlines five steps within this overall phase:
- Pinpoint signs of an incident (precursors and indicators): Precursors and indicators are specific signals that an incident is either about to occur, or has already occurred.
- Analyze the discovered signs: Once identified, the IR team has to determine if a precursor or indicator is part of an attack or if it is a false positive.
- Incident documentation: If the signal proves valid, the IR team must begin documenting all facts in relation to the incident and continue logging all actions taken throughout the process.
- Incident prioritization: NIST designates this step as the most critical decision point in the IR process. The IR team can’t simply prioritize incidents on a first come, first serve basis. Instead, they must score incidents on the impact it will have on the business functionality, the confidentiality of affected information, and the recoverability of the incident.
- Incident notification: After an incident has been analyzed and prioritized, the IR team should notify the appropriate departments/individuals. A thorough IR plan should already include the specific reporting requirements.
Don’t let the simplified list above fool you. The detection and analysis phase can be extremely challenging. Here are a few reasons why:
- Incidents may be detected by many means, ranging from automated detection systems to user reports. The level of fidelity and detail will vary according to how or who made the report, and some incidents are nearly impossible to detect no matter how they were reported.
- The volume of indicators of potential compromise (IOCs) can be extremely high. Some organizations may even receive millions per day. Separating the signal from the noise is a massive task.
- Analyzing incident-related data with accuracy requires deep and specialized technical knowledge, as well as a great deal of experience. Automation helps, but people are the ultimate arbiters of determining whether an incident is occurring or not. Many organizations struggle to acquire the level of expertise necessary to recognize incidents in progress.
CrowdStrike’s Falcon platform is used extensively for incident response – especially during the detection and analysis phase. Its cloud-based architecture enables significantly faster incident response and remediation times and provides remote visibility across endpoints throughout the environment, enabling instant access to the “who, what, when, where, and how” of an attack. Services like Falcon Complete streamline the detection and analysis phase by combining CrowdStrike’s endpoint security technology with the people, expertise and processes necessary to remediate an incident quickly.
Phase #3. Containment, Eradication, & Recovery
The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. Once an incident is contained, the IR team can take the time necessary to tailor its next steps. These should include taking any measures necessary to address the root cause of the incident and restore systems to normal operation.
These decisions have the potential to impact productivity, and IR teams must approach them with caution. An IR plan will ease their decision-making process by having a set of predetermined strategies and procedures for containment that are based on the organization’s level of acceptable risk.
Develop containment, eradication, and recovery strategies based on criteria such as:
- the criticality of the affected assets
- the type and severity of the incident
- the need to preserve evidence
- the importance of any affected systems to critical business processes
- the resources required to implement the strategy
At all times, these processes should be documented and evidence should be collected. There are two reasons for this: one, to learn from the attack and increase the security team’s expertise, and two, to prepare for potential litigation.
Front Lines Report
Every year our services team battles a host of new adversaries. Download the Cyber Front Lines report for analysis and pragmatic steps recommended by our services experts.
Download NowPhase #4. Post-Incident Activity
Every incident should be an opportunity to learn and improve, but many organizations give short shrift to this step. Adversaries are always evolving, and IR teams need to keep up with the latest techniques, tactics, and procedures.
A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents with the goal of improving security as a whole and incident handling in particular. In the case of major attacks, involve people from across the organization as necessary and make a particular effort to invite people whose cooperation will be needed during future incidents.
During the meeting, review:
- what happened and when
- how well the IR team performed
- whether documented procedures were followed
- whether those procedures were adequate
- what information was missing when it was needed
- what actions slowed recovery
- what could be done differently
- what can be done to prevent future incidents
- what precursors or indicators can be looked for in the future
Document the important points made during the meeting, assign action items, and follow up with an email record to those who could not attend.
The results of these meetings can become an important training tool for new hires. They can also be used to update policies and procedures and create institutional knowledge that can be useful during future incidents.
Developing an Incident Response Plan
Organizations often lack the in-house skills to develop or execute an effective plan on their own. If they are lucky enough to have a dedicated team, they are likely exhausted by floods of false positives from their automated detection systems or are too busy handling existing tasks to keep up with the latest threats.
CrowdStrike prides itself on being a leader in incident response and brings control, stability, and organization to what can become a chaotic event. CrowdStrike works closely with organizations to develop IR plans tailored to their team’s structure and capabilities.
Through this guidance, we help companies improve their incident response operations by standardizing and streamlining the process. We’ll also analyze an organization’s existing plans and capabilities, then work with their team to develop standard operating procedure “playbooks” to guide your activities during incident response. Lastly, our services team can help battle-test your playbooks with exercises like penetration testing, red team blue team exercises, and adversary emulation scenarios.
Learn how CrowdStrike can help you respond to incidents faster and more effectively: