Incident Response

In cybersecurity, incident response refers to the tools and techniques through which an organization detects, analyzes, and remediates cyberattacks. Incident response typically includes multiple stakeholders, including IT, security, corporate communications, finance, and legal. The core goal of incident response is twofold.

First, it aims to minimize the impact of disruptive cyber events by detecting and repelling threat actors before they fulfill their objectives—or, failing that, by ensuring that an organization is resilient enough to avoid lasting damage from an attack. An incident response program also analyzes each disruptive event to determine how an organization might prevent similar incidents in the future.

Picture two organizations targeted by the same strain of ransomware.

The first organization has a clear strategy for dealing with the threat. Its security team immediately isolates infected systems, identifies the ransomware strain, then determines whether those systems should be sanitized or wiped entirely. The attack is resolved almost as soon as it begins, and the company immediately communicates what transpired to customers and stakeholders.

After the attack, the organization examines what transpired and applies what it learned to improve its security.

Lacking an incident response plan, the second organization takes considerably longer to mobilize and respond to the threat. As a result, the ransomware has the opportunity to spread through significantly more of its infrastructure, locking down multiple business-critical systems in the process. Communication with stakeholders—if it occurs at all—is vague and inconsistent.

These examples make it clear why you need an incident response plan. Without one, whether or not your team can respond efficiently and effectively to a cyberattack is primarily a matter of luck. Given the lasting impact these incidents can have on your business’s reputation, that’s a risk you cannot afford to take.

Put another way, an incident response plan helps your organization minimize reputational and financial damage, comply more effectively with industry regulations, decrease its incident response time, and improve its overall security posture.

Incident response is part of incident management, though many organizations use the terms interchangeably. The primary difference between the two is that incident management has a broader and more strategic focus. Incident response, on the other hand, is more technical and immediate, focused on directly addressing a cyberattack as it happens.

An incident management strategy typically covers the following:

• Preparing management and response plans before cyber incidents
• Overseeing incident response efforts during disruptive events
• Calling on third-party expertise as necessary
• Managing crisis communication channels and plans
• Defining the chain of command that should be followed in an incident
• Post-incident forensics and follow-up

Incident response, on the other hand, encompasses the following:

• Monitoring and initial identification of a potential cyberattack
• Notifying relevant personnel of the incident—either internally, via an MSSP, or through an automated threat detection platform
• Determining an attack’s specific nature and objective and the most effective way to shut it down
• Restoring any compromised systems and data from backups

• Ensure your incident response plan is clearly defined and flexible enough to adapt to unexpected cyber events
• IR documentation should be readily available to all personnel and lay out all policies, strategies, and processes
• Deploy IR tools wholly isolated from your business’s ecosystem and regularly test them for efficacy
• Incorporate incident response training and preparedness into organizational culture

• Maintain consistent, real-time visibility into your attack surface through solutions such as Extended Detection and Response (XDR)
• Proactively hunt down threats and vulnerabilities within your ecosystem
• Embrace Zero Trust Network Access (ZTNA) along with some form of intrusion detection and prevention

• Leverage technology such as advanced Endpoint Protection Platforms (EPPs) that can swiftly and effectively identify and isolate threats
• Ensure every system, asset, and device can be swiftly air-gapped from your ecosystem
• Maintain comprehensive logfiles for potential use as digital forensics

• Sanitize or wipe clean all infected systems
• Before you restore from backup, make absolutely certain your backups don’t contain the just-eliminated threat 
• Lock down any potential avenues through which a threat actor might regain access to your organization

• As you restore operations, continue to monitor, test, and validate all assets and data for signs of compromise
• Set a realistic roadmap for full recovery; communicate this to your stakeholders with the potential short- and long-term impacts

• Review the entire incident to answer the following questions:
  • What happened?
  • How did it happen?
  • How can we prevent this from happening in the future?
• Evaluate the effectiveness of your incident response plan and identify any potential areas that may be improved for future incidents