What is Incident Response?
When a security team detects a threat, it's essential that the organization is ready for what comes next. That requires a tightly coordinated incident response plan (IRP): a defined sequence of actions and events, each assigned to specific stakeholders on a dedicated IR team.
Some businesses may have their own in-house team, some may outsource their incident response services, while others might take a hybrid approach where they outsource technical analysis but manage the rest of the IRP in-house. Either way, this team should have trained and planned for these IR events well before any trouble. A well-coordinated IR effort should always include:
- High-level incident management and coordination
- Technical analysis of the incident
- Incident scoping to determine who or what was affected
- Crisis communications to ensure information is released in a coordinated and beneficial manner
- Legal response to determine any implications and prepare any needed response or action
- Remediation and mitigation recommendations and actions to ensure a smooth recovery
Who are the Key Players on an Incident Response Team?
The key players on an IR team should tailor their actions to the unique circumstances of each breach. Security organizations should identify specific individuals or teams for the following core functions:
- Incident management: This central role requires extensive technical knowledge and prior experience in management and IR. The person in this role acts as an overall project manager to oversee technical task completion, as well as information gathering for all involved stakeholders.
- Enterprise incident investigation: This is where the challenges faced by a large enterprise differ from those of smaller organizations. A large breach at a bigger organization requires leveraging technologies and partnerships across teams to quickly perform forensics across hosts (even remote ones), so that the team can identify indicators of compromise, and the potential scope, as quickly as possible.
- Technical analysis: These roles require technical know-how, and it's best to have analysts on the team who specialize in specific areas, such as malware analysis, forensics analysis, event log analysis, and network analysis. Any information these analysts find should be shared with the rest of the IR team.
- Incident scoping: What was the extent of the breach? That's a crucial question any IR team will need to answer. The answer may change over the course of the response and investigation, especially as technical analysis continues.
- Crisis communications: Sharing the findings of the investigation, as well as the scope and potential outcomes, will need to happen both internally and externally. An experienced crisis communications team should communicate the right details to the right audiences. Their responsibilities may include breach notifications, regulatory notifications, employee and/or victim notifications, and press briefings, if needed.
- Legal, human resources, and regulatory concerns: If a breach has any regulatory or compliance considerations, it’s important to have someone on the team with knowledge of how to navigate disclosure requirements or work with law enforcement groups, such as a government representative. For teams that do not have in-house expertise for these requirements, specialized legal expertise on retainer is a worthwhile investment.
- Executive decision making: Any breach can potentially affect an organization's public image and financial standing, which is why executive leadership should always be involved. There will be crucial decision points over the course of an IR and investigation, and the team will need executive input on how to proceed at these crucial junctures.
- Reporting and remediation: While working on IR, it is important to document everything. With this information, teams should be able to piece together an entire story for the breach: what the attackers did, when and how they did it, and what they managed to compromise. This will make it possible to create a detailed response plan for remediation and mitigation recommendations to recover from the breach, and hopefully help the organization defend against any future attacks that are similar in nature.
What is an Incident Response Plan?
An IR plan delineates what steps need to be taken, and by whom, when a breach or security crisis occurs in an organization. A robust response plan should empower teams to leap into action and mitigate damage as quickly as possible. Every moment counts. That’s why emergency incident responders go through regular training simulations and process reviews, so when a situation arises they know how to act almost by muscle memory.
To prevent slow responses from occurring in your organization, responders should have a carefully mapped IR plan, rehearsed regularly for a variety of possible scenarios. Buy-in from key organizational stakeholders and C-level executives is also critical, so your team knows the support is in place for them to act quickly and efficiently.
After all, when a security incident occurs, it’s not just technical teams that need to act; non-technical resources – such as legal and communications – as well as outside parties will need to be involved, especially if you partner with a security service provider.
What are Managed Incident Response Services?
Managed IR services are provided by an external vendor and are intended to help organizations of any maturity, size, and skillset better prepare for and manage a breach. These managed services providers can help address strategic and tactical gaps by:
- Developing robust security programs: If you're unsure whether your incident detection program covers all contingencies relevant to your organization, managed IR services can help you improve your readiness for incidents and breaches.
- Conducting tabletop exercises: Put your internal IR team through their paces and verify their readiness with threat simulation exercises conducted by the provider.
- Conducting compromise and/or breach readiness assessments: An external IR team can assess the current state of your organization's environment and security processes, and identify any potential risks or gaps.
- Providing immediate breach remediation: If you suspect you're being breached and need immediate help, a managed services provider can jump into action to help stop further damage.
- Offering incident response retainers: A retainer ensures your team and the provider's teams are aligned to a plan and everyone is ready to go in case of a breach. Many retainers will include several of the services named above, and they will often guarantee a certain service level agreement on their response times.
It may sound repetitive, but the worst time to prepare for a breach is after it has happened. Having a robust IR plan in place, and ensuring it has been communicated to all stakeholders, is the best way to prepare for a worst-case scenario.
The Post-Mortem
After successfully responding to an incident, it's not time to rest just yet. The internal IR team should conduct a post-mortem to learn from the experience and fine-tune response preparedness.
What worked, what didn't work, and what could work better or faster? There's no better teacher than experience, so it's important to glean as many lessons as possible from responding to an actual incident.
Read More on Incident Response
Prepare for Battle: Let's Build an Incident Response Plan (Part 1)
Prepare for Battle: Let's Build an Incident Response Plan (Part 2)
Incident Response News: Latest Rapid7 Blog Posts