Incident Response - Know What You Don't

By Haseeb Awan

The COVID-19 pandemic and businesses' rapid shift to remote work in 2020 gave threat actors many opportunities to execute damaging cyberattacks. According to statistics, remote employees have been responsible for security vulnerabilities in 20% of enterprises. Since the pandemic began, ransomware has accounted for over one-third of cyber incident response cases in 2020. Another analysis called 2020 the "worst year in history" because nearly 3000 publicly announced security breaches exposed an incredible 44+ billion records.

Security breaches will occur. However, how a business reacts to an incident strongly influences its final effects. Companies must take the necessary precautions to reduce their susceptibility and lessen the impact of an incident on their data and, eventually, on their reputation and revenue. Incident response (IR) can change the game by helping organizations prepare for and defend against potential threats. When thinking about Incident Response Plans, we need to consider the following questions:

  • What exactly is incident response, and why is it crucial?
  • What are the four phases of incident response?
  • What is an incident response plan, and what are its primary actions?

We will address each of those crucial details in this comprehensive guide. Additionally, we'll discuss small business incident response strategies and provide examples of flowcharts for these plans.

Let's begin with the most fundamental issue: What exactly is incident response?

What is Incident Response?

"Incident Response" (IR) includes more than simply reacting to a security incident. IR is a proactive, reactive, systematic, and preventative discipline that allows businesses to identify, plan for, and recover from cybersecurity issues. It covers both planning and execution, and enables businesses to react to an incident in a planned and efficient way that lessens its effects and safeguards their assets, reputation, and financial well-being. An IR program strengthens the company's continual risk analysis and incident management process. It enables legal teams to understand the relevant notification and reporting obligations under security breach regulations and supports documentation, knowledge-sharing, and litigation.

Why is Incident Response Crucial?

Failing to implement an IR Plan (IRP) can be catastrophic. The company's security strategy is weakened, which leaves it more exposed to the adverse operational, financial, and legal effects of attacks. Its bottom line, continuity planning, and long-term viability may all be negatively impacted if its insurance claims are not accepted.

However, formal IRPs are rare in most businesses. IBM discovered that although firms implementing an IRP saw reduced business disruption and improved cybersecurity, 51% only have a loosely structured or ad hoc strategy. The good news is that enterprises with IRPs experience security breaches that cost roughly $1.2 million less than those experienced by enterprises without such measures.

It takes an average of 280 days for many cybersecurity incidents to be discovered, which presents serious operational difficulties for businesses. A structured IRP with specific metrics can help resolve these issues promptly and lessen their effects, since it emphasizes anticipation, speed, agility, and adaptation.

What Are the Four Phases of Incident Response?

The Incident Response Life Cycle developed by NIST provides a clear explanation of the four incident response phases.

Preparation

Incidents cannot be handled adequately, let alone prevented, on the spur of the moment. So, planning while building IR capacity and securing the company's networks, systems, and applications is essential. You should do all of the following in advance:

  • Build an IR team, spell out each member's duties, and specify how they will make decisions.
  • Establish several channels for communication and collaboration, including tools, programs, and incident evaluation resources.
  • Prepare a jump kit with the resources required during an inquiry to enable quicker answers.
  • Periodically evaluate the risks associated with applications and systems.
  • Harden hosts using industry-standard configurations and the "least privilege" approach.
  • Configure the network perimeter to deny any unauthorized activity.
  • Deploy anti-malware solutions at the host, application client, and application server levels.
  • Provide awareness training so that users understand the proper use of applications, networks, and systems.

Detection and Analysis

The second stage determines whether a security incident took place and analyzes its kind and severity. NIST provides the following steps:

  • Determine the most common attack vectors to establish specific handling procedures for each.
  • Identify current signs (indicators) and potential signs (precursors) of an incident to ascertain the issue's nature, scope, and severity, and to filter out false alarms.
  • Analyze and validate incidents to identify their scope, their source, and the likely attack.
  • Document and timestamp all events, including the critical systems affected, communications, and observed file modifications.
  • Set incident priorities based on pertinent incident-specific factors, such as:
      • Information impact
      • Functional impact
      • The type of resources affected
      • Size
  • Inform the necessary parties so they can carry out their particular duties and responsibilities.

This stage may be difficult for a variety of reasons. First, there are numerous ways to detect incidents, which keeps the detection method quite complicated. Second, some incidents are almost impossible to find. Third, it is challenging to distinguish real problems from "noise" because of the enormous volume of indicators of compromise (IOCs). Finally, even with technology, incident assessment is a human-dependent activity, so a shortage of experienced staff can compromise the company's detection and analysis capacity.

Containment, Eradication, and Recovery

The objective is to reduce the impact of a security incident before it depletes assets or causes excessive harm. But it's essential to plan out strategy and tactics in advance. Furthermore, it's critical to establish containment techniques based on parameters and tolerable risks, such as:

  • Impact on asset value and business
  • Possible damage to resources
  • Need to preserve evidence and respect the order of volatility
  • Service continuity
  • Resources and execution time needed for the strategy

Other essential measures include:

  • Gathering, managing, and preserving evidence: To resolve the incident and support (potential) legal proceedings.
  • Identifying the attacking host(s): By validating the attacker's IP address, consulting incident databases, and monitoring possible attacker communication channels.
  • Eradication and recovery: By locating all affected hosts and exploited vulnerabilities and removing incident components (e.g., malware).
  • Restoring normal operations: By remediating weaknesses to prevent similar incidents from recurring.

Post-Incident Activity

Cybersecurity incidents cost businesses $3.86 million on average (IBM), but they also bring growth opportunities. For this reason, NIST advises that every IR program should include a "lessons learned" component, based on post-incident meetings and follow-up analyses, that produces a set of valuable data, such as:

  • Time spent per incident
  • Incident count
  • Subjective assessment of outcomes and performance
  • Objective assessment via reports, forms, logs, etc.

These measures can assist in risk analysis, adopting new safeguards, and enhancing security protocols and incident response procedures.

What Are the Five Stages of Incident Response?

The five incident response stages according to this model are:

  1. Planning: Create IR policies and procedures, run cyber hunting drills, evaluate threat recognition capacity, and integrate threat intelligence streams.
  2. Detection and Reporting: Detecting security incidents, generating tickets, and reporting issues.
  3. Triage and analysis: Gather information from devices and systems for additional examination.
  4. Neutralization and Containment: Neutralize the threat, restore systems, and resume normal operations.
  5. Post-incident Activity: Document all details to help stop similar incidents in the future.

What is an Organization's Incident Response Plan, and What are its Primary Actions?

Incident Response Plan

An IR plan is a collection of specified guidelines that outlines the actions to be followed across the various incident response stages. It needs to include the IR team's responsibilities and duties, communication strategies, and systematic response methods.

Your IRP needs to be in simple, unambiguous language. The following are three frequently misunderstood terms found in IRPs.

Event: An event is any routine change in a device, system, or process. All log entries are considered events. Examples include a router admin logging in and a firewall policy being updated.

Alert: An alert is a critical message issued to responsible parties so they can take action in response to a suspicious event or set of events. Repeated failed attempts to log into an account and a connection from an unknown IP address are two examples of alerts.

Incident: An incident is a circumstance that adversely impacts a company's operations. An incident typically begins when an analyst or system escalates an alert to an incident. An attacker publicly posting company data is one example.
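The event, alert, and incident definitions above, together with the prioritization factors listed under Detection and Analysis, can be expressed as a small triage pipeline. The following Python script is an added example, not code from the article: the log lines, address ranges, threshold, and asset criticality table are all constructed for illustration.

```python
"""Constructed example: log events -> alerts -> prioritized incidents."""
import re
from collections import defaultdict

# Constructed log lines: every line is an event, and most are routine
# (e.g. the router admin login on rtr1 never becomes an alert).
SAMPLE_LOGS = """\
2024-05-01T09:00:01 auth host=vpn1 user=alice result=success src=10.0.0.5
2024-05-01T09:00:12 auth host=vpn1 user=bob result=failure src=203.0.113.7
2024-05-01T09:00:15 auth host=vpn1 user=bob result=failure src=203.0.113.7
2024-05-01T09:00:19 auth host=vpn1 user=bob result=failure src=203.0.113.7
2024-05-01T09:00:23 auth host=vpn1 user=bob result=failure src=203.0.113.7
2024-05-01T09:01:00 admin host=rtr1 user=carol action=login src=10.0.0.9
2024-05-01T09:02:30 conn host=db1 user=- action=connect src=198.51.100.4
"""
KNOWN_PREFIXES = ("10.0.0.",)      # assumed internal address space
FAILED_LOGIN_THRESHOLD = 3         # assumed tuning value
CRITICALITY = {"db1": "high", "vpn1": "medium", "rtr1": "medium"}  # functional impact
DATA_STORES = {"db1"}              # touching one raises information impact
SCORE = {"low": 1, "medium": 2, "high": 3}
LINE_RE = re.compile(r"(\S+) (\S+) host=(\S+) user=(\S+) (?:result|action)=(\S+) src=(\S+)")

def parse_events(text):
    """Turn each log line into an event dict; unparseable lines are skipped."""
    fields = ("ts", "kind", "host", "user", "outcome", "src")
    return [dict(zip(fields, m.groups())) for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_alerts(events):
    """Alerts: N failed logins for one account/source, or a connection from an unknown source."""
    alerts, failures, seen_unknown = [], defaultdict(int), set()
    for e in events:
        if not e["src"].startswith(KNOWN_PREFIXES) and (e["src"], e["host"]) not in seen_unknown:
            seen_unknown.add((e["src"], e["host"]))          # alert once per source/host pair
            alerts.append({"rule": "unknown_source", **e})
        if e["kind"] == "auth" and e["outcome"] == "failure":
            failures[(e["user"], e["src"])] += 1
            if failures[(e["user"], e["src"])] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"rule": "repeated_failed_login", **e})
    return alerts

def prioritize(alert):
    """Combine functional impact (asset criticality) and information impact (data store touched)."""
    functional = CRITICALITY.get(alert["host"], "low")
    information = "high" if alert["host"] in DATA_STORES else "low"
    total = SCORE[functional] + SCORE[information]
    return "P1" if total >= 5 else ("P2" if total >= 3 else "P3")

def triage(text):
    """Full pipeline: events -> alerts -> incident tuples, highest priority first."""
    incidents = [(prioritize(a), a["rule"], a["host"], a["src"]) for a in detect_alerts(parse_events(text))]
    return sorted(incidents)

if __name__ == "__main__":
    for incident in triage(SAMPLE_LOGS):
        print(incident)
```

Seven events yield three alerts; the unknown connection to the database outranks the brute-force attempts against the VPN because both impact factors score high.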

Incident Response Plan Elements

An incident response plan contains the following elements:

  • IR strategy adopted by the organization
  • How IR contributes to the company's mission, goals, and vision
  • IR activities and phases
  • Roles and duties for personnel, an adequately defined hierarchy of command, and support from top management
  • Prioritization of activities and resources based on the vulnerabilities involved, the amount of data exfiltrated, and the criticality of the compromised infrastructure components
  • Essential parameters to measure the IR program's effectiveness, success, and capabilities
  • How IR staff and stakeholders (internal and external) communicate with one another
  • How the company will incorporate the lessons it learns

A purpose-built IR policy that identifies components such as:

  • Objectives, scope and purpose
  • Security incident definition
  • Management commitment statement
  • Definitions of duties, obligations, and levels of power
  • Requirements for communications, reporting, and information sharing
  • IR process escalation and handoff points
  • Performance measures
  • Incident prioritization

The organization must create Standard Operating Procedures (SOPs) based on the IR strategy and plan. They should be tested to confirm their effectiveness and must describe the procedures, methods, checklists, etc., that the team employs. SOP training helps ensure that security issues are managed effectively and with little disruption to business operations.

Steps in an Incident Response Plan

An effective IR plan can be created using the following seven steps:

  1. Utilize triage drills and playbooks to get ready for probable incidents.
  2. To prevent the threat from spreading, disconnect the infected devices.
  3. Begin with the first affected device to determine the magnitude and scope of an event.
  4. Eliminate dangers by updating hardware, neutralizing malware, deactivating hacked accounts, etc.
  5. Restore and recover the company's operations to normal
  6. Keep track of your learnings to avoid repeating mistakes.
  7. Educate staff on how to respond to incidents

Incident Response Plan for Small Companies

Smaller companies must have an incident response strategy in place, especially in the post-COVID era, as it will enable them to respond to security incidents with the least expense and possible harm.

The procedures for developing an incident response strategy for small enterprises are as follows:

  • Determine any security events that might affect the company.
  • Decide how to respond to each situation.
  • Determine the persons in charge of handling events.
  • Establish channels for external and internal communication
  • Compile these data to produce a complete plan.
  • Practice responding to incidents
  • Adapt the strategy as necessary

Incident Response Team

The primary objective of the IR team is to ensure that every security issue receives the appropriate response. It ought to have specialized subteams, each with a specific task. These consist of the following:

  • Security Operations Center (SOC): The first line of defence for prioritizing security alerts
  • Incident Manager: Coordinates with the various stakeholders to decide on the incident response and course of action
  • Computer Incident Response Team (CIRT): Provides expert technical advice
  • Threat Intelligence Team: Continuously evaluates the cyber threat landscape and improves the enterprise's security posture

Who Handles Incident Response?

A company's Incident Response Team is in charge of handling incidents within the company. Investigating security issues and ensuring the proper solution is put in place are the primary objectives of the IR team. It ought to have specialized sub-teams, each with a distinct function. These consist of the following:

  • The first line of defence for prioritizing security warnings is the Security Operations Center (SOC).
  • Incident Manager: Works with the various stakeholders to define the incident response and action plan.
  • Computer Incident Response Team (CIRT): To offer knowledgeable technical advice
  • Threat Intelligence Team: To continuously evaluate the cyber incident environment and improve the enterprise security profile

The team may include representatives from the human resources, legal, and public affairs teams in addition to the above functions.

The terms Computer Emergency Response Team (CERT), Cyber Incident Response Team (CIRT), and Computer Security Incident Response Team (CSIRT) are also used to refer to IR teams.
