What is incident response?

The goal of incident response is to prevent cyberattacks before they happen and minimize the cost and business disruption resulting from any cyberattacks that occur. Incident response is the technical portion of incident management, which also includes executive, HR and legal management of a serious incident.

Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies how different types of cyberattacks should be identified, contained and resolved.

An effective incident response plan can help cyber incident response teams detect and contain cyberthreats, restore affected systems and reduce lost revenue, regulatory fines and other costs.

IBM’s Cost of a Data Breach Report found that having an incident response team and formal incident response plans enables organizations to reduce the cost of a breach by almost half a million US dollars (USD 473,706) on average.

A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity or availability of an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to unintentional violations of IT security policy by legitimate authorized users.

Some of the most common security incidents include:

Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked, or worse, unless the victim pays a ransom. The latest X-Force Threat Intelligence Index from IBM reports that 20% of network attacks used ransomware and that extortion-based attacks are a driving force in cybercrime, only surpassed by data theft and leaks.

Phishing attacks are digital or voice messages that try to manipulate recipients to share sensitive information, download malicious software, transfer money or assets to the wrong people or take some other damaging action.

Attackers craft phishing messages to look or sound as if they come from a trusted or credible organization or individual, sometimes even an individual the recipient knows personally.

Phishing and stolen or compromised credentials are the two most prevalent attack vectors, according to the IBM Cost of a Data Breach report. Phishing is also the most common form of social engineering, a class of attack that hacks human nature rather than digital security vulnerabilities to gain unauthorized access to sensitive personal or enterprise data or assets.

In a distributed denial-of-service (DDoS) attack, hackers gain control of large numbers of computers and use them to overwhelm a target organization’s network or servers with bogus traffic, making those resources unavailable to legitimate users.

Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors. For example, this could include stealing sensitive data from a supplier’s systems or using a vendor’s services to distribute malware.

There are two types of insider threats. Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices by, say, using weak passwords or storing sensitive data in insecure places.

These involve an attacker who first gains limited privileges in a system and uses those to move laterally, receiving higher privileges and gaining access to more sensitive data along the way.

Stolen credentials can help the attacker with either the initial entry or boosting their privileges. According to the X-Force Threat Intelligence Index, the abuse of valid accounts is the most common way that attackers breach systems today.

In an MITM attack, the threat actor intercepts a communication, often an email containing sensitive information such as usernames or passwords, and either steals or alters that communication. The attacker either uses the stolen information directly or injects malware to be forwarded to the intended recipient.

An organization’s incident handling efforts are normally guided by an incident response plan. Typically, plans are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization.

The CSIRT team might include the chief information security officer (CISO), security operations center (SOC), security analysts and IT staff. It may also include representatives from executive leadership, legal, human resources, regulatory compliance, risk management and possibly third-party experts from service providers.

The Cost of a Data Breach Report notes that, “By investing in response preparedness, organizations can help reduce the costly, disruptive effects of data breaches, support operational continuity and help preserve their relationships with customers, partners and other key stakeholders.”

An incident response plan usually includes:

•  An incident response playbook including the roles and responsibilities of each member of the CSIRT throughout the incident response lifecycle.

• The security solutions, software, hardware and other technologies, installed across the enterprise.

• A business continuity plan outlining procedures for restoring critical systems and data as quickly as possible if there’s an outage.

• An incident response methodology that details the specific steps to be taken at each phase of the incident response process, and by whom.

• A communications plan for informing company leaders, employees, customers and law enforcement about incidents.

• Instructions for collecting and documenting information about incidents for postmortem review and (if necessary) legal proceedings.

The CSIRT might draft different incident response plans for different types of incidents, as each type might require a unique response. Many organizations have specific incident response plans pertaining to DDoS attacks, malware, ransomware, phishing and insider threats.

Having incident response plans that are customized to an organization’s environment, or environments, is key to reducing the time to respond, remediate and recover from an attack.

Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer and assist with various aspects of the overall incident management process, including preparing and executing incident response plans.

Most incident response plans follow the same general incident response framework based on models developed by the National Institute of Standards and Technology (NIST)¹ and SANS Institute². Common incident response steps include:

This first phase of incident response is also a continuous one. The CSIRT selects the best possible procedures, tools and techniques to respond, identify, contain and recover from an incident as quickly as possible and with minimal business disruption.

Through regular risk assessment, the CSIRT identifies the business environment to be protected, the potential network vulnerabilities and the various types of security incidents that pose a risk to the network. The team prioritizes each type of incident according to its potential impact on the organization.

The CSIRT might “wargame” several different attack strategies and then create templates of the most effective responses to speed action during a real attack. Response time might be tracked to establish metrics for future exercises and possible attacks. Based on a complete risk assessment, the CSIRT might update existing incident response plans or draft new ones.

During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications and alerts gathered from device logs and various security tools (antivirus software, firewalls) to identify incidents in progress. The team works to filter false positives from real incidents, triaging the actual alerts in order of severity.

Today, most organizations use one or more security solutions, such as security information and event management (SIEM) and endpoint detection and response (EDR), to monitor security events in real time and automate response efforts. (See the “Incident response technologies” section for more.)

The communication plan also comes into play during this phase. When the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel and then move to the next stage of the incident response process.

The incident response team takes steps to stop the breach or other malicious activity from doing further damage to the network. The emergency incident response plans then go into action. There are two categories of containment activities:

• Short-term mitigation measures focus on preventing the current threat from spreading by isolating the affected systems, such as by taking infected devices offline.

• Long-term containment measures focus on protecting unaffected systems by placing stronger security controls around them, such as segmenting sensitive databases from the rest of the network.

At this stage, the CSIRT might also create backups of affected and unaffected systems to prevent additional data loss and capture forensic evidence of the incident for future study.

After the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This could include removal of malware or booting an unauthorized or rogue user from the network. The team also reviews both affected and unaffected systems to help ensure that no traces of the breach are left behind.

When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This remediation might involve deploying patches, rebuilding systems from backups and bringing systems and devices back online. A record of the attack and its resolution are retained for analysis and system improvements.

Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident and gather “lessons learned.” The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't reoccur.

The CSIRT also reviews what went well and looks for opportunities to improve systems, tools and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement might also be involved in the post-incident investigation.

In addition to describing the steps CSIRTs should take during a security incident, incident response plans typically outline the security solutions that incident response teams should use to implement or automate key workflows, such as gathering and correlating security data, detecting incidents in real-time and responding to in-progress attacks.

Some of the most commonly used incident response technologies include:

ASM solutions automate the continuous discovery, analysis, remediation and monitoring of vulnerabilities and potential attack vectors across all the assets in an organization's attack surface. ASM can uncover previously unmonitored network assets and map relationships between assets.

EDR is software designed to automatically protect an organization's users, endpoint devices and IT assets against cyberthreats that get past antivirus software and other traditional endpoint security tools.

EDR collects data continuously from all endpoints on the network. It also analyzes the data in real time for evidence of known or suspected cyberthreats and can respond automatically to prevent or minimize damage from the threats it identifies.

SIEM aggregates and correlates security event data from disparate internal security tools (for example firewalls, vulnerability scanners and threat intelligence feeds) and from devices on the network.

SIEM can help incident response teams fight “alert fatigue” by distinguishing indicators of actual threats from the huge volume of notifications that security tools generate.

SOAR enables security teams to define playbooks, formalized workflows that coordinate different security operations and tools in response to security incidents. SOAR platforms can also automate portions of these workflows where possible.

UEBA uses behavioral analytics, machine learning algorithms and automation to identify abnormal and potentially dangerous user and device behavior.

UEBA is effective at identifying insider threats, malicious insiders or hackers that use compromised insider credentials, that can elude other security tools because they mimic authorized network traffic. UEBA functions are often included in SIEM, EDR and XDR solutions.

XDR is a cybersecurity technology that unifies security tools, control points, data and telemetry sources and analytics across the hybrid IT environment. XDR creates a single, central enterprise system for threat prevention, detection and response. XDR can help overextended security teams and SOCs do more with less by eliminating silos between security tools and automating responses across the entire cyberthreat kill chain.

Artificial intelligence (AI) can help organizations mount a stronger defense against cyberthreats, just as data thieves and hackers are using AI to empower their attacks.

The cost savings of using added AI protection can be significant. According to the IBM Cost of a Data Breach Report, organizations that use AI-powered security solutions can save as much as USD 2.2 million in breach costs.

Enterprise-grade, AI-powered security systems can improve incident response capabilities through:

AI-powered systems can accelerate threat detection and mitigation by monitoring enormous volumes of data to speed the search for suspicious traffic patterns or user behaviors.

AI-powered systems can support more proactive incident response processes by providing real-time insights to the cybersecurity team, automating incident triage, coordinating defenses against cyberthreats and even isolating systems under attack.

AI-powered risk analysis can produce incident summaries to speed alert investigations and help find the root cause for a failure. These incident summaries can help forecast which threats are most likely to occur in the future so the incident response team can fine-tune a stronger plan to meet those threats.