Incident response (sometimes called cybersecurity incident response) refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches or cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.
Ideally, an organization defines incident response processes and technologies in a formal incident response plan (IRP) that specifies exactly how different types of cyberattacks should be identified, contained, and resolved. An effective incident response plan can help cybersecurity teams detect and contain cyberthreats and restore affected systems faster, and reduce the lost revenue, regulatory fines and other costs associated with these threats. IBM’s Cost of a Data Breach 2022 Report found that organizations with incident response teams and regularly tested incident response plans had an average data breach cost USD 2.66 million lower than that of organizations without incident response teams and IRPs.
A security incident, or security event, is any digital or physical breach that threatens the confidentiality, integrity or availability of an organization’s information systems or sensitive data. Security incidents can range from intentional cyberattacks by hackers or unauthorized users, to unintentional violations of security policy by legitimate authorized users.
Some of the most common security incidents include:
Ransomware. Ransomware is a type of malicious software, or malware, that locks up a victim's data or computing device and threatens to keep it locked—or worse—unless the victim pays the attacker a ransom. According to IBM's Cost of a Data Breach 2022 report, ransomware attacks rose by 41 percent between 2021 and 2022.
Phishing and social engineering. Phishing attacks are digital or voice messages that try to manipulate recipients into sharing sensitive information, downloading malicious software, transferring money or assets to the wrong people, or taking some other damaging action. Scammers craft phishing messages to look or sound like they come from a trusted or credible organization or individual—sometimes even an individual the recipient knows personally.
Phishing is the most costly and second most common cause of data breaches, according to IBM's Cost of a Data Breach 2022 report. It’s also the most common form of social engineering—a class of attack that hacks human nature, rather than digital security vulnerabilities, to gain unauthorized access to sensitive personal or enterprise data or assets.
DDoS attacks. In a distributed denial-of-service (DDoS) attack, hackers gain remote control of large numbers of computers and use them to overwhelm a target organization’s network or servers with traffic, making those resources unavailable to legitimate users.
Supply chain attacks. Supply chain attacks are cyberattacks that infiltrate a target organization by attacking its vendors—e.g., by stealing sensitive data from a supplier’s systems, or by using a vendor’s services to distribute malware. In July 2021, cybercriminals took advantage of a flaw in Kaseya's VSA platform (link resides outside ibm.com) to spread ransomware to customers under the guise of a legitimate software update. Even though supply chain attacks are increasing in frequency, only 32 percent of organizations have incident response plans prepared for this particular cyber threat, according to IBM's 2021 Cyber Resilient Organization Study.
Insider threats. There are two types of insider threats. Malicious insiders are employees, partners or other authorized users who intentionally compromise an organization’s information security. Negligent insiders are authorized users who unintentionally compromise security by failing to follow security best practices—by, say, using weak passwords, or storing sensitive data in insecure places.
Incident response planning
As noted above, an organization’s incident response efforts are guided by an incident response plan. Typically these are created and executed by a computer security incident response team (CSIRT) made up of stakeholders from across the organization—the chief information security officer (CISO), security operations center (SOC) and IT staff, but also representatives from executive leadership, legal, human resources, regulatory compliance and risk management.
An incident response plan usually includes
It’s not uncommon for the CSIRT to draft different incident response plans for different types of incidents, as each type may require a unique response. According to IBM's 2021 Cyber Resilient Organization Study, most organizations have specific incident response plans pertaining to DDoS attacks, malware and ransomware, and phishing, and nearly half have plans for insider threats.
Some organizations supplement in-house CSIRTs with external partners providing incident response services. These partners often work on retainer and assist with various aspects of the incident management process, including preparing and executing IRPs.
The incident response process
Most IRPs follow the same general incident response framework, based on incident response models developed by the SANS Institute, the National Institute of Standards and Technology (NIST), and the Cybersecurity and Infrastructure Security Agency (CISA).
Preparation. This first phase of incident response is also a continuous one, to make sure that the CSIRT always has the best possible procedures and tools in place to identify, contain and recover from an incident as quickly as possible and with minimal business disruption.
Through regular risk assessment the CSIRT identifies network vulnerabilities, defines the various types of security incidents that pose a risk to the network, and prioritizes each type according to its potential impact on the organization. Based on this risk assessment, the CSIRT may update existing incident response plans or draft new ones.
Detection and Analysis. During this phase, security team members monitor the network for suspicious activity and potential threats. They analyze data, notifications and alerts gathered from device logs and from various security tools (antivirus software, firewalls) installed on the network, filtering out the false positives and triaging the actual alerts in order of severity.
Today, most organizations use one or more security solutions—such as SIEM (security information and event management) and EDR (endpoint detection and response)—to help security teams monitor and analyze security events in real time, and automate incident detection and response processes. (See “Incident response technologies,” below for more.)
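The filtering and triage step described above, as an added example that is not part of the original article and not IBM's own tooling: a small Python alert-triage pipeline that reads SIEM-style JSON alert lines (the sample lines, the benign-scanner allowlist, the per-rule severity weights and the escalation thresholds are all constructed assumptions), drops alerts from a known authorized scanner, collapses duplicate alerts, scores each by severity and maps the score to who the communication plan says should be notified.

```python
import json

# Constructed sample alerts in a SIEM-style JSON-lines format (not real data).
SAMPLE_ALERTS = """\
{"ts": "2024-05-01T08:00:01Z", "source": "edr", "rule": "ransomware_note_written", "host": "fin-ws-07", "src_ip": "10.1.4.23", "user": "jdoe"}
{"ts": "2024-05-01T08:00:05Z", "source": "firewall", "rule": "port_scan", "host": "fw-edge", "src_ip": "10.0.0.5", "user": ""}
{"ts": "2024-05-01T08:01:10Z", "source": "antivirus", "rule": "malware_detected", "host": "hr-ws-02", "src_ip": "10.1.7.9", "user": "asmith"}
{"ts": "2024-05-01T08:01:12Z", "source": "antivirus", "rule": "malware_detected", "host": "hr-ws-02", "src_ip": "10.1.7.9", "user": "asmith"}
{"ts": "2024-05-01T08:02:00Z", "source": "mail", "rule": "phishing_link_clicked", "host": "mail-gw", "src_ip": "10.1.9.40", "user": "bwong"}
{"ts": "2024-05-01T08:03:30Z", "source": "firewall", "rule": "port_scan", "host": "fw-edge", "src_ip": "198.51.100.77", "user": ""}
{"ts": "2024-05-01T08:04:00Z", "source": "auth", "rule": "login_failed", "host": "vpn-01", "src_ip": "203.0.113.8", "user": "svc-backup"}
"""

# Assumed allowlist: the organization's own authorized vulnerability scanner,
# whose port scans are a known false positive.
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}

# Assumed severity weights per detection rule; in practice these come from the
# CSIRT's risk assessment of each incident type.
RULE_SEVERITY = {
    "ransomware_note_written": 10,
    "malware_detected": 7,
    "phishing_link_clicked": 6,
    "port_scan": 3,
    "login_failed": 2,
}

# Assumed communication plan: minimum severity -> who gets notified.
ESCALATION = [
    (9, "CISO, legal, executive leadership"),
    (6, "SOC lead"),
    (0, "SOC analyst queue"),
]


def parse_alerts(text):
    """Parse JSON-lines alerts, skipping blank or malformed lines instead of aborting."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return alerts


def filter_false_positives(alerts):
    """Drop alerts whose source is on the known-benign allowlist."""
    return [a for a in alerts if a["src_ip"] not in KNOWN_BENIGN_SOURCES]


def deduplicate(alerts):
    """Collapse repeats of the same (rule, host, src_ip, user), keeping a count and time span."""
    merged = {}
    for a in alerts:
        key = (a["rule"], a["host"], a["src_ip"], a["user"])
        if key in merged:
            merged[key]["count"] += 1
            merged[key]["last_seen"] = a["ts"]
        else:
            merged[key] = dict(a, count=1, first_seen=a["ts"], last_seen=a["ts"])
    return list(merged.values())


def score(alert):
    """Severity = rule weight, plus a small bump for repeated firing, capped at 10."""
    base = RULE_SEVERITY.get(alert["rule"], 1)  # unknown rules get the lowest weight
    return min(base + min(alert["count"] - 1, 2), 10)


def escalation_target(severity):
    """Map a severity score to the notification target from the communication plan."""
    for threshold, target in ESCALATION:
        if severity >= threshold:
            return target
    return ESCALATION[-1][1]


def triage(text):
    """Full pipeline: parse, filter, deduplicate, score, route; most severe first."""
    alerts = deduplicate(filter_false_positives(parse_alerts(text)))
    for a in alerts:
        a["severity"] = score(a)
        a["notify"] = escalation_target(a["severity"])
    return sorted(alerts, key=lambda a: (-a["severity"], a["first_seen"]))


if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f'{a["severity"]:>2} {a["rule"]:<25} {a["host"]:<10} x{a["count"]} -> {a["notify"]}')
```

Running it on the constructed sample yields five triaged alerts: the ransomware alert reaches the top of the queue and routes to executive notification, the two antivirus hits collapse into one alert with a count of two, and the scanner's port scan never appears. Deduplication before scoring matters: without it, a noisy rule that fires repeatedly on one host would crowd out a single high-severity alert.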
The communication plan also comes into play during this phase. Once the CSIRT has determined what kind of threat or breach they're dealing with, they'll notify the appropriate personnel before moving to the next stage of the incident response process.
Containment. The incident response team takes steps to stop the breach from doing further damage to the network. Containment activities can be split into two categories:
At this stage, the CSIRT may also create backups of affected and unaffected systems to prevent additional data loss, and to capture forensic evidence of the incident for future study.
Eradication. Once the threat has been contained, the team moves on to full remediation and complete removal of the threat from the system. This involves actively eradicating the threat itself—e.g., destroying malware, booting an unauthorized or rogue user from the network—and reviewing both affected and unaffected systems to ensure no traces of the breach are left behind.
Recovery. When the incident response team is confident the threat has been entirely eradicated, they restore affected systems to normal operations. This may involve deploying patches, rebuilding systems from backups, and bringing remediated systems and devices back online.
Post-incident review. Throughout each phase of the incident response process, the CSIRT collects evidence of the breach and documents the steps it takes to contain and eradicate the threat. At this stage, the CSIRT reviews this information to better understand the incident. The CSIRT seeks to determine the root cause of the attack, identify how it successfully breached the network, and resolve vulnerabilities so that future incidents of this type don't occur.
The CSIRT also reviews what went well and looks for opportunities to improve systems, tools, and processes to strengthen incident response initiatives against future attacks. Depending on the circumstances of the breach, law enforcement may also be involved in the post-incident investigation.
As noted above, in addition to describing the steps CSIRTs should take in the event of a security incident, incident response plans typically outline the security solutions that incident response teams should have in place to carry out or automate key incident response workflows, such as gathering and correlating security data, detecting incidents in real time, and responding to in-progress attacks.
Some of the most commonly used incident response technologies include:
Get the security protection your organization needs to improve breach readiness with an incident response retainer subscription from IBM Security. When you engage with our elite team of IR consultants, you have trusted partners on standby to help reduce the time it takes to respond to an incident, minimize its impact and help you recover faster before a cybersecurity incident is suspected.
Threat detection is only half of the security equation. You also need a smart incident response to the growing volume of alerts, multiple tools and staff shortages. Accelerate incident response with automation, process standardization and integration with your existing security tools with IBM.
With the growing number of laptops, desktops and remote workers, sophisticated cybercriminals have even more open doors to your organization. From these entry points, they can often proceed deep and unnoticed. IBM delivers a turnkey, 24x7 threat prevention, detection and fast response capability, fueled by threat intelligence and proactive threat hunting to identify and remediate advanced threats.
Proactive threat hunting, continuous monitoring and a deep investigation of threats are just a few of the priorities facing an already busy IT department. Having a trusted incident response team on standby can reduce your response time, minimize the impact of a cyberattack, and help you recover faster.