Complete Incident Response Guide

What is Incident Response?

Incident response is the process of identifying, investigating, and recovering from a potential cybersecurity incident.  It covers everything from the initial indication that an intrusion may have occurred through to post-response retrospectives and lessons learned.

Incident response activities are typically carried out by a dedicated incident response team (IRT) within an organization.  This helps to ensure that the team can respond quickly to the potential incident and that they know how to investigate and remediate it in accordance with corporate policy and cybersecurity best practices.

Building Your Incident Response Team

Defining an incident response team is a vital preparatory step that should happen before an incident occurs.  Defining team members and briefing them on their responsibilities ensures that they will be ready to respond promptly in the event that an incident is detected.

The composition of an incident response team will depend on an organization’s unique needs and the skill sets required.  For example, an organization with a large cloud deployment may need cloud security expertise on the team, while other companies may not.

Every incident response team should have a few key roles, including:

  • Team Leader: The team leader holds overall responsibility for the incident response process and acts as a primary point of contact (POC) for management.  Often, this role is held by a manager or senior member of the security staff.
  • Lead Investigator: The lead investigator is the operational head of the incident response operation.  This role requires technical expertise and experience with performing incident response activities.  Depending on the size of the organization and its incident response team, this person may be the only investigator or may lead and define assignments for a team.
  • Communications Lead: A cybersecurity incident has several stakeholders both inside and outside of the organization.  The incident response team may be required to report to management, the board, law enforcement, the company’s cybersecurity insurance agency, regulatory authorities, customers, shareholders and other parties.  The communications lead is tasked with opening these communications channels and keeping each group of stakeholders apprised of the information relevant to them.
  • Documentation & Timeline Lead: Clear documentation of an incident and the resulting response is essential for law enforcement purposes, regulatory compliance, insurance, and internal records.  The documentation and timeline lead is responsible for ensuring that all events and actions are properly documented to provide a clear and legally admissible record.
  • HR/Legal Representation: Cybersecurity incidents can have legal and HR implications, especially if an insider is somehow involved in the incident.  The incident response team should have HR and Legal representation available to provide any necessary guidance and to help with communications with stakeholders.

These are some of the high-level and essential roles that should be filled on an incident response team, but many corporate incident response teams have other members as well.  The incident response team should have the knowledge and expertise necessary to investigate and respond to an incident anywhere in an organization’s IT environment, and team members should have means of reaching relevant network and systems administrators if needed and if they are not part of the team itself.


Creating an Incident Response Plan

An incident response plan acts as a guide to the team on how to consistently and correctly handle cybersecurity incidents.  Depending on the details of the incident itself, an organization may have multiple plans or playbooks tailored to different scenarios or a single general framework.

The incident response process can be broken up into six stages, which inform the contents of the incident response plan.  These stages are:

Preparation

Preparation is essential to successful incident response.  This phase includes building an incident response team and ensuring that they have a plan, tools, and experience in using both.

Identification

The identification phase of the incident response plan includes initial detection of threats and investigation of any potential incidents.  Investigation should be based upon processes laid out in the corporate incident response plan.

Containment

Cyberattackers and malware commonly attempt to move laterally through compromised networks, and containment is necessary to protect uninfected machines.  Containment is typically performed by disconnecting systems from the network, and the incident response plan should include processes for doing so.

Eradication

Different types of infections and cyberattacks need to be remediated and eradicated in different ways.  An incident response plan should have strategies for remediating different types of malware attacks and for determining if they have persistence mechanisms that must be removed.

Recovery

After the infection has been eradicated, affected devices can be returned to normal operation.  The incident response plan should include strategies for determining when a system is ready for restoration, a process for doing so, and instructions for monitoring a restored device after recovery in case the intrusion was not fully remediated.

Lessons Learned

A cybersecurity incident happens because something went wrong, and the incident response may not have gone as smoothly as it should.  This stage is focused on looking back to identify these issues and ways to correct or mitigate them in the future.

A cyberattack is a stressful situation, and a feeling of stress and urgency can cause incident response team members to make mistakes that can hurt the business.  An incident response plan should lay out approved processes and procedures to help to minimize the chance of these mistakes.

The process of building this incident response plan should be an iterative one.  Drafts of the plan should be sent to stakeholders for feedback and should be tested via simulations.  Based on this feedback and the results of the practice, the plan can be updated to improve response to real incidents in the future.
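As an added illustration (not code from the article or from Prey), here is a small Python incident record that enforces the six stages above in order and keeps the timestamped, hash-chained timeline that the documentation and timeline lead is responsible for; the IncidentRecord class, its API and the log format are assumptions made for this example.

```python
# Added example (not Prey's code or the article's own): a minimal incident record
# that walks the six stages above in order and keeps a tamper-evident, timestamped
# action log. The hash-chained format and IncidentRecord API are assumptions.
import hashlib
import json
from datetime import datetime, timezone

STAGES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned"]

class IncidentRecord:
    """Timeline kept by the documentation & timeline lead: each entry is hashed
    together with the previous entry's hash, so later edits are detectable."""

    def __init__(self, incident_id, opened_at=None):
        self.incident_id = incident_id
        self.stage_index = 0          # every incident starts in Preparation
        self.entries = []
        self._last_hash = "0" * 64    # genesis value for the chain
        self.log("opened incident", when=opened_at)

    def current_stage(self):
        return STAGES[self.stage_index]

    def log(self, action, when=None, actor="unassigned"):
        """Append one timestamped action and extend the hash chain."""
        entry = {"ts": (when or datetime.now(timezone.utc)).isoformat(),
                 "stage": self.current_stage(), "actor": actor,
                 "action": action, "prev": self._last_hash}
        payload = json.dumps(entry, sort_keys=True).encode()
        entry["hash"] = hashlib.sha256(payload).hexdigest()
        self._last_hash = entry["hash"]
        self.entries.append(entry)
        return entry["hash"]

    def advance(self, actor, note):
        """Move to the next stage; stages cannot be skipped or reordered."""
        if self.stage_index == len(STAGES) - 1:
            raise ValueError("incident is already in Lessons Learned")
        self.stage_index += 1
        return self.log(f"entered {self.current_stage()}: {note}", actor=actor)

    def verify(self):
        """Recompute the chain; False if any entry was altered or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True
```

Exporting `entries` to a ticket or case file at each stage transition gives the team the legally admissible, chronological record the roles section calls for.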


Incident Response Tools

Having the right tools is essential to the success of an incident response team.  Without these tools, investigators might not be able to collect the information that they need to fully remediate an intrusion, or incident response may be delayed, creating greater costs for the organization.

The exact tools that incident responders use for their investigations can depend on the details of their environments.  More cloud-focused organizations require cloud-specific tools, companies with many corporate mobile devices or bring your own device (BYOD) policies need tools for mobile investigation, etc.

That said, there are certain capabilities that incident response teams will need within any organization.  Prey offers a variety of solutions that can help incident responders prevent, investigate, and remediate a potential security incident, including:

Data Protection

Properly protecting data using encryption and access controls can help to prevent a data breach or reduce the impacts of a cybersecurity incident.  Part of the preparatory stage of incident response should be putting protections (such as data protection) in place to prevent future incidents.

Asset Inventory

Determining the scope of an incident and which assets may have been impacted requires the ability to rapidly inventory and manage corporate assets.  A centralized asset management system with support for automation can help to speed incident response activities and reduce the cost of a security incident.

Device Tracking

Device location information and historical data can be crucial to incident response activities since it can be used to determine potential infection vectors, the spread of an infection, and if a device containing sensitive information has been lost or stolen.  Additionally, the ability to remotely wipe devices is essential to managing the potential for data leaks.

The longer that an attacker has access to an organization’s systems, the greater the cost and impact to the company.  Putting the right solutions in place and providing the incident response team with the tools that they need can mean the difference between a costly security incident and a non-event.

Final Thoughts

According to the 2021 Cost of a Data Breach report, having an incident response team and plan in place decreases the average cost of a data breach by $2.46 million or approximately 54%.  By defining a team and preparing them with a plan, tools, and training, an enterprise enables them to quickly and correctly respond to a potential security incident, reducing the time that an intruder has to achieve their objectives and cause damage to the organization.

To be effective, incident responders need tools that enable them to prevent security incidents and quickly investigate and respond to intrusions into their networks.  Prey solutions provide centralized visibility and management of corporate IT assets, enabling incident responders to quickly determine the scope of a breach and take action to contain and mitigate it.

About the author

Norman Gutiérrez

Norman Gutiérrez is our Security Researcher at Prey, one of the leading companies in the security and mobility industry, with more than 8 million users worldwide. In addition to this, Norm is Prey's Content and Communication Specialist, and our Infosec ambassador. Norm has worked for several tech media outlets such as FayerWayer and Publimetro, among others. In his free time, Norman enjoys video games, cool gadgets, music, and fun board games.