What is Incident Response? Definition, Steps and Tools

What is Cybersecurity incident response?

Incident response is defined as an intentional approach to preparing for, detecting, isolating, and recovering from a cybersecurity incident. An incident is a breach of policy, law, or other unsanctioned act involving digital technology assets including devices, applications, and networks, or an incident occurs when someone tries to break into the system. 

Why is it important to have an incident response plan?

The world is becoming more connected each day through the use of digital technology. Unfortunately, as more devices come online, they become targets and vulnerable to exploitation by malicious actors seeking to compromise information assets for their own gain. 

According to Accenture’s State of Cybersecurity Resilience 2021 report, security attacks increased 31% from 2020 to 2021. Cisco/Cybersecurity Ventures’ 2022 Cybersecurity Almanac predicts the cost of cybercrime will hit $10.5 trillion by 2025. 

It’s only a matter of time before an organization falls victim to a cybersecurity incident. Failure to formulate, practice, or execute an incident response plan can lead to significant monetary damage, loss of resources, damaged brand reputation, fractured client trust, and even regulatory penalties. 

Here’s how you can lessen the effects of an incident by developing an incident response plan in just six steps.

Six steps of an incident response plan

By formalizing these six foundational steps, you can create an incident response plan that’s robust and effective at limiting the impact of a cybersecurity incident.  

1. Preparation

A security incident can happen at a moment’s notice so it’s important that your organization has prepared in advance for the fateful day. 

Start by assembling a cyber incident response team (CIRT) across disciplines who will be responsible for handling specific tasks related to an incident. These can include team members from the legal, human resources, public relations, IT, and cybersecurity departments. It’s important to provide them with the right tools, access control, and appropriate permissions necessary to perform their job. 

The CIRT should create a policy with a written strategy that details how to handle specific events and prioritizes incidents based upon organizational impact. They should also develop a communication plan that defines who should be contacted, including law enforcement, if necessary. For every task in the Incident Response Plan a RACI (Responsible, Accountable, Consulted, Informed) needs to be clearly defined.

The team must also have a process for ensuring proper documentation, especially if evidence needs to be collected for either insurance or legal purposes. Having a prepared checklist with a place for notes, dates, times, people involved, and other essential details can make documentation easier so nothing gets missed during the stress of an incident. 

Your CIRT team and organization as a whole should reference a vulnerability database (like Snyk's) to understand current threats, and undergo periodic training on what actions everyone should take in the event of an incident. 

As the saying goes “you can’t protect what you don’t know”. In order to properly prepare for an incident you must have complete visibility into all the layers that make up your cybersecurity environment. Take for example the application layer– in order to be prepared for a zero day, your team must be able to quickly determine a) Yes or no if it affects your applications b) which asset(s) does it affect and C) if it affects business-critical assets. Get prepared by using an ASPM tool (application security posture management) with a full asset inventory and automatic asset-class rankings.

2. Identification

Identification refers to the detection and determination of a cyber event that deviates from normal operations (e.g., a breach, tech failure, or other anomaly). Users should gather evidence of the event and report it to the CIRT who should determine the scope, then decide whether the event should be classified as an incident. CIRT and management must coordinate their actions and open all lines of communication in order to minimize the impact on business operations. It’s important to maintain detailed documentation of the evidence, particularly if the issue will escalate to law enforcement. 

3. Containment

Once a cyber incident has been identified, it must be contained to prevent further damage. Isolate the infected technology by removing compromised devices from the network and taking breached production servers offline, then rerouting traffic to failover servers. Remember to preserve evidence by performing a system back-up before wiping and reimaging a system. For long-term containment, install security patches and remove accounts and/or backdoors used by bad actors. 

4. Eradication

Eradication involves purging malicious content from affected systems, and cleaning it to prevent reinfection. Start by reimaging system hard drive(s) to ensure all malicious content is removed, then use anti-malware software to safeguard against reinfection. In this phase, cybersecurity defense should be hardened (i.e., fix vulnerabilities) to prevent future exploitation. For more information on fixing vulnerabilities, check out our post on the vulnerability remediation process.

5. Recovery

Recovery is when affected systems are carefully brought back into the production environment after testing, monitoring, and validating them to verify they are no longer compromised. The CIRT is responsible for advising on when is the best (safest) time to restore the systems once it’s determined that remediation actions have been taken and are sufficient enough to safeguard against a similar attack. 

6. Lessons Learned

Cyber incidents aren’t one-and-done events, as criminals commonly return to attack companies that haven’t fortified their defenses. It’s critical for organizations to take the time to take stock of what happened during the first incident. Analyze how and why it happened and take corrective action to ensure it doesn’t happen again. 

Using the MITRE ATT&CK® Framework to enhance incident response 

In 2013, the non-profit institution MITRE released the ATT&CK Framework, which has become an industry standard for developing a robust incident response strategy. ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a guideline for classifying and describing cyberattacks and intrusions. It involves threat modeling by evaluating a network’s cybersecurity from the perspective of a malicious actor. 

The ATT&CK matrix for Enterprise contains the following adversarial tactics:

• Reconnaissance: gathering intelligence in the lead up to an attack

• Resource development: establishing resources to execute the attack 

• Initial access: attempting to penetrate a network, commonly through phishing 

• Execution: attempting to install a malicious code

• Persistence: changing configurations to maintain a foothold

• Privilege escalation: exploiting a security vulnerability to gain higher-level permissions

• Defense evasion: attempting to avoid detection

• Credential access: stealing account credentials such as user names and passwords

• Discovery: exploring what the attacker can control within an environment 

• Lateral movement: using legitimate credentials to move through an environment

• Collection: gathering relevant information to achieve the adversary’s goal

• Command and control: communicating with and controlling compromised systems

• Exfiltration: stealing information

• Impact: manipulating, interrupting, or destroying systems and data (typically with malware or ransomware)

MITRE has also released ATT&CK frameworks for Cloud, Containers, and Mobile which similarly detail adversary tactics and techniques applicable to their respective environments. 

Automated incident response tools

Fortunately, there are tools on the market that can automate incident response and mitigate some of the damage of a cyber attack. Popular automated tools include:

CrowdStrike: CrowdStrike Incident Response (IR) blends real-world IR and remediation experience with the unique CrowdStrike Falcon cloud native platform to identify attackers quickly and disrupt, contain, and eject them from your environment.

IBM QRadar: A modular security suite that helps security teams gain visibility to quickly detect threats. Teams save time enriching threat intelligence and investigation using AI and pre-built playbooks, including automatic root cause analysis and MITRE ATT&CK mapping. 

SolarWinds Security Event Manager: A security information and event management solution featuring centralized log collection and normalization, automated threat detection and response, and integrated compliance reporting tools.

Splunk Phantom: A platform that combines security infrastructure orchestration, playbook automation, and case management capabilities to orchestrate security workflows, automate repetitive security tasks, and enable security teams to quickly respond to threats.

AlienVault USM Anywhere: A tool that integrates security automation across internal and external IT security and management technologies, helping security teams work more efficiently and achieve faster threat detection and incident response.

What is the NIST Cybersecurity Framework?

The NIST (National Institute of Standards and Technology) Cybersecurity Framework is designed to help businesses understand, manage, and reduce their cybersecurity risk and protect their assets. The framework outlines best practices that businesses can implement to strengthen their cybersecurity posture and decrease open source risks. 

The steps include: 

• Identify, 

• Protect, 

• Detect, 

• Respond, and 

• Recover.

What is the National Cyber Incident Response Plan (NCIRP)?

The NCIRP provides a national approach for dealing with cyber incidents that are likely to harm national security interests, foreign relations, the economy of the United States or the well-being of the American people. It outlines roles and responsibilities for federal agencies, state and local government, and the private sector. The NCIRP should serve as the basis when developing operational planning and gives information and resources to create incident response plans. Download the NCIRP here.

Frequently asked questions