What is Incident Response Plan?

Vishnu Shivalal P
6 min read · Sep 16, 2022


Incident Response

An Incident Response (IR) plan is the plan an organization follows after a cyberattack. IT professionals use it to respond to security incidents such as a cyberattack or a data breach. Such an incident can cause severe damage to an organization and may affect its customers, brand value, intellectual property, money, time and resources. The aim of an incident response plan is to reduce the damage an attack can cause and to help the organization recover as quickly as possible.

An incident response plan is important in every organization. With cyberattacks and data breaches on the rise, it plays an important role in an organization’s information security defense. It is vital to be fully prepared before an incident occurs, both to limit the success and damage of a potential attack and to respond to it as effectively as possible.

Computer Security Incident Response Team (CSIRT)

A CSIRT is a security response team made up of the people responsible for leading or handling the response to an incident (a cyberattack or a data breach). The CSIRT is also responsible for running incident exercises, providing staff training, and maintaining security awareness.

A CSIRT involves several roles, which can be played by one or more people. These include senior and executive management, who are responsible for making critical decisions, and an incident manager, who ensures all actions are tracked and the incident is clearly documented, communicated to stakeholders, and escalated.

The CSIRT also includes leaders from the customer service, human resources, legal, and public relations departments. It requires analysts, investigators, and IT infrastructure experts, who will typically come from an external organization, to explore, contain, and remediate the incident.

6 Steps of an Incident Response Plan

The SANS Institute proposed a six-step incident response plan that an organization should follow. Its Incident Handler’s Handbook outlines the basic foundation businesses need to create their own incident response policies, standards, and teams. It also includes a checklist that ensures each of the incident response steps is followed in the event of an incident. The six phases must be carried out in sequence, as each depends on the previous one.

Step 1: Prepare

Preparation is the most crucial phase in the incident response plan. This step determines how well an organization will be able to respond in the event of an attack. It requires several key elements to have been implemented to enable the organization to handle an incident:

  1. Policy: Provides a written set of principles, rules, or practices within an organization and is a crucial action that offers guidance as to whether an incident has occurred.
  2. Response plan/strategy: The response plan needs to include the prioritization of incidents based on organizational impact, from minor incidents like a single workstation failing to a medium risk like a server going down, and high-risk issues like data being stolen from a department. This can help build the case for management buy-in and gain resources required to handle an incident effectively.
  3. Communication: Having a communication plan is vital to ensuring the entire CSIRT knows who to contact, when, and why. Not having a plan will likely delay the response time and result in the wrong people being contacted.
  4. Documentation: This is a vital step in an incident response plan. Documenting the incident helps the organization provide evidence if the incident turns out to be a criminal act. It also makes it possible to learn lessons for the future. Everything the CSIRT does must be documented so that any potential who, what, when, where, and why questions can be answered.
  5. Team: The CSIRT needs to be composed of people from different disciplines and departments across the organization, not just technical or security teams.
  6. Access control: The CSIRT also needs to have the appropriate permissions to perform their roles. For example, having permission to access networks and systems to mitigate problems and having that permission removed when it is no longer needed.
  7. Tools: Software and hardware are crucial to helping the CSIRT investigate an incident. This can range from anti-malware programs and laptops to screwdrivers. All of the tools required must be contained in a “jump bag.”
  8. Training: Training is crucial to ensuring a team is prepared to tackle a security incident. It is recommended to have regular drills so all CSIRT members know their duties as and when an incident occurs.

Step 2: Identify

The second phase deals with detecting and determining whether an incident has occurred. Information such as error messages and log files must be gathered from various sources, including intrusion detection systems and firewalls, to make this decision. If an incident has occurred, it should be reported as quickly as possible to give the CSIRT enough time to collect evidence and prepare for the next steps. CSIRT members also need to be notified and begin the incident response plan process.

Step 3: Contain

Once a threat has been identified, the organization must limit and prevent any further damage. There are several necessary steps to help them mitigate an incident and prevent the destruction of evidence.

  1. Short-term containment: This aims to limit the damage as quickly as possible. It can range from something as simple as isolating infected machines to taking down production servers and routing all traffic to failover servers.
  2. System backup: Forensic software must be used to capture an image of the affected systems as they were during the incident, both to preserve evidence and to understand how they were compromised.
  3. Long-term containment: This step sees the affected systems temporarily fixed to ensure they can continue to be used while rebuilding clean systems. The primary focus is for accounts or backdoors left by attackers to be removed and security patches to be installed.

Step 4: Eradicate

This phase removes the threat and restores the systems affected by the security incident. As in all phases of the plan, documentation is crucial for determining the cost in man-hours and resources and the overall impact of the attack. The organization must also ensure that all malicious content has been removed from the affected systems and that the systems have been thoroughly cleaned to prevent reinfection.

The eradication phase is also crucial to helping businesses improve their defenses and fix vulnerabilities based on the lessons they learned to make sure their systems do not get compromised again.

Step 5: Recover

This phase helps organizations carefully bring affected systems back into the production environment and ensures another incident does not occur. Systems must be tested, monitored, and validated as they move back into production so they are not re-infected by malware or compromised. Important decisions here include:

  1. The time and date that operations are restored. System operators and owners must make the final decision based on the CSIRT’s advice.
  2. How to test and verify that compromised systems are clean and fully functional.
  3. The duration that abnormal behaviors are monitored.
  4. Tools used to test, monitor, and validate system behavior.

Step 6: Learn

It is vital for organizations to review their incident response and adapt their approach for future attacks. All documentation that was not completed during the incident now needs to be compiled, along with additional information that may benefit future incidents.

The report must provide a play-by-play review of what happened throughout the entire incident. This will help the CSIRT improve its performance, learn from the events that occurred, and provide reference materials for future events. The report can also be used as training material for new employees and to guide any drills that teams hold.

After an event, a lessons-learned meeting should take place as soon as possible. Your report should cover:

  1. When the problem was first detected, how, and by whom
  2. The root cause of the incident
  3. How the problem was contained and eradicated
  4. Actions performed throughout the recovery process
  5. Areas where the CSIRT was effective and areas for improvement
  6. Suggestions and discussion around how to improve the CSIRT

Written by Vishnu Shivalal P

Cyber Security Engineer | Bug Hunter | Security Researcher | CTF Player | PenTester | Security Enthusiast | TryHackMe Top 1% www.linkedin.com/in/vishnushivalalp
