What is Incident Response?


Incident response (IR) refers to an organization’s processes and systems for discovering and responding to cybersecurity threats and breaches. The goal of IR is the detection, investigation, and containment of attacks on an organization. Lessons learned from IR activities also inform downstream prevention and mitigation strategies to enhance an organization’s overall security posture. Cybersecurity incidents are inevitable. Having a robust incident response program can be the difference between sinking and swimming.


Why Is Incident Response Important?

The frequency, sophistication, and severity of attack methods continue to increase, and it’s crucial for a security operations center (SOC) to have documented and tested responses prepared for the threats it will face. The IR process helps answer crucial questions about an attack, such as how an attacker got in, what actions they took, and whether sensitive information was compromised. Confidently answering these questions will not only improve an organization’s security posture but also help with assessing potential legal or regulatory liabilities.

Additionally, an effective IR strategy can reduce the economic impacts often associated with cybersecurity incidents or breaches. Attack methods like malware outbreaks (including ransomware and spyware), DDoS, and credential theft can be costly and disruptive if an organization is not adequately prepared to respond.

What Is Digital Forensics and Incident Response?

Oftentimes, digital forensics is combined with incident response efforts to create a broader digital forensics and incident response (DFIR) process. Digital forensics specifically collects and investigates data with the purpose of reconstructing an incident and providing a complete picture of the entire attack lifecycle, which often involves the recovery of deleted evidence.

Figure 1: The Unit 42 approach to digital forensics

Together, DFIR determines the root cause of issues, identifies and locates all available evidence, and offers ongoing support to ensure that an organization’s security posture is bolstered for the future.


Incident response is a complex but crucial part of cybersecurity. The best advice to security teams building incident response programs is not to fret. Prepare and plan, but don’t panic! Like cybersecurity in general, incident response is not about being 100% ready for every cyberattack, but about continuously learning and enhancing processes to build resilience into security programs. As long as you know which steps to take, how to find the best help and which pitfalls to avoid, you’ll be able to lead your SOC through any security incident. Part of preparing for attacks is understanding the Incident Response Lifecycle.

If these attacks do occur, SOCs can implement DFIR to better understand their environment and how these attacks succeeded.

What Is the Incident Response Lifecycle?

The incident response lifecycle is the suggested foundation for how a SOC can prepare for and respond to an attack. There are five steps to this lifecycle as identified by Unit 42:

  1. Define the engagement scope to assess the attack and how it affected the environment.
  2. Fully understand the incident by collecting and analyzing evidence with security tools like Cortex XDR.
  3. Contain and eradicate the attacker from your environment and apply 24/7 monitoring against new malicious activity.
  4. Implement findings and recover from the incident by implementing enhanced security controls.
  5. Improve the security posture by refining the incident response plan with the lessons learned from the breach.

Figure 2: A graphic detailing the Unit 42 Incident Response Methodology

It is considered best practice for all members of the SOC to be familiar with the Incident Response Lifecycle, even though, in the event of an attack, a specific team will be leading the SOC.

Who Is Responsible for Incident Response?

Many organizations have a specific team dedicated to Incident Response. This team goes by different names, like Computer Security Incident Response Team (CSIRT), Cyber Incident Response Team (CIRT), or Computer Emergency Response Team (CERT). A CSIRT can consist of an incident response manager, incident response analysts, digital forensics analysts, malware reverse engineers, and threat researchers. Many of these teams are led by chief information security officers (CISOs) or IT directors.

In some cases, organizations will choose to combine the efforts and capabilities of their internal teams with external incident response partners, such as Unit 42. Supplementing the team with additional experts is an excellent strategy to address the need for varying levels of subject matter expertise. Since cyberattacks can come in all shapes and sizes, it’s beneficial to have access to experienced external partners that can fill skill gaps when necessary.

In addition to having cyber-focused team members, it is also beneficial to have non-security stakeholders on the incident response team. This can include legal, risk managers, human resources, and other business functions. For example, it is good to have a human resources representative on the team in case the security incident involves an employee, such as with insider threats or data leaks. Having general counsel on the team can be important to assess legal implications or if the incident involves third parties, like customers or vendors. Finally, a CSIRT should have a public relations specialist to present accurate information to relevant parties.

Having a well-rounded and capable incident response team is a crucial part of the incident response process. Beyond acting as experts in a time of crisis, the CSIRT should also spend time researching threats, encouraging best practices, and developing an incident response plan.

What Is an Incident Response Plan?

An incident response plan (IRP) is a crucial part of the SOC that defines what an incident is and outlines a clear, guided response. IRPs are managed and developed by incident response teams, who should continuously review, test, execute, and update the plan as needed. These plans continue working after an incident or breach has been contained, offering ongoing guidance for proper documentation and downstream activities associated with an incident.

An incident is not just a security problem; it’s a business problem. Losing data, reputational damage, or harming employees and customers are just a few ways that incidents can have detrimental impacts on a business. Having an IRP in place will guide the organization during a crisis and ensure that everyone understands their roles and responsibilities.

Incident Response Plan vs. Disaster Recovery Plan

An incident response plan is very similar to a disaster recovery plan (DRP), but it focuses more on cybersecurity threats. Both aim to minimize the damage to an organization, whether the incident is a breach or an earthquake. Even though these documents are similar, it’s still important to maintain them separately; however, it is not uncommon for each document to reference the other. Many organizations will use them in tandem as parts of a larger business continuity plan. Maintaining a robust IRP with the recommended cybersecurity frameworks will protect the organization in a different way from the DRP.

What Are Incident Response Frameworks?

Incident response frameworks provide organizations with standards for creating an IRP. While it’s not required to implement them, these frameworks are excellent guidelines for SOCs as they create and adjust their plans. There are two especially well-known cyber agencies that have frameworks organizations may reference:

  1. The National Institute of Standards and Technology (NIST) framework provides detailed steps on how to create an IRP, build a CSIRT, and train employees. While NIST publishes frameworks covering all areas of technology, NIST SP 800-61 specifically details its guidance for IR.
  2. The SANS Institute offers training courses and certificates along with its 20-page handbook on IR. Unit 42 uses these frameworks as well as guidelines from MITRE ATT&CK and the Center for Internet Security when helping customers create an IRP.

How to Create an Incident Response Plan

When creating an IRP, security leaders should understand the short- and long-term requirements of their business. But identifying needs, risks, and vulnerabilities is just the beginning. A thorough IRP should also establish who maintains it, how to recognize when it is activated, a communication plan, and the performance metrics and compliance needs that apply. Read this Incident Response Plan article for more information and key considerations.

There is no one-size-fits-all IRP. Creating one will require security teams to test and edit relentlessly. Here are some additional tips for creating and testing the plan:

  • Evaluate and list your risk potentials.
  • Use clear language and unambiguous terms.
  • Identify how to inform internal stakeholders, like operations and senior management.
  • If you choose to use a pre-made template, adapt it to your specific needs.
  • Test your plan often with techniques like purple teaming or tabletop exercises to make changes as needed.
  • Use incident response technology like Cortex XSOAR to optimize and automate response workflows and eradicate malicious activity.

If you’re looking for IRP templates or additional guidance, Unit 42 offers an IRP Development and Review service. When you partner with Unit 42, you will create and validate your incident response plan with the help of an expert.

While preparation is undoubtedly an important part of incident response, it is equally crucial that SOCs are able to perform accurately in times of crisis. For moments when they’re unsure of what’s happening, many companies will request incident response services to assist with real-time detection, containment, and eradication.

What Are Incident Response Services?

Many SOCs have limited or even nonexistent resources to effectively respond to an incident. That is why many companies choose to hire outside partners to assist with their incident response needs. Supplementing or even replacing internal teams, these partners deliver services to monitor, detect, and respond to security incidents that occur.

In the case of Unit 42’s IR services, our experts are on standby 24/7 to deploy resources to address your incident response needs. We can deploy best-in-class tools like Cortex XDR to contain threats and gather evidence within minutes. This information is then condensed into a post-mortem analysis that contributes to enhancing your IRP, with a Unit 42 expert operating as an extension of your team.

Initiate Your Response Within Minutes with a Unit 42 Retainer

With a Unit 42 Retainer, your organization will receive pre-paid credits for incident response. Your SOC can make our experts an extension of your team, having them on speed dial whenever you require assistance. You won’t engage in a frantic search for resources when there is a problem. Instead, a specialist who is already familiar with your environment will be there to help when you call.

If you don’t use all of your retainer credits on IR, you can repurpose them toward any other Unit 42 cyber risk management service to help you become more proactive, including IRP development, risk assessments, and so much more.

Learn More About Incident Response

Incident response needs to evolve with the ever-changing threat landscape, and this starts with understanding the latest trends. To get an accurate representation of the present and future of incident response, check out the 2022 Unit 42 Incident Response Report.

The free Unit 42 e-book, Respond to Threats in Record Time, provides a guide to help your team quickly detect, respond to, and contain security incidents.

To dive deeper into incident response and more, check out the Unit 42 blog.