The 7 Steps to Effective Incident Response
Cybercriminals have been around for as long as the Internet, and they are becoming bolder and more sophisticated with each passing day.
Yet incredibly, the majority of businesses are still not ready to respond to cyberattacks or breach events, according to a recent FireEye survey of 800 chief information security officers and other senior executives from around the world.
In a recent study by the Ponemon Institute, 65% of businesses said they lacked the budget to achieve a strong security posture. But the costs of cybersecurity pale in comparison to the potential loss from just an hour of downtime, estimated at $8,000 for small businesses and $74,000 for medium-sized businesses according to a Datto study.
Cybersecurity may seem like one of those nice-to-haves, but like car or home insurance it is actually a must-have.
Thankfully, these seven steps are all it takes to strengthen your incident response capability.
Not surprisingly, effective incident response begins with an Incident Response Plan (IRP). An IRP establishes and tests your capability to deal with new or undiagnosed security issues, enabling your business to defend against and recover from cyberattacks more quickly.
A good IRP begins with these five actions:
- Identifying the baseline. Baseline security is the minimum a company should do to protect itself from vulnerabilities. The baseline should contain recommended configurations, technical solutions, and recovering actions.
- Establishing critical components. Strengthen defenses around critical infrastructure and develop plans for potential failure.
- Diagnosing single points of failure. Know the single points of failure (at both a hardware and software level) and develop plans to deal with them.
- Developing a continuity plan. A workforce continuity plan enables staff to deal with security issues while normal company operations resume.
- Training staff. Your IRP will only work if IT professionals understand how to implement it.
There are multiple ways to identify attacks. For example, your monitoring system may send an alert, employees may notice a malfunction, customers may send complaints about a product, or an unusual entry in an audit log may indicate something is wrong.
Identification consists of four components:
- Monitoring. Your SOC (security operations center) should have eyes on every network endpoint and vulnerability. Your monitoring system should be scanning for anomalous activity that indicates if an attack is underway.
- Detection. When activity seems amiss, your SOC should detect any security incidents. Your SIEM (Security Information and Event Management) or other security tools should issue an alert to relevant security personnel.
- Documentation. Your cyberteam should document their initial findings and assign an incident classification. Referring to logs will help them perform event correlation, allowing for quicker and more efficient responses in the future.
Containment begins with coordinated isolation of all systems within your network that have been compromised. The isolation must be coordinated and in accordance with your incident response policy. Communicate using established channels among all incident response personnel to coordinate the shutdown.
Next, close any gateways that enabled the breach. Find and dismantle backdoors that your attacker may have implemented to give them future access. By identifying IOCs (indicators of compromise) and searching for TTPs (tactics, techniques, and procedures) that were used to overcome your security measures, you improve your odds of containing the attack.
Once contained, your security team should take a surgical approach to remove any malware. In extreme cases, it may be necessary to wipe out all infected devices and rebuild the operating system.
As part of the eradication process, administrators must restore systems to normal operation and ensure that systems function as expected. Continuous assessment is necessary throughout the eradication process to ensure that vulnerabilities and infections are no longer present during the remediation, recovery, and post-incident phases.
The remediation process should be a phased approach. Small or medium-sized businesses may be online again within a matter of days, but large enterprises may need months to safety to full functionality.
The process should include:
- Setting aside time for updates and analysis of the incident.
- Reducing vulnerabilities through system hardening, following the path that the attackers took, and closing vulnerabilities. This includes the hardening of applications, operating systems, servers, databases, and the network.
- Checking all configurations to ensure that there are no misconfigured settings that could be exploited by cyber-criminals, and deploying all patches.
During the recovery phase, your goal is to determine whether the malware can be completely removed, assess the recoverability of the compromised assets, and rehabilitate the asset, bringing it back into normal operations.
The IT team should take predefined steps outlined in the IRP and apply the required changes and patches to the affected asset. If recovery is too complex or if the cost of recovery is more than the value of the asset, then the IT team may decide to decommission the asset.
With the incident in your rearview mirror, it’s time to focus on lessons learned. This should
- Conducting “threat hunting” operations, looking for signs of a latent breach that you missed during the containment and eradication stages.
- Documenting the incident and your response, and noting areas where your team functioned effectively and areas that need to be improved. Then determining if the issue was poor policy or poor implementation and acting accordingly.
- Maintaining a higher state of vigilance, as hackers may decide they want to exploit your network again, and studying logs to see if there was a sign before the initial attack that you missed.
To learn more about the 7 steps to effective incident response, including best practices, download our new e-book.