A Closer Look: Incident Response

When a threat hits, incident response is responsible for diagnosing the vulnerability. Through a disciplined approach, incident response breaks down the resolution of breaches into stages and coordinates upfront preparations to avoid potential attacks.

To the outside world, incident response may seem like a generic term describing “techies” who are responsible for reacting to threats that endanger information systems. There is some truth to this. Incident responders, like firefighters, respond to emergencies and help organizations contain and eliminate threats to their networks. However, that is not all they do, and emergencies are not the only times organizations should solicit their services. Incident response teams are composed of more than just IT personnel; persons from departments like human resources, legal, and operations may be included to provide various perspectives and insights into tackling a breach.

Incident responders specialize in an array of services, most focused on the pre-incident phase of an organization’s risk management planning. This clarification is important since a robust incident response is not just reactive but proactive as well. No matter the engagement, responders’ services can be a valuable addition to any organization that’s assembling or refining a comprehensive enterprise cybersecurity strategy.

 

The Well-Known Role

Putting out fires and containing the damage wreaked by data breaches is the bread and butter of incident responders. When an attack occurs, the main objective of an incident response team is to quarantine the attacker to limit losses in terms of time and resources. This is usually achieved by developing a framework that includes a protocol to appropriately respond to cyber invasions.

Breaking down incident response into steps allows the team to resolve vulnerabilities in a methodical manner. Christopher Budd, a former security program manager at Microsoft, says that incident response teams help manage the risk that is generally implicit within threats. The processes practiced by an organization’s incident response team add a layer of stability to circumstances that are usually chaotic and sporadic. Usually, incident response follows a rule-of-thumb sequence:

 

 

Though constantly on the lookout for unfamiliar or unordinary activity, such as noticeable changes in user behavior and computer processes, in most cases the following scenario is how remediation efforts unfold.

Once a threat is detected, understanding its magnitude is the first priority for incident responders. This allows the team to classify threats by urgency and appropriately prioritize or “escalate” them. For example, a virus leaking data from an organization’s server will likely take precedence over an employee that sets off a tripwire while snooping through database files. Careful diagnosis is key to the entire remediation process because a hasty diagnosis may lead to the wrong course of action and squandered time and resources.

Once appropriately escalated, the threat is then quarantined by the incident response team. Toward that end, the team may, if given the authority to do so, disconnect infected systems and devices from the broader network and related software. Determining the extent of the breach may be problematic in some situations as the attack vector may be difficult to follow and predict.

Following the quarantine, the incident response team must eliminate and review the vulnerability. The threat is eliminated by tracing it back to the original source within an organization’s network. Once sourced, the vulnerability is removed from the system. Infected systems are then cleaned and reconnected to the network. They may then be analyzed again to determine if any unusual behaviors or items remain. If no other threats appear, the threat is considered resolved.

To better prepare for similar threats, the incident response team may review the breach to understand which steps could have been taken to prevent the incident in the first place. In cases where companies have the resources and desire to uncover the identity of the attacker, digital forensics investigations attempt to attribute responsibility for an attack. These investigations generally, but not necessarily, take place post-remediation and can run from a few weeks to several months depending on the attacker’s sophistication. In best-case scenarios, the culprits are found, and carefully assembled evidence that has followed an official chain of custody is used against them in legal proceedings.

 

Pre-Incident Services, Overshadowed Yet Critical

Helping organizations prepare for threats, before and even after a breach has occurred, is arguably a far more important role for incident responders than responding to them. Bart Holzer, GRA Quantum’s Director of Incident Response & Forensics, says, “Ironically, planning is the cheaper of the two factors and often the most overlooked. Unfortunately, even skilled technical people may be set up for failure in the absence of a proper plan . . . A clear plan of action in the event of an incident, complete with decision rights, escalation processes, and methods of communication, will often result in successfully recovering from an incident. The planning process itself often identifies vulnerabilities that are addressed before an incident takes place.” Reviewing the threat could reveal additional weaknesses in an organization’s network that may not be immediately apparent. These actions allow an organization’s incident response team to plan how they will detect and contain the next threat their organization may encounter.

In that sense, a large part of what incident responders do is help organizations proactively develop and maintain strong security practices that identify, classify, and appropriately address risks. These practices require careful planning at each step to effectively improve and connect these actions. Planning ahead for potential cyber invasions doesn’t just save time for incident response teams, but it also saves time for divisions across a company as resources can be reallocated to alternative initiatives. Experts like Holzer routinely admit that they would rather help organizations secure their systems and processes to prevent incidents than to constantly help contain breaches resulting from poor planning and weak defenses. Setting up a robust incident response plan before disaster strikes will go a long way toward minimizing and preventing potential incidents.

Incident response teams can help develop effective incident response plans by understanding company-specific plans and industry standards. This way, a company can set up a plan that fits in well with industry standards and their business needs. There are myriad security and risk management resources currently available, ranging from open-source tools to expensive enterprise-level software suites. However, gaps and vulnerabilities may begin to emerge in a company’s cybersecurity structure if it’s not implemented properly. The personnel and technological elements of security are critical to securing processes and systems. “The effectiveness of any combination of these tools, regardless of price, comes down to two things: People and planning,” says Holzer. “To build an effective enterprise security strategy, a company must identify, empower, train, and support the people who are responsible for securing the IT infrastructure, including [incident response] activities, and have plans in place to guide their actions.” Building an incident response roadmap is very important to how a company approaches threats, but it is just one piece of a comprehensive enterprise cybersecurity strategy.

There are other aspects of a comprehensive enterprise cybersecurity strategy that insert additional layers of proactive planning to test the strength of a company’s defenses. Tabletop exercises or crisis simulations, for example, often involve key decision-makers of a company and custom-made breach scenarios to test how they would handle breaches in real-world situations. These tests reveal how well key decision-makers and their existing disaster plans and procedures may hold up under the pressure of an actual security breach. As part of the planning process, practice makes perfect. Companies should proactively test, audit, and drill their people, policies, and plans.

The most effective enterprise cybersecurity strategies are comprehensive. This includes carefully constructed incident response plans that not only solidify defenses but also actively prepare for worst-case scenarios. Though strong incident response plans seek to minimize costly after-the-fact responses, apprehensions toward these plans may exist due to their immediate implementation costs that could affect other organizational operations. Yes, proper planning may be costly in the short term, but the medium- and long-term benefits prove its value. For most companies, profitability is critical for sustaining market viability. Because security breaches and stolen information can negatively impact profitability, having a strong incident response component of a comprehensive risk management plan is critical. Preparing for a breach saves money, secures data, and makes organizations more resilient against threats.

Big or small, organizations should invest in incident response to maintain their systems’ security. That being said, each organization must make tailored decisions when developing incident response plans that best fit into their current cybersecurity landscape. Consequently, each company should uniquely develop an incident response plan according to the nature of their business and their perceived threat exposure. Having a robust incident response plan within an enterprise cybersecurity strategy enhances the risk management of an organization; however, a plan will never be perfect. Ultimately, achieving a completely secure system is next-to-impossible, but planning ahead and utilizing a variety of proactive strategies, like tabletop exercises, can help to move an organization closer to impenetrability.