An incident response plan is a documented, written plan with 6 distinct phases that helps IT professionals and staff recognize and deal with a cybersecurity incident like a data breach or cyber attack. Properly creating and managing an incident response plan involves regular updates and training.
Is an incident response plan a PCI DSS requirement?

Yes, Requirement 12 of the PCI DSS specifies the steps businesses must take relating to their incident response plan, including:
How to create an incident response plan

An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered.

The incident response phases are:
2. Identification

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

Questions to address
When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run, since you’ll be destroying valuable evidence that you need to determine where the breach started and to devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever. This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials, and harden all passwords.

Questions to address
Questions to address
5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.

Questions to address
Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach. This is where you will analyze and document everything about the breach. Determine what worked well in your response plan, and where there were holes. Lessons learned from both mock and real events will help strengthen your systems against future attacks.

Questions to address
David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.
Learn how an incident response plan is used to detect and respond to incidents before they cause major damage.

What is incident response?

Incident response is an approach to handling security breaches. The aim of incident response is to identify an attack, contain the damage, and eradicate the root cause of the incident. An incident can be defined as any breach of law, policy, or unacceptable act that concerns information assets, such as networks, computers, or smartphones.

As the frequency and types of data breaches increase, the lack of an incident response plan can lead to longer recovery times, increased cost, and further damage to your information security effectiveness. This makes incident response a critical activity for any security organization.

Why is incident response important?

When your organization responds to an incident quickly, it can reduce losses, restore processes and services, and mitigate exploited vulnerabilities. An incident that is not effectively contained can lead to a data breach with catastrophic consequences. Incident response provides this first line of defense against security incidents, and in the long term, helps establish a set of best practices to prevent breaches before they happen.

If you fail to address an incident in time, it can escalate into a more serious issue, causing significant damage such as data loss, system crashes, and expensive remediation. Effective incident response stops an attack in its tracks and can help reduce the risk posed by future incidents.

A solid incident response plan helps prepare your organization for both known and unknown risks. Reliable incident response procedures will allow you to identify security incidents immediately when they occur and implement best practices to block further intrusion. Incident response is essential for maintaining business continuity and protecting your sensitive data. Your response strategy should anticipate a broad range of incidents.
Even simpler incidents can impact your organization’s business operations and reputation long-term. In addition to the technical burden and data recovery cost, another risk is the possibility of legal and financial penalties, which could cost your organization millions of dollars.

The six steps of incident response

1. Preparation

Here are steps your incident response team should take to prepare for cybersecurity incidents:
2. Identification

Decide what criteria call the incident response team into action. IT systems gather events from monitoring tools, log files, error messages, firewalls, and intrusion detection systems. This data should be analyzed by automated tools and security analysts to decide whether anomalous events represent security incidents. For example, just seeing someone hammering against a web server isn’t a guarantee of compromise – security analysts should look for multiple factors, changes in behavior, and new event types being generated. When an incident is isolated, the incident response team should be alerted. Team members coordinate the appropriate response to the incident:
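The identification step above says that one noisy signal is not proof of compromise and that analysts should weigh several factors together. The following block is an added example, not code from the original article or from Exabeam: it scores a host's events on three constructed factors (volume from one source, event types never seen in a baseline, and a behaviour change such as a successful login following repeated failures) and only escalates when the combined score crosses a threshold. The event data, baseline, weights and thresholds are all assumptions for illustration.

```python
"""Added example (not from the page): multi-factor triage for the identification step.

The text warns that one noisy signal, such as a scanner hammering a web server,
does not prove compromise; analysts weigh several factors, behaviour changes and
new event types together. All events, weights and thresholds below are
constructed sample data and assumptions, not real logs or a vendor's logic.
"""
from collections import Counter
from datetime import datetime, timedelta

# Event types each host normally produces, learned during a quiet period (constructed).
BASELINE_TYPES = {"web01": {"http_200", "http_404", "ssh_login_failed", "ssh_login_ok"}}

VOLUME_THRESHOLD = 20  # assumed: this many identical events from one source is "hammering"
ESCALATE_AT = 4        # assumed: minimum score that pages the incident response team


def constructed_events():
    """Sample events as (timestamp, host, event_type, source) tuples."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    # 30 x 404s from one address: noisy, but on its own not an incident
    events = [(t0 + timedelta(seconds=i), "web01", "http_404", "203.0.113.7")
              for i in range(30)]
    # six failed SSH logins, then a success, then an event type never seen before
    events += [(t0 + timedelta(minutes=3, seconds=10 * i), "web01", "ssh_login_failed", "203.0.113.7")
               for i in range(6)]
    events.append((t0 + timedelta(minutes=4, seconds=30), "web01", "ssh_login_ok", "203.0.113.7"))
    events.append((t0 + timedelta(minutes=5), "web01", "new_cron_job", "203.0.113.7"))
    return events


def triage(events, host, baseline_types=BASELINE_TYPES):
    """Score one host's events; returns (score, list of human-readable factors)."""
    host_events = sorted(e for e in events if e[1] == host)
    score, factors = 0, []

    # Factor 1 (weight 1): a high volume of one event type from one source. Noisy alone.
    for (etype, src), n in Counter((e[2], e[3]) for e in host_events).items():
        if n >= VOLUME_THRESHOLD:
            score += 1
            factors.append(f"volume: {n} x {etype} from {src}")

    # Factor 2 (weight 2): event types this host has never produced during the baseline.
    for etype in sorted({e[2] for e in host_events} - baseline_types.get(host, set())):
        score += 2
        factors.append(f"new event type: {etype}")

    # Factor 3 (weight 3): behaviour change - a source that only failed to log in, then succeeds.
    sources_with_failures = set()
    for _, _, etype, src in host_events:
        if etype == "ssh_login_failed":
            sources_with_failures.add(src)
        elif etype == "ssh_login_ok" and src in sources_with_failures:
            score += 3
            factors.append(f"behaviour change: successful login from {src} after failed attempts")
            sources_with_failures.discard(src)
    return score, factors


def should_escalate(score):
    """Only a combination of factors reaches the escalation threshold."""
    return score >= ESCALATE_AT


if __name__ == "__main__":
    s, f = triage(constructed_events(), "web01")
    print(s, should_escalate(s), *f, sep="\n")
```

Run on the constructed sample, the 404 flood alone scores 1 and is not escalated, while the full sequence scores 6 and is; the factor list is what the analyst would attach to the alert so the response team sees why it fired.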
3. Containment

Once your team isolates a security incident, the aim is to stop further damage. This includes:
4. Eradication

Contain the threat and restore affected systems to their initial state, or close to it. The team should isolate the root cause of the attack, remove threats and malware, and identify and mitigate the vulnerabilities that were exploited, to stop future attacks. These steps may change the organization’s configuration. The aim is to make changes while minimizing the effect on the organization’s operations. You can achieve this by stopping the bleeding and limiting the amount of data that is exposed. This is done as follows:
Ensure your team has removed malicious content and checked that the affected systems are clean. For example, if the attacker used a vulnerability, it should be patched; if an attacker exploited a weak authentication mechanism, it should be replaced with strong authentication.

5. Recovery

The purpose of this phase is to bring affected systems back into the production environment carefully, to ensure they will not lead to another incident. Always restore systems from clean backups, replacing compromised files or containers with clean versions, rebuilding systems from scratch, installing patches, changing passwords, and reinforcing network perimeter security (boundary router access control lists, firewall rulesets, etc.). Decide how long you need to monitor the affected network and endpoint systems, and how to verify that the affected systems are functioning normally. Calculate the cost of the breach and associated damages in lost productivity and in the human hours needed to troubleshoot, restore, and recover fully.

6. Lessons Learned

After any incident, it’s worthwhile to hold a debriefing or lessons learned meeting to capture what happened, what went well, and evaluate the potential for improvement. The incident response team and stakeholders should communicate to improve future processes. Complete documentation that couldn’t be prepared during the response process. The team should identify how the incident was managed and eradicated. See what actions were taken to recover the attacked system, the areas where the response team needs improvement, and the areas where they were effective. Reports on lessons learned provide a clear review of the entire incident and can be used in meetings, as benchmarks for comparison, or as training information for new incident response team members.

Who handles incident response?
The Computer Security Incident Response Team (CSIRT)

To prepare for and attend to incidents, you should form a centralized incident response team, responsible for identifying security breaches and taking responsive actions. In a large organization, this is a dedicated team known as a CSIRT. The CSIRT includes full-time security staff. These individuals analyze information about an incident and respond. In a smaller organization, the incident response team can consist of IT staff with some security training, augmented by in-house or outsourced security experts. The incident response team also communicates with stakeholders within the organization, and with external groups such as press, legal counsel, affected customers, and law enforcement. The team should include:
Incident response orchestration and automation

One of the key steps in incident response is automatically eliminating false positives (events that are not really security incidents), and stitching together the event timeline to quickly understand what is happening and how to respond. Exabeam offers a next-generation Security Information and Event Management (SIEM) that provides Smart Timelines, automatically stitching together both normal and abnormal behaviors. This helps investigators accurately pinpoint a series of anomalous events, along with their associated assets, users, and risk reasons, all attached to a single timeline. This automatic packaging of events into an incident timeline saves a lot of time for investigators and helps them mitigate security incidents faster, significantly lowering the mean time to respond (MTTR).

What metrics are needed by SOC Analysts for effective incident response?
Goals of incident response

The main goal of incident response is to coordinate team members and resources during a cyber incident to minimize impact and quickly restore operations. This includes:
In modern Security Operations Centers (SOCs), advanced analytics plays an important role in identifying and investigating incidents. User and Entity Behavior Analytics (UEBA) technology is used by many security teams to establish behavioral baselines of users or IT systems, and automatically identify anomalous behavior. This makes it much easier for security staff to identify events that might constitute a security incident.

5 tips for successful incident response

1. Isolate exceptions

Technology alone cannot successfully detect security breaches. You should also rely on human insight. Following are a few conditions to watch for daily:
Modern security tools such as User and Entity Behavior Analytics (UEBA) automate these processes and can identify anomalies in user behavior or file access automatically. This provides much better coverage of possible security incidents and saves time for security teams. For example, see the Entity Analytics module, a part of Exabeam’s next-generation SIEM platform.

2. Use a centralized approach

Gather information from security tools and IT systems, and keep it in a central location, such as a SIEM system. Use this information to create an incident timeline, and conduct an investigation of the incident with all relevant data points in one place. You can also use a centralized approach to allow for a quick automated response. Use data from security tools, apply advanced analytics, and orchestrate automated responses on systems like firewalls and email servers, using technology like Security Orchestration, Automation, and Response (SOAR).

3. Assert, don’t assume

Don’t conduct an investigation based on the assumption that an event or incident exists. Instead of making assumptions, make assertions, based on a question that you can evaluate and verify. For example: “If I’ve noted alert X on system Y, I should also see event Z occur in close proximity.” Create your assertions based on your experience administering systems, writing software, configuring networks, building systems, etc., imagining systems and processes from the attacker’s eyes.

4. Eliminate impossible events

You may not know exactly what you are looking for. On these occasions, eliminate occurrences that can be logically explained. You will then be left with the events that have no clear explanation. For example:
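Tips 3 and 4 above describe two habits: turning a hunch into a checkable assertion ("if alert X on host Y, I should also see event Z nearby") and removing events that have an ordinary explanation so that only the unexplained ones remain. The following block is an added example, not code from the original article or from Exabeam, showing both over a constructed set of events. The event names, the change window, and the admin account list are assumptions made for the illustration.

```python
"""Added example (not from the page): turning a hunch into a checkable assertion
and eliminating events that have a benign explanation.

Everything below is constructed sample data with assumed naming; it is not a
vendor's code or output.
"""
from datetime import datetime, timedelta

# Constructed events: (timestamp, host, event_type, actor)
EVENTS = [
    (datetime(2024, 3, 1, 21, 58), "db01", "process_start:unexpected_tool", "svc_backup"),
    (datetime(2024, 3, 1, 22, 0), "db01", "edr_alert:suspicious_memory_read", "svc_backup"),
    (datetime(2024, 3, 1, 22, 30), "db01", "service_restart", "admin_jane"),
    (datetime(2024, 3, 2, 3, 15), "db01", "outbound_conn:203.0.113.9:443", "svc_backup"),
    (datetime(2024, 3, 2, 3, 20), "web01", "process_start:unexpected_tool", "www-data"),
]

# Approved change window and the accounts allowed to work in it (constructed; the
# change ticket id is a placeholder, not a real identifier).
CHANGE_WINDOWS = [(datetime(2024, 3, 1, 22, 0), datetime(2024, 3, 1, 23, 0), "CHG-PLACEHOLDER patch reboot")]
ADMIN_ACCOUNTS = {"admin_jane"}


def corroborate(events, alert, expected_prefix, window=timedelta(minutes=5)):
    """Assertion: 'if I noted alert X on host Y, I should also see event Z nearby'.

    Returns the events on the same host whose type starts with expected_prefix
    and that fall within +/- window of the alert. An empty list means the
    assertion failed and the hypothesis should be revised, not assumed true.
    """
    ts, host, _, _ = alert
    return [e for e in events
            if e[1] == host and e[2].startswith(expected_prefix) and abs(e[0] - ts) <= window]


def eliminate_explained(events, change_windows=CHANGE_WINDOWS, admin_accounts=ADMIN_ACCOUNTS):
    """Drop events with a logical explanation (an admin acting inside an approved
    change window); what remains has no clear explanation and deserves a look."""
    unexplained = []
    for ts, host, etype, actor in events:
        in_window = any(start <= ts <= end for start, end, _ in change_windows)
        if in_window and actor in admin_accounts:
            continue  # explained: routine change by an authorized admin
        unexplained.append((ts, host, etype, actor))
    return unexplained


if __name__ == "__main__":
    alert = EVENTS[1]  # the EDR alert on db01
    print("corroborating events:", corroborate(EVENTS, alert, "process_start"))
    print("unexplained:", eliminate_explained(EVENTS))
```

In the sample, the EDR alert on db01 is corroborated by an unexpected process start two minutes earlier on the same host (the matching event on web01 is outside the assertion's scope), and the service restart by admin_jane inside the change window is the only event that gets explained away; the later outbound connection by the service account remains on the unexplained list.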
5. Take post-incident measures

Continue monitoring your systems for any unusual behavior to ensure the intruder has not returned. Watch for new incidents and conduct a post-incident review to isolate any problems experienced during the execution of the incident response plan.
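The recovery step earlier says to replace compromised files with clean versions and to decide how to verify that restored systems are functioning normally, and the post-incident tip above says to keep monitoring to make sure the intruder has not returned. One check that serves both is comparing the files on a restored system against a manifest of hashes taken from the clean backup, then re-running that comparison during the monitoring period. The block below is an added example, not code from the original article; the file paths and contents are constructed stand-ins, and it assumes the manifest was built from the clean backup before the restore.

```python
"""Added example (not from the page): verify a restored system against a known-good
manifest, and re-run the same check during post-incident monitoring.

The manifest is assumed to have been generated from the clean backup before the
restore; file paths and contents here are constructed stand-ins for real files.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed clean files (path -> contents), as taken from a clean backup.
CLEAN_FILES = {
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
    "/var/www/html/index.html": b"<h1>Example site</h1>\n",
    "/usr/local/bin/backup": b"#!/bin/sh\ntar czf /srv/backup.tgz /srv/data\n",
}


def build_manifest(files):
    """Hash every clean file so later comparisons need no copy of the original content."""
    return {path: sha256(content) for path, content in files.items()}


def verify_against_manifest(manifest, current_files):
    """Compare current file contents against the manifest.

    Returns a dict listing modified, missing and unexpected paths, plus a
    'clean' flag that is True only when all three lists are empty. During the
    monitoring period, any non-empty list is a reason to look closer.
    """
    modified = sorted(p for p, h in manifest.items()
                      if p in current_files and sha256(current_files[p]) != h)
    missing = sorted(p for p in manifest if p not in current_files)
    unexpected = sorted(p for p in current_files if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected,
            "clean": not (modified or missing or unexpected)}


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_FILES)
    # Right after the restore: everything matches the clean backup.
    print(verify_against_manifest(manifest, CLEAN_FILES))
    # Constructed drift seen during monitoring: a cron entry changed and a new file appeared.
    drifted = dict(CLEAN_FILES)
    drifted["/etc/cron.d/backup"] = CLEAN_FILES["/etc/cron.d/backup"] + b"* * * * * root /tmp/.x\n"
    drifted["/tmp/.x"] = b"#!/bin/sh\n"
    print(verify_against_manifest(manifest, drifted))
```

On a real host the `current_files` argument would be read from disk for the paths in the manifest plus any directories you want watched for new files; keeping the manifest off the host (for example with the backups) means an intruder who returns cannot quietly update it to match their changes.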