Incident response is enacted to reduce recovery times and costs associated with the compromise of systems.
What is the main aim of incident response?
The main aim of incident response is to contain the threat, reducing the cost and recovery time associated with handling a breach or cybercriminal attack.
Any time a business deals with a data breach or security exploitation, a certain degree of fallout accompanies it. Incident response is initiated to mitigate the damage cybercriminals cause. This process reduces the overall cost and time required to ensure compromised systems or data have been stabilized, the incident’s cause has been identified and contained and overall security has been restored. Most often, companies institute an incident response plan well in advance of any incident to set guidelines for how to stabilize the business in an effective manner, as well as how to communicate the incident and the company’s response to stakeholders, customers and the general public.
What are the four phases of incident response?
The four incident response phases are preparation, detection and analysis, containment, eradication and recovery, and post-event activity phase.
The National Institute of Standards and Technology (NIST) recognizes four lifecycle phases that companies work through once a data breach or cybercriminal attack has been discovered. These phases include:
- The preparation phase
- The detection and analysis phase
- The containment, eradication and recovery phase
- The post-event activity phase.
The preparation phase involves the work that an organization does to prepare for an incident, including forming an incident response plan, establishing tools , identifying the personnel that will be used to handle the incident and performing tabletop exercises and walkthroughs to ensure all stakeholders know their role and responsibilities in the event of an incident. Detection and analysis begins the moment a company finds an incident has occurred and begins taking steps to identify the impact and how it occured. Containment, eradication and recovery is the phase in which the threat has been removed from the system and the team mitigates the effects of the incident in the most effective way possible. Finally, post-event activity involves taking an in-depth look at both the incident and the response to prevent incidents from happening in the future.
What are the 8 steps in incident response?
The eight steps in incident response are detection, team communication, impact assessment, customer communication, escalation, delegation and resolution.
Though incident response includes four phases in its lifecycle, according to NIST, Atlassian recommends seven steps for responding to compromised systems. These steps include:
- Detecting the incident
- Setting up internal communication channels
- Assessing the extent of the incident’s impact and assigning it a severity level
- Communicating the impact and initial response to customers
- Escalating critical needs and knowledge to the right responders
- Delegating roles and responsibilities for effective incident response
- Resolving the incident
- Evaluation
Incident detection includes monitoring processes, alert tools, or staff members who bring attention to an issue that leads to the confirmation of an incident such as an attack or a breach. Setting up internal communication channels involves creating a place for all communication between incident response team members to occur, such as Slack channels or video conferencing links. Next, teams will use detection tools and internal or external knowledge to assess the impact of the incident. From here, communication with customers and stakeholders is critical to maintain trust and ensure they can take any measures to protect themselves from data exposed by the breach. The next step is to bring in any additional required help to reduce the damage of and time spent handling the incident.
As the incident response teams assemble, roles are assigned so multiple parties may respond simultaneously. From here, the team is focused on resolving the incident so that it is no longer impacting the business and stability returns. Teams then begin cleanup and response analysis measures. Finally, the evaluation step is where teams work to identify how the incident occurred, how similar incidents can be avoided in the future and how the response could be improved moving forward.