Life’s a Breach: 6 Steps of Incident Response

by Sarah Harvey / April 14th, 2015

Cyberattacks and data breaches are things all business owners have learned to accept as a possibility. Breaches and hacks make the headlines almost daily, and as technology continues to evolve, so do the ever-present threats associated with these types of risks. There are two sides to every breach, however: prevention and recovery. You are most likely already taking steps to protect your organization from the possibility of a breach, but have you planned what you will do to remain operable and minimize damage in the event that your environment is compromised? Experiencing a breach is disruptive, but fumbling the response is disastrous. An incident response plan is an invaluable measure that every organization should put in place, because let’s face it: controls can fail, implementations can fail, and consequently, incidents are bound to happen.

What is an Incident?

According to The SANS Institute, an incident is defined as an “assessed occurrence having actual or potentially adverse effects on an information system”. Incident Handling is “an action plan for dealing with intrusions, cyber-theft, denial of service, fire, floods, and other security-related events.” Your Incident Response Plan should include appropriate policies and procedures that dictate to your organization what the immediate steps are following the detection of an incident. These steps may include containment, notification of appropriate personnel, reporting, eradication, and lessons learned.

There are six common stages of incident response that are important to consider when developing your own Incident Response Plan. Take a look at the breakdown of the Six Steps of Incident Response below, and ask yourself, “Are we ready?”

Six Steps of Incident Response

  1. Preparation: Advance preparation is essential when planning for a potential incident. Policies and procedures should be known and tested by management and all personnel to ensure that the recovery and remediation process addresses any and all incidents in a timely manner, resulting in the least amount of damage. Do you have the necessary tools and training to handle incidents before they actually occur?
  2. Detection and Identification: After the incident occurs, it’s important to ask yourself a number of questions. What kind of incident has occurred? Data theft? Insider threat? Network attack? Once you’ve identified the type of incident, it’s important to determine its severity in order to choose the best course of action according to your predetermined Incident Response Policy and Procedures. Are there any safety concerns for personnel that need to be considered? Has there been loss or exposure of data? Were any laws or contracts violated? What is the size of the impact area?
  3. Containment: In order to limit the impact of an incident, the containment phase of incident response is critical. Have the right people in your organization been notified? The faster the response time, the more likely it is that you can reduce the damage from the particular incident. This may mean isolating the infected or compromised area while you determine the best way to handle recovery. Do you have the right tools and personnel needed to handle the task?
  4. Remediation: At this stage, it’s time to resolve the issue and remove the threat, whether that is malicious code, a compromised account, or the personnel responsible for the incident. Forensic analysis should be completed, and logs should be preserved throughout the remediation process. Will backups need to be restored? What information security weaknesses need to be addressed at this time?
  5. Recovery: At this point, it’s time to get things back up and running and to be sure that all company policies and procedures are being implemented effectively. Continuous, ongoing monitoring is important following remediation of an incident to be certain that it has been fully resolved and nothing threatening is lingering in your network. Continuous monitoring will also detect any suspicious behavior going forward.
  6. Lessons Learned: Compiling a detailed report of what happened and what corrective measures were taken is a good step towards ensuring the same incident will not occur again. Why did it happen? What could have prevented it? Does your security posture need to be updated to ensure similar incidents won’t happen in the future? Who needs to see this information in order to make any necessary changes to your security posture?

Preparation is just as important as prevention when it comes to securing and protecting your business. Don’t be caught off guard by an unexpected security incident. Develop and implement an Incident Response Plan, train your employees on what needs to be done to protect your business in the aftermath of an incident, and you will be able to minimize and address the damage caused by an unfortunate event.