- How does incident response work and are there specific incident response steps that organizations should follow?
Incident response definition
Incident Response is the method of managing the consequences of a cyber-attack. The main aim of Incident Response is to properly manage an ongoing incident so that the organization does not suffer any more damage or disruption than has already been inflected, as well as formulating effective strategies to deal with recovery time and the costs associated with the attack. Incident Response might also consider how an organization’s reputation may have been affected by a cyber-attack, and how to prevent or reduce further reputational damage.
What is an incident response plan and what is the incident action plan in incident response?
An Incident Response plan is a documented plan that an organization would have to utilize in the event that a cyber-attack has affected their digital estate in order to effectively manage the situation and the aftermath. Its main purpose it to establish a well-oriented and structured format that organizations can follow to help limit damage and disruption if they fall victim to a cyber-attack. This is formatted by National Institute of Standards and Technology, ie NIST (https://www.titanfile.com/blog/phases-of-incident-response/) (https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf). An incident action plan is a plan that is written up with the details, objectives and strategies for detailing and managing an ongoing cyber incident and the repercussions.
How does incident response work and are there specific incident response steps that organizations should follow?
There are generally 7 steps that are [RT1] included in the Incident Response plan. These steps usually are identified as Preparation, Identification, Containment, Eradication, Recovery, Learning, and Re-Testing (https://www.titanfile.com/blog/phases-of-incident-response/, https://www.cynet.com/incident-response/nist-incident-response/#containment)
Preparation typically involves risk assessment, compiling lists of key assets and monitoring network activity to gain an understanding of what represents ‘normal activity’.
Identification refers to uncovering and recognizing potential threats to an organization’s environment; one method of this is through penetration testing exercises to find vulnerabilities within the network.
Containment involves stopping an ongoing attack and preventing it from causing disruption or damage to a network. Containment strategies may consist of disconnecting infected devices, changing privileged credentials that may have been compromised and disabling remote access capabilities.
Eradication is the process of removing all elements of a compromise from the affected network, this could include identifying compromised host, removing malware, or reimagining infected hard drives.
Recovery involves restoring a network to its normal functionality as quickly as possible once an attack has been eradicated. This could include testing and monitoring affected access points to ensure there are no remnants of infection.
Learning here refers to examining and investigating the incident and ascertaining:
- What happened, when and which devices were involved?
- What went wrong? Could this have caused further damage to the network?
- What could the security team have done differently?
- Are any additional security tools required?
Re-Testing, the final step, consists of fine-tuning the incident response plan to ensure it covers all areas of security within the organization’s digital environment. This will allow security teams to improve the plan and find any previously unnoticed gaps.
What challenges do organizations typically face in incident response?
There are multiple challenges to incident response plans and processes. One consideration is that there may be too much data freely available. The threat landscape is constantly growing, and new attack methods and novel strains are frequently appearing in the wild. As a result, security teams often receive a huge volume of inbound data and do not have enough resources or time to investigate it properly. As result, security teams can become overwhelmed and burned out which can lead to investigations not receiving the required level of attention or time.
On average, an organization’s Security Operations Centre (SOC) receives around 10,000 security alerts per day. It is important for security teams to work as efficiently as possible, ensuring they can properly triage and investigate alerts. In addition, there is a shortage of experienced cyber security professionals available who can conduct this type of technical investigation and determine whether an alert represents a genuine cyber threat or a false positive. There are also compliance-related challenges from numerous regulators and organizations, such as the European Union’s General Data Protection Regulation (GDPR) policy, that requires organizations to report on a cyber-attack or breach within a certain time.
What is the NIST incident response framework?
The National Institute of Standards and Technology (NIST) created the NIST Incident Response Framework in order to establish a process that organizations should follow in the event that their network is compromised. The NIST framework contains four steps that are intended to give incident response teams an established methodology to help them manage cyber-attacks in a cyclical manner that allows organizations to learn from previous incidents. The four steps of the NIST Incident Response Framework are: preparation, detection and analysis, containment, eradication and recovery, and finally, post-incident activity.
How can security solutions help in incident response?
Security solutions often automate the threat detection process which in turn reduces the workload for incident response teams, while also decreasing the number of false positives that are investigated.
There are several security solutions available that could be helpful when it comes to Incident Response. For example, “Security, Orchestration, Automation and Response”, or SOAR, solutions can help security teams to automate data collection, threat analysis and incident response processes. They typically specialize in coordinating, automating and prioritizing threat detection and remediation. SOAR allows security teams to focus on more complicated issues and sophisticated threats.
Security Information and Event Management (SIEM) tools provide incident data to SOC teams. It plays a crucial role in monitoring emerging threats and response by enriching log data from Security Event Management (SEM) with data analysis from System Information Management (SIM) in order to generate incident alerts for subsequent investigation and remediation by security teams.
How can organizations automate incident response?
Using both Artificial Intelligence and Machine Learning, organizations can automate their incident response.
There is often a massive amount of incoming data pertaining to ongoing incidents that security teams and incident response teams alike have to analyze to keep their networks secure. Automating this analysis makes the process of identifying and triaging ongoing incidents much more efficient, thus freeing up valuable resources. Organizations can configure this automation to ensure that only relevant and/or potentially concerning events are alerted, reducing the amount of false positives while ensuring potentially malicious events are not missed. Automated incident response will recognize the context surrounding the incident, then look investigate why it occurred and what can be done about the incident.
How does Darktrace HEAL help with incident response?
Darktrace HEAL helps with incident response by utilizing AI to establish how ready customer networks are for a cyber-attack and how prepared they would be to recover and restore their environment to an operational state.
Additionally, Darktrace HEAL offers attack simulations to test different incident response plans.
Following an incident, HEAL is able to analyze a specific incident and generate a timelined report that details exactly what happened and what actions were taken throughout the course of the attack. These reports can ultimately be used by third-part forensic teams, insurance providers, security teams and legal teams after a cyber-attack.