What is incident response, and why does your business need it?

Author: Phil Muncaster

Cyber threats are one of the biggest global risks facing organizations over the next five years according to the World Economic Forum1. Over a fifth (5,212) of the 23,896 incidents analyzed in the Verizon 2022 Data Breach Investigations Report (DBIR) were classified as breaches. When this happens, it's down to the incident response team to spring into action.

In short, you can't stop cyber threats from happening all of the time. But you can act rapidly to contain them, recover and build resilience for the next event. As such, incident response should be a critical part of any cyber security strategy.

What is incident response?

Incident response is the process used to manage and recover from a cyber security breach. It's usually reactive in nature, designed to kick in once an incident has occurred. But incident response is also crucial in helping organizations quickly mitigate the potential impacts of that incident and bounce back based on lessons learned from the data breach investigation. This includes generating intelligence to proactively update defensive tools, patch vulnerabilities and address misconfigurations to help prevent a similar incident in the future.

Events that could qualify as incidents may include:


How does incident response work?

An IT-led cross-functional team delivers incident response, which follows a prewritten and rigorously tested plan. The CSIRT (cyber security incident response team) or CIRT (cyber incident response team) will usually include:

  • A manager responsible for ensuring all incidents are tracked and the appropriate ones are escalated, documented and communicated

  • A technical lead to head up the technical response and recovery work

  • Representatives from other key departments, including human resources, legal, audit/risk, public relations and potentially customer service

  • Security analysts/researchers who work with threat intelligence and detection and response tools to track incidents, prioritize possible intrusion events for investigation and handle forensic evidence

  • IT and infrastructure team players who help with incident containment and remediation

4 stages of incident response

According to the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, there are four key stages2.

1. Preparation

This involves ensuring incident response plans are current and well tested. Plans could include:

  • Allocating roles and responsibilities
  • Defining and updating which technologies to use
  • Ensuring communications pathways are up to date

2. Detection and analysis

This involves detecting the telltale precursors and indicators of an incident, working out if it represents a legitimate threat, prioritizing it based on potential impact and notifying key stakeholders.

3. Containment, eradication and recovery

Once an incident is detected, the first task is to contain the threat so it can't spread, then eliminate it, remediate and restore. Exactly what form these steps take varies depending on the type of incident, the systems impacted and the resources required.

4. Post-incident activity

The final "lessons learned" phase can be used to improve response plans and enhance defenses to help prevent similar attacks in the future.

Incident response has no final destination. It's a continually evolving discipline in which teams should be constantly striving to improve. One useful way to do so is by testing how successful current plans are through metrics such as:

  • Number of incidents detected and missed
  • Number of incidents requiring action
  • Time taken to remediate
  • Number of incidents leading to full-scale breaches

Why your organization needs incident response

For today's cyber security teams, it's just a matter of time before threat actors find a way to compromise their IT systems, making incident response and data breach investigation efforts critical. Whether they're state-backed hackers or financially motivated cyber crime groups, those launching attacks usually have the advantage of surprise. And they're increasingly well resourced. In fact, cyber crime is predicted to cost the world $7 trillion in 2022.

The widespread digital investment during and after the pandemic also makes cyber criminals' jobs easier. These transformation initiatives are necessary to drive cost efficiencies, business agility and competitive advantage, but they also create a larger attack surface for threat actors to target. This has resulted in:

The challenge for many organizations is realizing they've been compromised. The global median dwell time—the period of time attackers are allowed to reside inside networks without being discovered—stood at 21 days in 2021. That's three weeks for threat actors to find and steal sensitive data, deploy ransomware and crypto miners, and carry out other nefarious activities.

Services that can help with incident response and data breach investigation

As NIST says in its guidance document, "incidents can occur in countless ways" and through many different attack vectors, so there's no definitive list of suitable tools4. However, some critical technologies for helping teams identify incident precursors and indicators are:

Partnering with experts

NIST also mentions the role of third-party monitoring services as many organizations may not have the time, money or resources to spend a great deal on incident response. Third-party partners also often bring specific domain expertise that enhances in-house efforts at a fraction of the cost of developing such capabilities internally. Services include:

  • Incident response planning to assess existing plans, benchmark them against industry peers and recommend ways to enhance response readiness and effective decision-making
  • Rapid response services that feature 24/7 support to help customers quickly contain and recover from a security breach
  • Cyber and data breach investigation services that leverage external security operations and forensics teams to collect and analyze evidence, reverse engineer malware, salvage data and hunt for dark web threats
  • Post-incident support designed to help customers strengthen their security posture going forward through a third-party assessment of incident response processes
  • Verizon has over 25 years of experience and monitors, on average, 61 billion security events and 500 million incidents each year.

Discover how Verizon's incident response and investigations service can help your organization accelerate response and minimize the impact of attacks.

The author of this content is a paid contributor for Verizon.

World Economic Forum, The Global Risks Report 2022, page 9.

National Institute of Standards and Technology, Computer Security Incident Handling Guide, page 30.

Verizon, 2022 Mobile Security Index Executive Summary, page 6.

National Institute of Standards and Technology, Computer Security Incident Handling Guide, page 2.