What is incident response, and why does your business need it?
Author: Phil Muncaster
Cyber threats are one of the biggest global risks facing organizations over the next five years according to the World Economic Forum [1]. Over a fifth (5,212) of the 23,896 incidents analyzed in the Verizon 2022 Data Breach Investigations Report (DBIR) were classified as breaches. When this happens, it's down to the incident response team to spring into action.
In short, you can't prevent every cyber threat. But you can act rapidly to contain the ones that get through, recover and build resilience for the next event. As such, incident response should be a critical part of any cyber security strategy.
What is incident response?
Incident response is the process used to manage and recover from a cyber security breach. It's usually reactive in nature, designed to kick in once an incident has occurred. But incident response is also crucial in helping organizations quickly mitigate the potential impacts of that incident and bounce back based on lessons learned from the data breach investigation. This includes generating intelligence to proactively update defensive tools, patch vulnerabilities and address misconfigurations to help prevent a similar incident in the future.
Events that could qualify as incidents may include:
- Malware-based attacks (e.g., cryptojacking, ransomware, banking Trojans, info-stealer malware)
- Phishing attacks designed to harvest user credentials or potentially deliver malware
- Distributed denial of service attacks designed to cripple services by flooding them with traffic
- Insider threats stemming either from negligence—such as using unpatched personal devices for work—or malice
- Third-party attacks that impact the organization through a supplier, such as a managed service provider, a software vendor, an open source repository or a non-digital supplier like a law firm
How does incident response work?
An IT-led cross-functional team delivers incident response, which follows a prewritten and rigorously tested plan. The CSIRT (cyber security incident response team) or CIRT (cyber incident response team) will usually include:
- A manager responsible for ensuring all incidents are tracked and the appropriate ones are escalated, documented and communicated
- A technical lead to head up the technical response and recovery work
- Representatives from other key departments, including human resources, legal, audit/risk, public relations and potentially customer service
- Security analysts/researchers who work with threat intelligence and detection and response tools to track incidents, prioritize possible intrusion events for investigation and handle forensic evidence
- IT and infrastructure team members who help with incident containment and remediation
4 stages of incident response
According to the National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide, there are four key stages [2].
1. Preparation
This involves ensuring incident response plans are current and well tested. Plans could include:
- Allocating roles and responsibilities
- Defining and updating which technologies to use
- Ensuring communications pathways are up to date
2. Detection and analysis
This involves detecting the telltale precursors and indicators of an incident, working out if it represents a legitimate threat, prioritizing it based on potential impact and notifying key stakeholders.
3. Containment, eradication and recovery
Once an incident is detected, the first task is to contain the threat so it can't spread, then eliminate it, remediate and restore. Exactly what form these steps take varies depending on the type of incident, the systems impacted and the resources required.
4. Post-incident activity
The final "lessons learned" phase can be used to improve response plans and enhance defenses to help prevent similar attacks in the future.
Incident response has no final destination. It's a continually evolving discipline in which teams should be constantly striving to improve. One useful way to do so is by testing how successful current plans are through metrics such as:
- Number of incidents detected and missed
- Number of incidents requiring action
- Time taken to remediate
- Number of incidents leading to full-scale breaches
Why your organization needs incident response
For today's cyber security teams, it's just a matter of time before threat actors find a way to compromise their IT systems, making incident response and data breach investigation efforts critical. Whether they're state-backed hackers or financially motivated cyber crime groups, those launching attacks usually have the advantage of surprise. And they're increasingly well resourced. In fact, cyber crime is predicted to cost the world $7 trillion in 2022.
The widespread digital investment during and after the pandemic also makes cyber criminals' jobs easier. These transformation initiatives are necessary to drive cost efficiencies, business agility and competitive advantage, but they also create a larger attack surface for threat actors to target. This has resulted in:
- An 11% increase in security incidents from 2020 to 2021, related to over 5 billion breached records
- A 13% year-on-year surge in ransomware according to the 2022 DBIR
- Cloud security incidents impacting 80% of organizations in 2021
- 45% of organizations facing a compromise involving a mobile device over the past year, with 73% saying the impact was major and 42% saying there were lasting repercussions, according to Verizon's 2022 Mobile Security Index report [3]
The challenge for many organizations is realizing they've been compromised. The global median dwell time—the period of time attackers are allowed to reside inside networks without being discovered—stood at 21 days in 2021. That's three weeks for threat actors to find and steal sensitive data, deploy ransomware and crypto miners, and carry out other nefarious activities.
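The plan-effectiveness metrics listed above and the dwell-time figure in this paragraph are straightforward to compute from an incident register. The following is an added example, not code from the article or from Verizon; the register, its field names and the rule that an incident reported by an outside party counts as "missed" by internal detection are all constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample incident register; ids, dates and outcomes are made up.
# "detected_by" is "internal" when the team's own tooling caught the incident;
# any other value means an outside party reported it (assumed here to mean
# internal detection missed it).
INCIDENTS = [
    {"id": "INC-1", "compromised": date(2022, 3, 1), "detected": date(2022, 3, 4),
     "detected_by": "internal", "remediated": date(2022, 3, 6),
     "action_required": True, "breach": False},
    {"id": "INC-2", "compromised": date(2022, 3, 10), "detected": date(2022, 4, 5),
     "detected_by": "partner", "remediated": date(2022, 4, 12),
     "action_required": True, "breach": True},
    {"id": "INC-3", "compromised": date(2022, 4, 1), "detected": date(2022, 4, 1),
     "detected_by": "internal", "remediated": date(2022, 4, 1),
     "action_required": False, "breach": False},  # blocked phishing attempt, no cleanup
    {"id": "INC-4", "compromised": date(2022, 5, 2), "detected": date(2022, 5, 23),
     "detected_by": "law enforcement", "remediated": date(2022, 6, 2),
     "action_required": True, "breach": True},
    {"id": "INC-5", "compromised": date(2022, 6, 1), "detected": date(2022, 6, 15),
     "detected_by": "internal", "remediated": date(2022, 6, 20),
     "action_required": True, "breach": False},
]

def dwell_days(inc):
    """Days the attacker sat undiscovered: first compromise to detection."""
    return (inc["detected"] - inc["compromised"]).days

def remediation_days(inc):
    """Days from detection to remediation (containment, eradication, recovery)."""
    return (inc["remediated"] - inc["detected"]).days

def ir_metrics(incidents, dwell_benchmark_days=21):
    """The article's four plan-effectiveness metrics plus median dwell time."""
    actioned = [i for i in incidents if i["action_required"]]
    return {
        "detected_internally": sum(i["detected_by"] == "internal" for i in incidents),
        "missed_internally": sum(i["detected_by"] != "internal" for i in incidents),
        "requiring_action": len(actioned),
        "median_days_to_remediate": median(remediation_days(i) for i in actioned) if actioned else None,
        "full_breaches": sum(i["breach"] for i in incidents),
        "median_dwell_days": median(dwell_days(i) for i in incidents),
        # incidents that reached the 21-day global median dwell time the article cites
        "dwell_at_or_above_benchmark": sum(dwell_days(i) >= dwell_benchmark_days for i in incidents),
    }

if __name__ == "__main__":
    for name, value in ir_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Tracking these values across quarters shows whether detection is catching intrusions before outsiders do and whether remediation is getting faster, which is the trend the "lessons learned" phase exists to drive.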