What is incident response?
When a security team detects a threat, it's essential that the organization is
ready for what comes next. That requires a tightly coordinated incident response
plan (IRP): a sequence of actions and events, each assigned to specific
stakeholders on a dedicated incident response team. Some businesses have their
own in-house team, some outsource incident response services, and others take a
hybrid approach, outsourcing technical analysis but managing the rest of the IRP
in-house. Either way, this team should have trained and planned for incidents
well before any trouble rears its head.
A well-coordinated incident response effort should always include:
High-level incident management and coordination
Technical analysis of the incident
Incident scoping to determine who or what was affected
Crisis communications to make sure information is released in a coordinated
and beneficial manner
Legal response to determine any implications and prepare any needed
response or action
Remediation and mitigation recommendations and actions to ensure a
smooth recovery
Organization-wide preparation
An organization’s incident response team should include people in positions
beyond security and IT. Stakeholders from legal, corporate communications,
human resources, and more should also be involved in the preparation and
execution of any incident response activity.
Preparation is key to allow for fast action when minutes matter. It’s not ideal to
wait until a situation becomes a full-fledged escalated incident to start chasing
down and educating stakeholders. Major players should know their
responsibilities well ahead of time so that they only need the signal to jump into
action. To help ensure team members are trained and empowered enough to
take the right actions, at the right time, teams should conduct non-technical
tabletop exercises and full breach simulations to run through the technical and
non-technical processes.
Know your key players
When preparing for incident response, having the right people on the team is
crucial. Every business has its own unique needs, but it’s recommended for
organizations to identify specific individuals or teams for the following core
functions:
Incident management: This central role requires extensive technical
knowledge and prior experience in management and incident response. The
person in this role acts as an overall project manager to oversee technical
task completion, as well as information gathering for all involved
stakeholders.
Enterprise incident investigation: This is where the challenges of working at
an enterprise differ from those of smaller organizations. A large breach at a
large organization requires tooling that can collect forensic artifacts and hunt
for indicators of compromise across many hosts, including remote ones, so that
the team can establish the scope of the intrusion as quickly as possible.
Technical analysis: These roles require technical know-how, and it's best to
have analysts on the team who specialize in specific areas, such as malware
analysis, forensic analysis, event log analysis, and network analysis. Any
information these analysts find should be shared with the rest of the incident
response team.
Incident scoping: What was the extent of the breach? That's a crucial
question any incident response team will need to know. The answer to this
question may change over the course of the incident response and
investigation, especially as technical analysis continues.
Crisis communications: Sharing the findings of the investigation, as well as
the scope and potential outcomes, will need to happen both internally and
externally. An experienced crisis communications team should communicate
the right details to the right audiences. Their responsibilities may include
breach notifications, regulatory notifications, employee and/or victim
notifications, and press briefings if needed.
Legal, human resources, and regulatory concerns: If a breach has any regulatory
or compliance considerations, it's important to have someone on the team who
knows how to navigate disclosure requirements and can liaise with regulators
and law enforcement. For teams that do not have this expertise in-house,
specialized legal counsel on retainer is a worthwhile investment.
Executive decision making: Any breach can affect an organization's public image
and financial standing, which is why executive leadership should always be
involved. There will be crucial decision points over the course of the response
and investigation (for example, whether to contain an attacker immediately or
keep observing them, or when to notify affected parties), and the team will need
executive input at those junctures.
Reporting and remediation: While working on incident response, it is important
to document everything. With this information, teams should be able to piece
together the entire story of the breach: what the attackers did, when and how
they did it, and what they managed to compromise. This makes it possible to
produce detailed remediation and mitigation recommendations for recovering from
the breach, and to help the organization defend against similar attacks in the
future.
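The investigation, scoping and reporting roles above all consume the same raw material: log lines collected from many hosts, checked against the indicators of compromise that technical analysis has produced. The following is an added example, not code from the original article, showing that workflow end to end: it sweeps per-host log excerpts for a set of IOCs, works out which hosts are in scope and when each was first and last touched, and emits a single chronological timeline for the report. All hostnames, IP addresses, domain, hash and log lines are constructed sample data (documentation IP ranges, the reserved .example TLD and the SHA-256 of an empty string); the log format is an assumed "ISO timestamp, source, message" layout.

```python
"""IOC sweep, scoping and timeline over per-host log excerpts (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Tuple

# Constructed indicators, as handed over by malware/network analysis.
IOCS: Dict[str, Iterable[str]] = {
    "ip": {"198.51.100.23"},                     # TEST-NET-2 documentation range
    "domain": {"update-cdn.example"},            # reserved example TLD
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "user": {"svc-backup"},                      # account seen in attacker use
}

# Constructed log excerpts collected from three hosts. Format assumed here:
# "<ISO-8601 UTC timestamp> <source> <message>".
HOST_LOGS: Dict[str, List[str]] = {
    "web-01": [
        "2024-03-04T01:12:09Z sshd Accepted password for svc-backup from 198.51.100.23 port 50122 ssh2",
        "2024-03-04T01:13:40Z dns query A update-cdn.example from 10.0.1.11",
        "2024-03-04T01:14:02Z auditd EXECVE path=/tmp/.cache/u sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ],
    "db-02": [
        "2024-03-04T02:47:33Z sshd Accepted publickey for svc-backup from 10.0.1.11 port 41022 ssh2",
        "2024-03-04T02:48:10Z auditd EXECVE path=/var/tmp/u sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    ],
    "jump-03": [
        "2024-03-04T00:58:51Z sshd Accepted password for alice from 203.0.113.5 port 52211 ssh2",
        "2024-03-04T03:10:00Z dns query A cdn.example from 10.0.1.12",
        # Near miss: shares a prefix with the IOC address but is a different host.
        "2024-03-04T03:12:45Z fw ALLOW 10.0.1.12 -> 198.51.100.230:443",
    ],
}


@dataclass(frozen=True)
class Hit:
    ts: datetime
    host: str
    ioc_type: str
    ioc_value: str
    line: str


def _pattern(value: str) -> "re.Pattern[str]":
    # Require a boundary on both sides so 198.51.100.23 does not match
    # 198.51.100.230 and cdn.example does not match update-cdn.example.
    return re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])")


def parse_ts(line: str) -> datetime:
    """Parse the leading ISO-8601 UTC timestamp of a log line."""
    stamp = line.split(" ", 1)[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_hits(iocs: Dict[str, Iterable[str]], host_logs: Dict[str, List[str]]) -> List[Hit]:
    """Return every (line, IOC) match across all hosts, sorted by time then host."""
    compiled: List[Tuple[str, str, "re.Pattern[str]"]] = [
        (ioc_type, value, _pattern(value))
        for ioc_type, values in iocs.items() for value in sorted(values)
    ]
    hits: List[Hit] = []
    for host, lines in host_logs.items():
        for line in lines:
            for ioc_type, value, pat in compiled:
                if pat.search(line):
                    hits.append(Hit(parse_ts(line), host, ioc_type, value, line))
    return sorted(hits, key=lambda h: (h.ts, h.host))


def scope(hits: List[Hit]) -> Dict[str, dict]:
    """Per affected host: first/last observed attacker activity and IOC types seen."""
    out: Dict[str, dict] = {}
    for h in hits:
        s = out.setdefault(h.host, {"first_seen": h.ts, "last_seen": h.ts, "indicators": set()})
        s["first_seen"] = min(s["first_seen"], h.ts)
        s["last_seen"] = max(s["last_seen"], h.ts)
        s["indicators"].add(h.ioc_type)
    return out


def timeline(hits: List[Hit]) -> List[str]:
    """One chronological line per hit, ready to paste into the incident report."""
    return [f"{h.ts:%Y-%m-%d %H:%M:%S}Z {h.host:<8} {h.ioc_type}={h.ioc_value}" for h in hits]


def earliest_host(hits: List[Hit]) -> str:
    """Host with the earliest matching activity (a starting point, not proof of patient zero)."""
    return hits[0].host if hits else ""


if __name__ == "__main__":
    found = find_hits(IOCS, HOST_LOGS)
    for host, s in scope(found).items():
        print(f"{host}: {s['first_seen']:%H:%M:%S}Z - {s['last_seen']:%H:%M:%S}Z  {sorted(s['indicators'])}")
    print("\n".join(timeline(found)))
```

Two details matter in practice. The boundary pattern around each indicator is what keeps the near-miss firewall line on jump-03 out of scope; naive substring matching would have pulled a clean host into the incident. And the scope is only as good as the IOC list: db-02 is caught through the reused service account and the binary hash, so the scope output should be re-run every time analysis adds a new indicator, which is why the article says the answer to "what was the extent of the breach" changes as the investigation proceeds.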
The post-mortem
After successfully responding to an incident, it's not time to rest just yet. The
incident response team should conduct a post-mortem to learn from the
experience—both to fine-tune their incident response program specifically, and
also to retune their security program overall. What worked, what didn't work, and
what could work better or faster? There's no better teacher than experience, so
it’ll be important to glean as many lessons as possible from responding to a real
incident.
What is an incident response plan?
An incident response plan delineates what steps need to be taken, and by whom,
when a breach or security crisis occurs in an organization. A robust response
plan should empower teams to leap into action and mitigate damage as quickly
as possible. Emergency responders go through regular training simulations and
process checks, so when a situation arises they know how to act almost by
muscle memory. Information security teams would be wise to follow their
example: When an emergency occurs, you don’t want to waste time figuring out
incident response processes and procedures while precious minutes are ticking
away. Having a plan in place becomes paramount.
No one enjoys a crisis, but when it comes to incident response, it pays to be
prepared. Minutes count when a network has been infiltrated or data has been
breached, and waiting to figure out processes in the heat of the moment will
likely result in confusion, and worse still, slower overall response times to the
incident itself.
To prevent this from happening to your organization, your incident response
team should have a carefully mapped incident response plan, rehearsed regularly
for a variety of possible scenarios with all stakeholders included across a variety
of roles. After all, when a security incident occurs, it’s not just technical teams
that need to act; non-technical resources—such as legal and communications—
as well as outside parties will need to be involved, especially if you partner with
a security service provider.
What’s in a robust incident response plan?
There’s a great deal of groundwork that can be done ahead of time to reduce
complexity and risk during an emergency. An incident response plan should
include:
Buy-in from key organizational stakeholders: When a crisis hits, your team
needs to know they have the support from key stakeholders to act quickly.
Make sure C-level executives and other stakeholders fully buy in to the
response plan, give it their support, and empower the incident response team
to act quickly and confidently during a crisis.
Clearly defined roles, responsibilities, and processes: The last thing your
team needs is to be figuring out who owns what and trying to track that
person down. Every element of incident response, from the technical to the
non-technical, should have a named stakeholder attached to it with clear
responsibilities outlined. People in these roles should have the expertise to
carry out what’s expected of them (this is not the time to test your most junior
team members). In addition, each incident response role should know exactly
what processes they’re accountable for and what’s expected of them when an
incident occurs, from determining the initial scope of the breach all the way to
crisis communications. If there’s any ambiguity in the plan about who owns
what, it may well be forgotten during a crisis.
Technologies and partnerships to enable quick action: When running your
incident response drills, make sure you have every tool in the toolbox you
need to respond quickly and effectively. You will likely find some areas have
large gaps, and others have some wiggle room to improve; where possible,
make sure you have the internal technologies and tools available to your
teams to do their jobs efficiently, making the most of automation where
possible.
The key here is “quick.” If you don’t have the internal expertise or resources to
conduct a quick response, or your toolset isn’t giving you the information as
quickly as you need it, then you may want to look into external incident response
services to help address these gaps and speed up your incident response times.
(Make sure to include this external team in any drills you conduct!)
External incident response services
If you need some support with your incident response plan, external providers
can help address strategic and tactical gaps by:
Developing robust security programs: If you're unsure whether your incident
detection and response program covers the scenarios relevant to your
organization, an incident response service can help you improve your readiness
for incidents and breaches.
Conducting tabletop exercises: Put your internal incident response team
through their paces with threat simulation exercises conducted by an outside
service to verify your team’s readiness.
Conducting compromise and/or breach readiness assessments: An external
incident response team can assess the current state of your organization’s
environment and security processes, and identify any potential risks or gaps.
Providing immediate breach remediation: If you suspect you’re being
breached and need immediate help, an external incident response service can
jump into action to help stop further damage.
Offering incident response retainers: A retainer with an incident response
service keeps your teams aligned and ensures the external team is ready to go
should the worst occur. Many retainers include several of the services named
above, and they often come with a service level agreement (SLA) on response
times.
It may sound repetitive, but the worst time to prepare for a breach really is after
one has occurred. Having a robust incident response plan in place—and ensuring
it has been communicated to all stakeholders—is the best way to prepare for this
worst-case scenario.