Incident response (IR) is the systematic approach to managing a cyber security incident. The primary objective of IR is to minimize the impact of a cyber attack, offer rapid recovery, and limit business interruption loss for organizations.
Incident response is carried out by specialists—via an in-house security operations unit or an outsourced incident response firm like Blackpanda—in the event of a cyber breach.
Experts like our incident response specialists are trained to handle various types of security incidents, cyber threats, and data breaches. The main goals of an incident response methodology are to identify, contain, eradicate, and minimize the duration and cost of a cyber breach.
What are the Governing Frameworks of Incident Response?
Thought leaders in the field of cyber security have established frameworks that serve as industry standard reference points to guide incident responders in the event of a cyber breach.
These frameworks include:
- The National Institute of Standards and Technology (NIST) frameworks: the NIST Cybersecurity Framework (CSF) and the NIST Computer Security Incident Handling Guide (SP 800-61)
- The SysAdmin, Audit, Network and Security (SANS) Institute framework
- The Observe, Orient, Decide, Act (OODA) loop
While each framework uses different terminology, all of them serve the same fundamental goal of incident response: respond rapidly, limit and eradicate the threat, and minimize business interruption loss.
First and foremost, it is important to determine whether a true breach or incident has occurred or whether the alert was a false positive, and to document that decision and the evidence behind it. Next, the causes of the incident must be identified so that the impact of future incidents can be reduced. Finally, the incident response team should guide the organization in applying lessons learned to improve the process.
Improving an organization's security posture and ensuring thorough incident response planning is at the crux of all incident response frameworks. Prosecuting the attacker is rarely stated as an explicit goal, but preserving evidence for possible legal action belongs in every remediation plan, as does keeping management, staff, and affected clients informed of the situation and the response.
The NIST Framework
The NIST Cybersecurity Framework identifies five core functions (CSF 2.0 adds a sixth, Govern) that describe a security program as a whole, with incident response spanning the last three. NIST's dedicated incident handling guide, SP 800-61, breaks the response lifecycle itself into Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The five CSF functions are:
- Identify: This includes identifying physical and software assets, the organization’s business environment, established cybersecurity policies, asset vulnerabilities, threats to internal and external organizational resources, and risk response activities to assess risk.
- Protect: This includes implementing protections for Identity Management and Access Control, empowering staff through security awareness training including role-based and privileged user training. It also involves establishing data security protection best practices and implementing processes and procedures to maintain and manage the protection of information systems and assets.
- Detect: Detecting potential cyber security incidents early is critical. This step aims to ensure anomalies and events are detected, with their potential impact understood.
- Respond: This step centers on executing the incident response plan promptly while managing communications with internal and external stakeholders during and after an event. Continuous analysis of the incident as it develops is crucial to an effective response and to supporting recovery activities; this includes forensic analysis, incident impact determination, and mitigation.
- Recover: Recovery is the ultimate goal of incident response. It includes restoring affected systems and services, implementing improvements based on lessons learned and reviews of existing strategies, and coordinating internal and external communications to restore business as usual.
The SANS Framework
The SANS Institute delineates six phases that must be included in an incident response plan:
- Preparation: Training and equipping the IR team and all involved individuals to manage cybersecurity incidents when they arise. Deploying monitoring tools and drafting IR plans are examples of preparation.
- Identification: Determining and qualifying whether a particular event can be considered a security incident, and identifying the full scope of systems, devices, and endpoints involved.
- Containment: Containing the incident across all systems in scope, limiting further damage and data loss while preserving evidence for the investigation.
- Eradication: Identifying the root cause of the attack and removing it from the affected systems: deleting malware and attacker persistence, patching the exploited vulnerability, and resetting any compromised credentials.
- Recovery: Following the removal of corrupted elements, this phase ensures that affected systems are safely brought back to the operational environment and no threat remains.
- Lessons Learned: The last but most critical phase includes completing all documentation requirements from all actions taken during the incident, conducting analysis and assessment of the response efforts to provide recommendations for the future.
The OODA Framework
Lastly, the OODA (Observe, Orient, Decide, and Act) loop was developed by US Air Force colonel and military strategist John Boyd. The OODA loop is often applied to cyber incident response because it handles incidents as a continuous cycle that runs in real time rather than as a one-off sequence of phases.
- Observe: Continuous security monitoring helps in identifying abnormal network/system behavior. The observation goal is fulfilled through log analysis, SIEM and IDS alerts, network monitoring, vulnerability analysis, service/application performance monitoring.
- Orient: This focuses on the evaluation of the cyber threat landscape of the organization through incident triage, threat intelligence, awareness regarding the current situation, and security research.
- Decide: Based on the observations and their context, choose the action plan that contains the threat with the least downtime and the fastest system recovery; making this choice quickly is a fundamental goal of rapid incident response.
- Act: Using forensic analysis tools, system backups and data recovery tools, patch management, and security awareness training programs, the incident response team carries out remediation and recovery and documents lessons learned for future use. The loop then returns to Observe to confirm the threat is gone.
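The SANS Identification step (qualifying an event as an incident and fixing its scope) and the OODA Observe/Orient/Decide steps are easier to see in code. The script below is an added example, not code from the original page or from Blackpanda: it parses a handful of constructed SSH-style authentication log lines, qualifies each source IP as an incident (a burst of failed logins followed by a success inside a time window), suspicious (failures only) or benign, records every host and account the source touched after the first compromised login as the scope, and attaches a containment plan. The log format, the five-failure threshold and the ten-minute window are assumptions chosen for the example.

```python
"""Added example: log triage through observe -> orient -> decide, mirroring the SANS
Identification/Containment phases. Sample log, format and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from any real system). Three sources:
# 203.0.113.5 guesses alice's password, succeeds, then pivots to db01 (incident);
# 198.51.100.7 fails five times but only logs in 25 minutes later (suspicious, outside window);
# 192.0.2.9 logs in once with no failures (benign).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=web01 user=alice src=203.0.113.5 event=login_failed
2024-05-01T10:00:03Z host=web01 user=alice src=203.0.113.5 event=login_failed
2024-05-01T10:00:05Z host=web01 user=alice src=203.0.113.5 event=login_failed
2024-05-01T10:00:06Z host=web01 user=alice src=203.0.113.5 event=login_failed
2024-05-01T10:00:08Z host=web01 user=alice src=203.0.113.5 event=login_failed
2024-05-01T10:00:11Z host=web01 user=alice src=203.0.113.5 event=login_ok
2024-05-01T10:02:40Z host=db01 user=alice src=203.0.113.5 event=login_ok
2024-05-01T10:05:00Z host=web02 user=bob src=198.51.100.7 event=login_failed
2024-05-01T10:05:09Z host=web02 user=bob src=198.51.100.7 event=login_failed
2024-05-01T10:05:20Z host=web02 user=bob src=198.51.100.7 event=login_failed
2024-05-01T10:05:31Z host=web02 user=bob src=198.51.100.7 event=login_failed
2024-05-01T10:05:40Z host=web02 user=bob src=198.51.100.7 event=login_failed
2024-05-01T10:30:00Z host=web02 user=bob src=198.51.100.7 event=login_ok
2024-05-01T11:00:00Z host=web01 user=carol src=192.0.2.9 event=login_ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)


@dataclass
class Finding:
    src: str
    verdict: str                      # "incident", "suspicious" or "benign"
    hosts: set = field(default_factory=set)   # scope: hosts reached after compromise
    users: set = field(default_factory=set)   # scope: accounts used after compromise
    failures: int = 0
    actions: list = field(default_factory=list)


def observe(text):
    """Observe: parse raw lines into events sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def orient(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Orient: per source IP, qualify the activity and work out its scope."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        f = Finding(src=src, verdict="benign")
        recent_failures = []        # failure timestamps kept within the sliding window
        compromised_at = None       # time of the first success that followed a burst
        for e in evs:
            if e["event"] == "login_failed":
                recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
                recent_failures.append(e["ts"])
                f.failures += 1
            elif e["event"] == "login_ok":
                in_window = [t for t in recent_failures if e["ts"] - t <= window]
                if compromised_at is None and len(in_window) >= fail_threshold:
                    compromised_at = e["ts"]     # guessing that worked: a true incident
                    f.verdict = "incident"
                # Scope: every successful login by this source from the compromise onward,
                # including lateral movement to other hosts.
                if compromised_at is not None and e["ts"] >= compromised_at:
                    f.hosts.add(e["host"])
                    f.users.add(e["user"])
        if f.verdict != "incident" and f.failures >= fail_threshold:
            f.verdict = "suspicious"   # brute force attempted, no success seen in window
        findings[src] = f
    return findings


def decide(findings):
    """Decide: attach a containment plan to incidents; suspicious sources get watched only."""
    for f in findings.values():
        if f.verdict == "incident":
            f.actions.append(f"block {f.src} at the perimeter")
            f.actions += [f"isolate {h} and preserve its logs" for h in sorted(f.hosts)]
            f.actions += [f"disable {u} and force a credential reset" for u in sorted(f.users)]
        elif f.verdict == "suspicious":
            f.actions.append(f"add {f.src} to the watchlist; no containment yet")
    return findings


def triage(text):
    """Run observe -> orient -> decide and return findings keyed by source IP."""
    return decide(orient(observe(text)))


if __name__ == "__main__":
    for src, f in triage(SAMPLE_LOG).items():
        print(src, f.verdict, sorted(f.hosts), sorted(f.users), f.actions)
```

The window is what separates a real incident from a false positive here: bob's five failures followed by a much later success never qualify, so his source is only watched, while alice's source is blocked and both hosts it reached (web01 and the db01 it pivoted to) are isolated before eradication starts. The Act step, running those actions and verifying them, is deliberately left outside the script.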