IR Teams, Planning, and Phases of Response
Cyberattacks have increased both in scale and frequency in recent years due to rapid global digitization. The threats we see are constantly evolving and have become more sophisticated than ever, causing both operational damage and substantial financial loss.
As such, an attack is no longer a matter of if, but when it will affect your business. When that happens, you may require the help of incident response specialists to contain and eradicate the threat.
But what exactly is Incident Response, anyway?
What is incident response?
Incident Response (IR) is the systematic approach to managing a cyber security incident. Like firefighters arriving at a burning building, we help identify the source of the danger and the scope of the damage, and then strategize an approach to contain and exterminate the threat.
Incident response often also includes aspects of crisis management, digital forensic investigation, and legal or public relations support (as needed). The ultimate goal of incident response is to limit damage and identify the root cause of the incident to better manage future risks. Effective incident response allows you to remediate a situation faster, protecting sensitive data, your company’s reputation, and revenue streams.
What makes up an incident response team?
Planning and preparing for the unexpected compromise includes designating a team that handles the attack head-on. Based on the guidelines from the SANS Institute, IR efforts should primarily be led by the organization's Computer Security Incident Response Team (CSIRT).
The CSIRT is composed of members from top management such as the Chief Information Officer or Chief Information Security Officer, the IT department, the Information Security team, IT auditors, as well as general IT and physical security staff. Ideally, the team is also supported by representatives from human resources, legal, and public relations departments.
The CSIRT acts as the first responders who provide on-call professional support for cyber emergencies. The team follows the organization's established Incident Response Plan, which is a formally documented set of guidelines and standard operating procedures that determine the chain of command and the actions to be taken in a cybersecurity incident.
When companies lack these particular roles or expertise in-house, they may turn to third-party incident response firms like Blackpanda to conduct digital forensic investigations, provide crisis management support, and coordinate efforts with legal, PR, or law enforcement agencies (as required).
What is an incident response plan?
As mentioned, an incident response plan is a documented set of guidelines and standard operating procedures that determine the chain of command and actions in a cybersecurity incident.
Having a documented incident response plan is essential, irrespective of industry or company size, as it allows a company to plan out the most effective response before an attack occurs. Without a plan, your organization wastes valuable time and resources on reactive efforts that can be ineffective or lead to greater losses.
Instead of just being an IT concern, your incident response strategy should be an important part of your overall business strategy to ensure that immediate decisions can be made based on verified information, affecting the rest of business operations as little as possible.
A well-designed incident response plan lays out the procedures and protocols to be taken, as well as contingencies across a range of attack types—whether a data breach, denial of service/distributed denial of service attack, network intrusion, malware outbreak, or even malicious actors within the company itself.
Your plan should cover how to detect, respond to, and reduce the damages of an incident. Putting this plan in place helps a firm gain the confidence of all stakeholders, including its customers.
Lastly, the specific roles and responsibilities of employees must be detailed in the incident response plan to establish accountability. List the tools, technologies, and resources that these responsible parties will require throughout the processes.
The 6 Phases of an Incident Response Plan
The SANS Institute delineates six phases that must be included in an incident response plan:
Preparation. Training and equipping the IR team and all involved individuals to manage cybersecurity incidents when they arise. Deploying monitoring tools and drafting IR plans are examples of preparation.
Identification. Determining and qualifying whether a particular event can be considered a security incident, and identifying the full scope of systems involved.
Containment. Containing the incident across all systems in scope and limiting the damage to prevent data loss and destruction of evidence.
Eradication. Identifying the root cause of the attack and attending to the affected systems, either removing or patching affected endpoints.
Recovery. Following the removal of corrupted elements, this phase ensures that affected systems are safely brought back to the operational environment and no threat remains.
Lessons Learned. The last but most critical phase includes completing all documentation of the actions taken during the incident, and analysing and assessing the response effort in order to provide recommendations for the future.
Incident response planning is a lot of work, but it is important work. If your team is feeling lost, looking to upgrade your strategy, or could use some specialist support, Blackpanda offers incident response consulting services to help businesses of all types and sizes best prepare for the security threats they face.
For more information, contact us to schedule an exploratory call with one of our experts.