Skip to content
Home » Blog » How to handle an Incident Response

How to handle an Incident Response

Incident Response

Introduction

The goal of any incident response plan is to quickly detect and mitigate an incident. To do this, you need to have a comprehensive plan in place that involves preparedness, establishing a team, creating an incident response timeline, and providing training.

Prepare for the worst

This is one of the most important steps in preparing for an incident. You need to make sure you have a plan in place to deal with a breach, and you should have this plan reviewed and updated on a regular basis.

The first thing you need to do is gather information about your overall security posture, including what tools are available and how well they work. You also need to understand the current state of your network, including potential vulnerabilities that might be exploited by attackers or other threats like malware infections.

Once this has been done, it’s time to start thinking about what would happen if something bad did happen. This can be as simple as imagining yourself getting up in front of all your colleagues at an afternoon meeting and announcing that there was a data breach today—and then explaining what happened next (i.e., who got notified). It may seem silly when written down like this, but imagining yourself actually doing it will help get those juices flowing and make sure you don’t forget anything important when it comes time for real-life implementation!

Establish a team

Establish a team. This can be done by having a meeting with the people from different areas of the company who are involved in incident response, such as IT, HR, Legal and Compliance. They should decide who will lead this team and how it will be organized internally. The team needs to have a secretary for taking minutes during meetings; as well as an email address for communicating with other teams within your organization or outside organizations (e.g., law enforcement). You might also want to consider setting up an online collaboration tool like Slack so that all members of the team can communicate easily and quickly when necessary.

Give the team authority

You should give your team authority to do what they need to do. That means they will be able to make decisions and act without seeking approval from you or other leadership.

The team needs to be able to communicate with each other, so it’s important that everyone on the response team has access to email, calendar invites and any other collaboration tool you use in your organization. It is also helpful if members of the incident response team have direct access to communication channels like Slack or Zoom if those are used by their organization.  It is also recommended to not use company email during an incident in case your email has been compromised.

Finally, when an incident occurs, it’s critical that someone is available 24/7 who can always communicate with public relations teams throughout the investigation process (e.g., during an active investigation). Having a designated spokesperson for law enforcement inquiries related directly back into your IR program will help ensure both accuracy in information sharing as well as timely responses when necessary

Create a preparedness plan

The first step in handling a breach is to create a preparedness plan that includes steps you can take to mitigate the impact of a breach, quickly detect it, contain it, and recover from it.

The ability to quickly detect a breach is critical because time is of the essence. The sooner you know about an incident, the more time you have to contain and recover from it. Your organization needs to implement processes that enable detection of suspicious activity as soon as possible so security incidents can be appropriately addressed before they cause significant damage or disrupt business operations.  Setting up a Security Information and Event Management or SIEM, for short, will then store all of your security logs in one location and then parse the data and display it in a readable setup.

A preparedness plan should include:

  • A process for detecting unusual activity across all systems within your environment.
  • Resources available for investigation (e.g., forensic tools).
  • A means by which IT staff will communicate with one another during investigations.

Create an incident response timeline

  • Create an incident response timeline.
  • In the timeline, include all steps in the incident response plan and their time requirements. Some examples of these steps include:
  • Step 1: Preparation: Actively conduct pre-incident planning, per system (a recurring process).  Examples are enabling NTP, establish a SIEM and have a change management policy in place.
  • Step 2: Identification: Make sure that there is indeed an incident and not a false positive.
  • Step 3: Containment: Once you found where the incident has started take action by segmenting the workstation and any other devices that may contain the malicious item that was the cause.
  • Step 4: Once the issue has been contained then remove the malware in question by other wiping the workstations or by removing any trace of the malware and it’s other files.
  • Step 5: Recovery: Make sure that no sign of the malware is being seen on the network and then return the workstations back into production.
  • Step 6: Lessons Learned: Create a full report of the incident and steps taken to remediate the incident.  Let management know everything is back to normal.

Create and distribute a comprehensive incident response plan

An incident response plan is a document that describes the actions required to be taken in the event of an IT security breach or another type of digital emergency. It should include:

  • A list of who needs to be notified (employees, clients and customers, law enforcement or other government agencies)
  • What information should be shared with those groups
  • How they should be contacted (by phone, email, social media)

Once you’ve created your Incident Response Plan, you’ll want to make sure all members of your team know how it works so they can respond appropriately when an incident occurs. To fully understand how this process works, we recommend taking some time before training begins to review best practices for ensuring that your plan stays relevant and up-to-date.

Incident Response Training

  • Training is key to a successful incident response.
  • You should have training that is relevant, interactive and hands-on. This type of training helps ensure that people understand what they need to do in an incident response situation.
  • It’s important for the training to be repeatable so it can be scaled up easily if your organization expands or shrinks.
  • Training should also be available at all levels of your company so everyone understands their role in an incident response situation.
  • Table top exercises of incidents using real world scenarios can be a great way to train you and your staff on incident response.

Creating a comprehensive Incident Response Plan is essential to quickly detect and mitigate an incident.

A comprehensive Incident Response Plan is essential to quickly detect and mitigate an incident.

The plan should include all the details necessary to respond to an incident in a timely fashion. The plan should include instructions on how you will handle each type of incident and the difference between false positives and false negatives, as well as what actions you should take if an incident occurs.

Conclusion

A well-defined incident response plan is an essential component of any cybersecurity strategy. It can help you quickly detect, mitigate and remediate incidents before they become serious threats. To learn more about creating an incident response plan for your organization, contact us today!