Your Ultimate Guide to
Incident Response

What is Incident Response?

Incident response is a structured approach to handle various types of security incidents, cyber threats, and data breaches. The incident response methodology aims to identify, contain, and minimize the cost of a cyberattack or a live incident. A well-built incident response (IR) plan can fix a potential vulnerability to prevent future attacks, but it is not the sum game.Response is a part of Incident Handling which in turn looks at the logistics, communications, synchronicity, and planning required to resolve an incident. This type of work is generally done by the Computer Security Incident Response Team (CSIRT) with the help of the Security Operation Center. While the core of CSIRT is incident management, its role also includes reporting, analysis, and response. However, prior to these stages, it is important that the incident is identified and reported on time. It is during this stage that the role of a SOC Analyst becomes important. All of this is best taught in EC-Council’s Incident Handling Program – a course made by some of the best industry practitioners.

“With a successful incident response program, damage can be mitigated or avoided altogether.”

Chris Morales, Head of Security Analytics, Vectra

 

Why Is Incident Response Important?

Data breaches cost companies’ operational downtime, reputational, and financial loss. The longer any vulnerability stays in a system, the more lethal it becomes. For most of the organizations, breaches lead to devaluation of stock value and loss of customer trust. To eliminate such risks, companies need a well-planned cybersecurity incident response plan, which aims at –

  • Restoring daily business operations
  • Minimizing financial and reputational losses
  • Fixing cyber vulnerabilities comprehensively and quickly
  • Strengthening security posture to avoid future attacks

Know Incident Response Fundamentals

Another important objective is to align the security posture with applicable regulatory standards. Organizations should comply with these standards to avoid hefty fines and penalties. A few of the significant acts and regulations are listed below –
HIPAA
(for the healthcare industry)
PCI DSS
(for payment industry)
Gramm-Leach-Bliley Act
(for the financial services industry)
FISMA
(for federal agencies)

HIPAA (for the healthcare industry)

The Health Insurance Probability and Accountability Act (HIPAA) is designed to safeguard Protected Health Information (PHI) stored in an electronic form. Being HIPAA compliant, the healthcare institutions follow the HIPAA Security Rule and ensure to implement administrative, technical, and physical safeguards, thus, protect sensitive personal and health information.

To learn more: HIPAA: All That You Should Know

PCI DSS (for payment industry)

The Payment Card Industry Data Security Standard (PCI DSS) is a security standard with the primary objective of protecting credit and debit card transactions against data theft and fraud. Even though PCI DSS compliance is not mandatory, businesses should follow their guidelines to secure their credit and debit card transactions. Being PCI DSS compliant helps in building trust relationships with stakeholders and customers.

To learn more: A Introduction to PCI DSS

Gramm-Leach-Bliley Act (for the financial services industry)

Gramm–Leach–Bliley Act (GLBA) is an act that helps in improving competition in the industry. Its main aim is to ensure security and confidentiality of customer data, safeguard integrity by protection against potential cyber threats and unauthorized access, and proper disposal of customer data.

To learn more: All About Gramm- Leach-Bliley Act

FISMA (for federal agencies)

The Federal Information Security Management Act (FISMA) is a comprehensive framework applicable to US-based federal agencies. The act protects government information, operations, and information assets against natural disasters and cyberattacks.

To learn more: Federal Information Security Management Act of 2002

What are the common types of incidents?

icon box image

Phishing attacks

350% rise in phishing websites at the start of 2020 – United Nations

icon box image

Denial-of-Service attacks

595% year-over-year increase in DDoS attacks against utilities worldwide – NETSCOUT

icon box image

Ransomware attacks

20% hike in ransomware attacks within 6-months, amounting to 121.4 million events – SonicWall

icon box image

SQL injections

8000% rise in SQL Injection attacks in 2019, versus 2018 – WatchGuard

icon box image

Malware attacks

176% increase in new malware attacks disguised as Microsoft Office file types – SonicWall

Incident Handling Vs. Incident Management Vs. Incident Response

Incident Response
It is a set of technical activities done in order to analyze, detect, defend against, and respond to an incident. It is a part of the incident handling and incident management process. It is often used in synchrony with the term incident handling.

Incident Handling
It is the process and procedures that are predefined to manage an incident. It involves the planning and the actionable stage, before, during, and after an incident is detected.

Incident Management
Both incident handling and incident response go hand in hand. It is often assumed as one function for better ease in processes. This is where incident management comes in. Incident management is the scope of having both incident response and incident handling come together to ensure the end-to-end process, right from reporting an issue to planning and resolving the issue.

Incident Management and Business Continuity

One of the biggest challenges of incident management is the unpredictability of an ongoing security incident and communication gaps. Building a quick, effective, transparent, and real-time incident response plan helps minimize the downtime and impacts of the cyberattack. It also allows implementing a thorough Business Continuity Plan. To simply put, an incident response plan (IRP) and a business continuity plan (BCP) goes hand-in-hand.

What is an Incident Response Plan?

An incident response plan (IRP) is a documented set of instructions that help incident responders to detect and respond to security incidents. The plan also ensures the successful recovery of the affected system. An IRP is a well-strategized plan against security breaches, data loss, and service outages.

Why should you have an Incident Response Plan?

No organizational system or network is safe from cyberattacks. In such an environment, an incident response plan helps mitigate the security risks and fight against crippling cybercrimes.

What should an incident response plan include?

An incident that activates an IR plan also initiates the BCP for continuous business operations. Both incident handlers and BCP team leaders need timely and accurate information to take proper steps against the unanticipated event. The following elements of incident management systems help in offering effective business continuity –

1. Initial Response Statistics

For initial response statistics, employees need important information in a real-time environment. This data helps incident responders to take resolutions against escalating situations swiftly. Being capable of establishing an intuitive, customizable system is important for incident management.

2. Reporting

Incident managers can take proper actions against a computer security incident only if they have accurately reported information. This process needs real-time details of the incident to customize a proper response.

3. Feedback

After the resolution of the incident, honest feedback from the stakeholders can improve the existing incident management system.

To know more about the incident response in a distributed workforce using cloud forensics, check out this amazing video by Michael Weeks, Lead Incident Response Engineer at FICO.

What is an Incident Response Process?

An incident response process helps an organization to remain in business. It is an accumulation of various procedures targeted at identifying, analyzing, and responding to potential security incidents. The primary objective of the process is to minimize the impact and offer rapid recovery.

In simple words, incident response methodology handles security incidents, breaches, and possible cyber threats. It comes with an incident response plan designed to identify the cyber-attack, minimize its impact, and reduce the financial burden.

How is Incident Response Process (OODA Loop) Different from NIST Incident Response Life Cycle?

OODA loop was developed by the US Air Force military strategist John Boyd. OODA stands for Observe, Orient, Decide, and Act. It is used to tackle incident handling in a real-time environment.

Cycle Description Tools and Tactics Key Takeaways
Observe Continuous security monitoring helps in identifying abnormal network/system behavior Log analysis, SIEM and IDS alerts, network monitoring, vulnerability analysis, service/application performance monitoring Observe as much as you can, and document all the findings related to the security system, network, and business operations. This phase helps in successfully responding and defending the incident.
Orient Evaluation of the cyber threat landscape of the organization. Logically connect and bring out real-time context to prioritize security incidents. Incident triage, threat intelligence, awareness regarding the current situation, security research Think like the cybercriminal to build thorough defense strategies. Take the help of threat intel to capture the right information.
Decide Based on observations and context, decide an action plan that offers minimal downtime and fastest system recovery Organization’s own corporate security policy Document different aspects of the process
Act Remediation, recovery, and documenting lessons learned for future use Forensic analysis tools, system backup, data recovery tools, security awareness training tools and programs, patch management Improve the training methods and communication to eliminate the incident effectively
The NIST cybersecurity framework helps the private sector organizations of the United States to improve their prevent, detect, and response processes against cyberattacks. The framework offers high-level outcomes to assess and manage security incidents. The US National Institute of Standards and Technology released the first version of the NIST framework in 2014; it has continuously evolved since then. Its recent version includes guidance on conducting self-assessments, interacting with supply chain stakeholders, and developing a vulnerability disclosure process.

What are the phases of the incident response lifecycle defined by NIST?

The NIST framework is organized into five major functions/phases – Identify, Protect, Detect, Respond, and Recover, which are later subdivided into 23 categories.

Take a look at the five phases of incident response:

Function Description Categories
Identify Developing organizational understanding to manage various security risks related to systems, information assets, data, and operations
  • Asset Management (AM)
  • Business Environment (BE)
  • Governance (GV)
  • Risk Assessment (RA)
  • Risk Management Strategy (RM)
Protect Developing and implementing suitable safeguards for better delivery of critical infrastructure services
  • Access Control (AC)
  • Awareness and Training (AT)
  • Data Security (DS)
  • Information Protection Processes and Procedures (IP)
  • Maintenance (MA)
  • Protective Technology (PT)
Detect Developing and implementing processes to identify security incidents
  • Anomalies and Events (AE)
  • Security Continuous Monitoring (CM)
  • Detection Processes (DP)
Respond Developing and implementing strategies to respond to the detected incidents
  • Response Planning (RP)
  • Communications (CO)
  • Analysis (AN)
  • Mitigation (MI)
  • Improvements (IM)
Recover Developing and implementing a plan to restore the business operations after the occurrence of the incident
  • Recovery Planning (RP)
  • Improvements (IM)
  • Communications (CO)

To learn more: 5 Steps to Building an Incident Response Plan for a Large Organization

What are the five steps of an incident response plan?

Here are the five incident response steps –

Step 1: Determine the critical components of the network

To avoid major damages, replicate your organizational data, and store it in a remote location. As business networks are complex, note the backup locations, which will help the IT staff to recover the network quickly, whenever required.

Step 2: Identify points of failure in the network and address them

Once you identify the critical components, create a plan to protect these assets. The points of failure can jeopardize the entire network. So, address them with software failover features and other required tools.

Step 3: Develop a workforce continuity plan

During a disaster or a security breach, some locations or processes become inoperable and inaccessible, but this should not affect the regular business operations and employee security. Build a plan with virtual private networks (VPNs) and secure web gateways to help the staff continue their work without stress.

Step 4: Form a cyber security incident response plan

Document a formal plan with the list of roles and responsibilities of incident responders, tools and technologies involved, and effective data recovery processes.

Step 5: Staff training

Every employee should be well-aware of different types of cyberattacks and how to avoid them.

What is an Incident Response Team?

A computer security incident response team (CSIRT) helps in mitigating the impact of security threats. With the rising number of security threats, organizations need a dedicated team for incident response.

What does an incident response team do?

The CSIRT comes into action whenever an unexpected event occurs. The roles and responsibilities of an incident response team are listed below. The team generally comprises of incident response analysts, incident handlers, network engineers, and a few other dedicated professionals.

  • Create and maintain an IR plan
  • Analyze the security incident
  • Manage internal communications and alerts whenever an incident occurs
  • Offer easy communication with stakeholders and the press whenever needed
  • Remediate incident
  • Recommend tools, technologies, policy, and governance after the incident

How to build an incident response team?

A core incident response team consists of –

  1. Incident Response Manager: The manager supervises the entire process and prioritizes the actions during the detection, analysis, containment, and recovery phases.
  2. Security Analysts: These professionals work to recover the affected network. There are two types of security analysts in an IR team –
    • Triage Analysts – They look for potential threats and filter out false positives.
    • Forensic Analysts – They keep digital evidence preserved to conduct forensic investigation against the incident.
  3. Threat Researchers: They offer threat intelligence and context related to the incident.

Also check out: 5 Common Challenges Incident Handling and Response Teams Face

Professional Tools Used in Incident Response

Businesses are facing a rise in security incidents. In the technologically driven world, these incidents have become unavoidable. That is why the incident response team needs powerful tools to defeat and contain security events.

Security incidents are capable of crippling a business. They can lead to financial loss, reputational loss, negative publicity, and even a negative impact on the sales and stock market. It can strip down an organization from its long-earned credibility. With the help of tools, incident responders can quickly detect, analyze, and respond to intrusions.

Best Incident Response Tools

LogRhythm It is a NextGen SIEM platform that offers comprehensive security analytics, user and entity behavior analytics (UEBA), network detection and response (NDR), and security orchestration, automation, and response (SOAR).
Sumo Logic The tool is best for securing cloud infrastructures and advanced applications. It provides the required analytics and insights.
InsightIDR This SaaS SIEM tool is used for modern threat detection and response.
CB Response It arms incident response team with real-time response capabilities and expert threat analysis.
IBM QRadar This tool accurately detects and prioritizes security threats.

Incident Response Jobs

The results are for the US alone

Incident Response Manager Jobs

Security Analysts Jobs

Triage Analysts Jobs

Forensic Analysts Jobs

Threat Intelligence Researchers Jobs

Average Salary of an Incident Handler

According to salary.com, the average salary of an Incident Handler in the United States ranges from $79,213 to $100,341.

The fluctuation in salary relies on a few factors, such as the qualification and skills of the candidate. An expertise in several incident response tools helps an incident responder earn more. Apart from that, the location of work can also have an impact on earning.

A Day in the Life of An Incident Responder

An incident responder must have visibility of how everyone is contributing to the network traffic. The actions of these professionals revolve around the primary objectives of reducing security risks and improving customer trust.

The day of an incident responder starts with looking for malware in the user systems. These professionals use Endpoint Detection and Response (EDR) for monitoring and responding to cyber threats. Once done, they shift to the detection of malware in the servers. They also perform threat hunting and proactive monitoring. They build phishing campaigns to understand internal and external threats. They are also responsible for device management that includes creating a sandbox environment or honeypot. These professionals take part in several meetings and draft important reports.

How to Become a Certified Incident Handler?

EC-Council designed a comprehensive incident handling certification course that offers a specialist level incident response skills and knowledge. The incident handling training program will help you detect, analyze, contain, respond to, and recover from a security incident. To gain next level incident handling skills, join EC-Council Certified Incident Handler today!

Get Trained