
Incident Response Procedures

In today's interconnected world, every organization suffers cybersecurity incidents of one kind or another. Your team's ability to respond efficiently and effectively to incidents may be the difference between success and serious financial loss or reputational damage for your organization. Careful planning and preparation are crucial to ensure business continuity during the most challenging security incidents.

Preparation

To prepare for incidents, ensure that you formally assign responsibility, document response policies and procedures, establish an incident response team, publish accurate contact information, and train your incident handlers.

Assign Responsibility

Identification

The identification phase begins when defenders discover signs of an incident. Signs can take a wide range of forms, from intrusion detection system (IDS) alerts to system outages. Immediately after identification of a potential incident, a common reaction is to skip directly to the containment and recovery steps. However, resist the urge to skip steps. Skipping to containment before identifying all affected systems can allow attackers to change tactics and entrench themselves more deeply. Also, moving to containment before resources are in place to collect forensic evidence can destroy vital information and place an organization at risk.

Once a suspected incident has been reported or detected, the following steps should be executed in a methodical and controlled manner to validate the incident and identify its scope.
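The scoping step above, worked through in code as an added example (not code from the original page): IDS alert lines in the Suricata/Snort "fast" log layout are parsed and grouped per internal host, so the handler sees every system involved, including internal-to-internal activity, before anything is disconnected. The sample alerts, addresses, and signature IDs are constructed for the example, and the RFC 1918 ranges used to decide what counts as "internal" are an assumption.

```python
"""Scope a suspected incident from IDS alerts before containment starts.

Added example, not code from the original page. It parses alert lines in the
Suricata/Snort "fast" log layout and groups them per internal host, so the
handler can see every system involved (including internal-to-internal
activity) before any system is disconnected.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample alerts. Addresses, signature IDs and messages are
# illustrative values, not records from any real incident.
SAMPLE_ALERTS = """\
03/14/2024-09:12:01.120000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 10.0.5.21:49212
03/14/2024-09:12:44.000100  [**] [1:2013028:6] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.21:51002 -> 203.0.113.7:443
03/14/2024-09:15:10.300000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.21:40001 -> 10.0.5.40:22
03/14/2024-09:15:11.300000  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.5.21:40002 -> 10.0.5.41:22
03/14/2024-09:20:05.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 10.0.5.41:51330
"""

# One fast-log line: timestamp, [gid:sid:rev], message, classification,
# priority, protocol, then "src:port -> dst:port".
FAST_LOG = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\].*?\[Priority:\s*(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Assumption: the organization's address space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def parse_alerts(text):
    """Parse fast-log lines; lines that do not match are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%m/%d/%Y-%H:%M:%S.%f")
        e["priority"] = int(e["priority"])
        events.append(e)
    return events


def scope_incident(events):
    """Per internal host: alert count, distinct signatures, peers and the time window seen."""
    hosts = {}
    for e in events:
        # A host is in scope whether it was the target or the source of the alert.
        for addr, peer in ((e["src"], e["dst"]), (e["dst"], e["src"])):
            if not is_internal(addr):
                continue
            h = hosts.setdefault(addr, {"alerts": 0, "signatures": set(), "peers": set(),
                                        "first_seen": e["time"], "last_seen": e["time"]})
            h["alerts"] += 1
            h["signatures"].add(e["msg"])
            h["peers"].add(peer)
            h["first_seen"] = min(h["first_seen"], e["time"])
            h["last_seen"] = max(h["last_seen"], e["time"])
    return hosts


def lateral_moves(events):
    """Internal source -> internal destination pairs: hosts a containment plan must not miss."""
    moves = {}
    for e in events:
        if is_internal(e["src"]) and is_internal(e["dst"]):
            moves.setdefault(e["src"], set()).add(e["dst"])
    return moves


if __name__ == "__main__":
    ev = parse_alerts(SAMPLE_ALERTS)
    for host, info in sorted(scope_incident(ev).items()):
        print(f"{host}: {info['alerts']} alerts, {len(info['signatures'])} signatures, "
              f"peers={sorted(info['peers'])}, window {info['first_seen']} .. {info['last_seen']}")
    for src, dsts in lateral_moves(ev).items():
        print(f"internal-to-internal activity from {src}: {sorted(dsts)}")
```

Run against the sample, the scope is three internal hosts rather than the single one that raised the first alert: 10.0.5.21 appears as a target and then as the source of outbound and internal scanning alerts, and 10.0.5.40 and 10.0.5.41 are reached from it. Containing only the first host would leave the others in place, which is the situation the text warns about.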

Containment

The goal of the containment phase is to limit the damage the attacker can cause and to preserve evidence for later analysis. Once the Incident Handler has determined which systems are affected and the potential impact, move to the containment phase.

Always develop a containment plan before putting measures into place. This will allow defenders to execute containment quickly and methodically, while giving attackers little time to react once containment begins.

The plan should contain the incident while preserving evidence whenever possible. For instance, if a web server has been compromised, coordinate with the system's administrator to acquire a live memory image before disconnecting the server and imaging the hard drives.

Recovery

The goal of the recovery phase is to get the organization back to normal operations. During this phase compromised systems should be rebuilt, affected customers should be notified, and attack vectors identified during the Identification and Containment phases should be remediated.

Post-Incident

The goal of the post-incident phase is to assess and improve the incident response process. During this phase the Incident Handler's notes, the timeline of the incident, the evidence collected, and any other information about the incident should be archived.

The Incident Handler should also file a brief after-action report that summarizes causes and impacts of the incident, as well as steps taken to identify, contain, and recover from the incident. Special attention should be given to parts of the incident response process that were successful or need improvement. These after-action reports should be regularly incorporated into the preparation phase.

General Tips

  • Take detailed notes during every phase of the incident response. Detailed notes act as a speed limiter, as well as preserve vital information for later. If decisions are being made faster than notes can be taken, it is likely the decisions are not being well considered.
  • Complete each step before moving on to the next.
  • Collect evidence before disconnecting power. Many organizations place themselves at risk by disconnecting or reimaging systems without collecting evidence required to prove that regulated data was not exfiltrated. The relatively short time required to collect a memory image is well worth the ability to prove that an incident did not result in a breach of regulated data.
  • Prepare. Provide incident handlers with formal training. Conduct mock incidents to train supporting personnel and identify gaps in information gathering. You can conduct these internally, or have a third-party company run "tabletop exercises" or even simulate real events to test your incident response capabilities. Often, these exercises uncover critical gaps in communications capabilities and response procedures, which you can address proactively.
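The containment guidance above (acquire volatile evidence from a compromised server before disconnecting it) and the tip on collecting evidence before disconnecting power, as one added example that is not code from the original page: a Python collector that runs read-only commands in order of volatility, stores each output, and writes a SHA-256 manifest so the collection can later be shown to be unaltered. Memory imaging is delegated to an external tool; AVML (invoked as `avml <output file>`) is an assumption and is skipped when it is not installed, as are any listed commands absent from the host.

```python
"""Collect volatile evidence from a host before it is disconnected or powered off.

Added example, not code from the original page. Each command's output is
written to its own file and a sha256sum-compatible manifest is produced so the
evidence can be verified later. Memory imaging is handed to an external tool
(AVML assumed); it is skipped when the tool is absent.
"""
import hashlib
import os
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone

# Order of volatility: most transient state first. Any tool missing on the host is skipped.
VOLATILE_COMMANDS = [
    ("date", ["date", "-u"]),
    ("uptime", ["uptime"]),
    ("processes", ["ps", "auxww"]),
    ("sockets", ["ss", "-tupan"]),
    ("interfaces", ["ip", "addr"]),
    ("routes", ["ip", "route"]),
    ("logged_in", ["who", "-a"]),
    ("mounts", ["mount"]),
    ("kernel", ["uname", "-a"]),
]


def make_workdir(prefix="ir-volatile-"):
    """Fresh collection directory; a removable medium would be used in a real collection."""
    return tempfile.mkdtemp(prefix=prefix)


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_to_file(cmd, path, timeout=60):
    """Run cmd with stdout+stderr captured into path; returns a short status string."""
    with open(path, "wb") as fh:
        try:
            proc = subprocess.run(cmd, stdout=fh, stderr=subprocess.STDOUT, timeout=timeout)
        except subprocess.TimeoutExpired:
            return "timeout"
    return "ok" if proc.returncode == 0 else f"exit {proc.returncode}"


def collect_volatile(outdir, commands=VOLATILE_COMMANDS, memory_tool="avml"):
    """Collect volatile state, then write collection.log and manifest.sha256 in outdir."""
    os.makedirs(outdir, exist_ok=True)
    started = datetime.now(timezone.utc).isoformat()
    log = [f"# collection started {started} on {os.uname().nodename}"]
    paths = {}  # basename -> full path of every evidence file produced
    for name, cmd in commands:
        if shutil.which(cmd[0]) is None:
            log.append(f"{name}: skipped, {cmd[0]} not found")
            continue
        path = os.path.join(outdir, f"{name}.txt")
        log.append(f"{name}: {' '.join(cmd)} -> {run_to_file(cmd, path)}")
        paths[os.path.basename(path)] = path
    # Memory image: still volatile, so it is taken here, before any disconnect or reimage.
    if memory_tool and shutil.which(memory_tool):
        image = os.path.join(outdir, "memory.lime")
        status = run_to_file([memory_tool, image], os.path.join(outdir, "memory_tool.log"), timeout=3600)
        log.append(f"memory: {memory_tool} {image} -> {status}")
        if os.path.exists(image):
            paths["memory.lime"] = image
    else:
        log.append(f"memory: skipped, {memory_tool!r} not available")
    manifest = os.path.join(outdir, "manifest.sha256")
    with open(manifest, "w") as fh:
        for name, path in paths.items():
            fh.write(f"{sha256_file(path)}  {name}\n")  # same layout as `sha256sum` output
    with open(os.path.join(outdir, "collection.log"), "w") as fh:
        fh.write("\n".join(log) + "\n")
    return {"outdir": outdir, "paths": paths, "manifest": manifest, "log": log}


def verify_manifest(outdir):
    """Re-hash every file listed in the manifest; returns the names that no longer match."""
    mismatches = []
    with open(os.path.join(outdir, "manifest.sha256")) as fh:
        for line in fh:
            digest, name = line.rstrip("\n").split("  ", 1)
            if sha256_file(os.path.join(outdir, name)) != digest:
                mismatches.append(name)
    return mismatches


if __name__ == "__main__":
    result = collect_volatile(make_workdir())
    print("\n".join(result["log"]))
    print("manifest:", result["manifest"], "mismatches:", verify_manifest(result["outdir"]))
```

The manifest is written in `sha256sum` layout, so the handler can later run `sha256sum -c manifest.sha256` from a copy of the directory and show that the archived evidence matches what was collected. Disconnecting the network cable or powering the host off only happens after this returns, which is the ordering the containment section calls for.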