8 Crucial Incident Response Steps
While many of you have likely heard of and even given thought to incident response, you may not have taken the time to fully flesh out the exact incident response steps you should follow when an incident occurs. Yes, you read that right, I said when. Data breaches increased 68% in 2021 – and organizations faced many additional suspect incidents on top of these confirmed breaches. Given the proliferation of technology in our world, your organization will experience an “incident” (or more likely many incidents) during your tenure. Your organization’s response has the power to make or break its future viability. Or, to put it another way, a poor response can turn one minor incident into two major incidents.
Before we go through incident response steps, let’s define “incident” so that we are all starting from the same point. An incident, for our purposes, is anything that disrupts or has the potential to disrupt normal operations at your organization. Whether it is a short, limited-reach disruption or a major outage, having the appropriate incident response steps in place is crucial to limit the damage and prevent further or ongoing disruption.
Determining Incident Response Steps and Policies BEFORE You Need Them
The steps outlined below may occur simultaneously, in concert, or in a slightly different order, depending on your organization, operations, and available staff. Incident response is not a linear process. This blog will focus on the incident response steps themselves, but I have also included multiple links for many incident response resources. You can also check out our in-depth video, New Trends in Incident Response, or watch a quick 3-minute video on Incident Response Monitoring and Logging.
The incident response steps included in this blog assume that you have already done some preparation such as identifying an incident response team and creating an incident response plan. If you don’t have these steps in place yet, contact us and we can guide you through the process.
8 Crucial Incident Response Steps
1. Activate Your Organization’s Response Team: Depending on the severity of the incident, you may not need the whole team to jump into action; however, there should be some planned communication to the team that an incident has occurred so that they are prepared should it turn out to be bigger than initially thought. In some situations, you may only need IT members of the Response Team, but for larger incidents members from the executive team, legal counsel, communications, and others should be included. Identify the team member who will be the primary incident handler or manager for this particular incident. They will guide your team through all the incident response steps. Ideally, you will also have a Business Continuity and Disaster Recovery plan in place to provide additional guidance. For tips on including cybersecurity incidents in your BCDR plan, read this blog.
2. Establish Plans for Status Updates: During an incident, communication is critical. First, you’ll want to consider whether you need to use out-of-band communications. Second, your Response Team should determine how frequently status updates will be shared and the means of communicating those status updates. For example, the team might decide initially that updates will occur every 30 minutes via a text message to the team, or every hour via email to the incident manager. These status updates are not meant to be public facing (although they could then be used by other team members to update non-Response Team members and the public); they are updates to the Response Team only. A big benefit of establishing and following a status update plan is that the team working on the incident will not be subjected to questions from multiple teams, such as “When will this be fixed?” Also, those not working on fixing it won’t have to track them down to ask for status updates – saving everyone time and effort – and allowing the team fixing the issue to focus on response.
3. Contain the Incident: You’re probably thinking, “Well, that’s obvious!” but it’s important to mention anyway because containment needs to be done thoughtfully. For example, if you have malware on a server or workstation, rather than powering either one off, consider whether disconnecting network connections and “air-gapping” or isolating the system may be more efficient, while still preserving evidence. Containment also may not be limited to systems that are directly impacted – it may mean creating new firewall policies, resetting all passwords, or temporarily disabling an email account or tenant. Your primary goal with containment is to stop the bleeding, limit the damage, and prevent further infection – without causing later casualties. Read more specific tips in 4 Crucial Steps for Data Breach Containment and What to Do When Malware Strikes.
4. Create a Plan: While containing the incident, you and your team will also be learning more about it. Use that information to then come together as a Response Team and create a plan for eradication and recovery. Most organizations skip this step and move directly into recovery, but without a plan, team members are likely to make changes or take steps that conflict, creating further chaos. Your plan does not need to be fancy – it can be scribbles on a whiteboard or a text document with no formatting – but it needs to be something that the whole team knows about, can access, and follows.
5. Preserve Evidence: One of the crucial incident response steps that is often overlooked or skipped outright in favor of recovery is preserving any forensic evidence that will inform the investigation that is sure to happen after the incident. That investigation might narrow the scope or eliminate liability for the incident, saving the company money and reputation. One of the quickest, easiest ways to preserve evidence is to replace hard drives. If the incident is impacting a system with replaceable internal storage media, like hard drives, pull the drives that contain the evidence (whether it’s malware, data exfiltration, unauthorized access, or something else), store them someplace safe, put new drives in, and rebuild the system. Some evidence preservation may require backing up configurations or copying log files to other systems before they are overwritten. (If you are not certain what sources of evidence should be preserved, you may benefit from our Cyber First Responders course.)
6. Recover: Get operations back to normal as quickly as possible. During your planning session in step 4, you likely considered whether temporary solutions will be needed, whether you’ll need additional staff, or whether purchases will be needed to recover. Make sure everything is outlined as best you can and follow the plan.
7. Implement Improvements: Can you make changes to the environment that will reduce the likelihood of a similar incident happening again? For example, in the case of unauthorized access, would multi-factor authentication have prevented the attack? Did you have all of the log files you needed, or should you increase the retention period? As operations are returned to normal, improvements to security should be put into place AND documented. Often, eradication, recovery, and improvements overlap, so documentation throughout the process is especially crucial. Changes put in place quickly need to be enumerated so that they can be supported going forward.
8. Hold a Lessons Learned Meeting: Once the incident is over, gather the Response Team for a debrief session. Consider and discuss what worked, what didn’t work, what could be improved, and how to improve it. Then update your IR plan document to reflect those lessons learned so that you’ll continue to be more efficient and effective in your response. If you’re interested in reading some of the key lessons learned by our team over the years, read our blog, Memorable Hacks and the Takeaways for Your Incident Response Strategy.
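One way to carry out the log-copying part of the Preserve Evidence step, as an added Python example that is not from the original post: it copies the named log files into an evidence directory, hashes each source and its copy, records a file that is already gone instead of skipping it, and writes a manifest of who collected what and when, so the copies can later be shown to be unchanged. The directory layout, collector name and the log line in demo() are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

def sha256_file(path):
    digest = hashlib.sha256()  # stream the file so large logs need not fit in memory
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def preserve_logs(sources, dest_dir, collector):
    """Copy each log into dest_dir, hash source and copy, and write manifest.json."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in (Path(s) for s in sources):
        if not src.is_file():  # record the gap: a log that is already gone is itself a finding
            entries.append({"source": str(src), "status": "missing"})
            continue
        # flatten the full path into the copy's name so two auth.log files cannot collide
        target = dest / src.resolve().as_posix().strip("/").replace("/", "__")
        source_hash = sha256_file(src)
        shutil.copy2(src, target)  # copy2 keeps the original modification time
        entries.append({"source": str(src), "copy": target.name, "sha256": source_hash,
                        "status": "ok" if sha256_file(target) == source_hash else "copy_mismatch"})
    manifest = {"collector": collector, "entries": entries,
                "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_manifest(dest_dir):
    """Re-hash every preserved copy; return the names whose hash no longer matches."""
    manifest = json.loads((Path(dest_dir) / "manifest.json").read_text())
    return [e["copy"] for e in manifest["entries"]
            if e["status"] == "ok" and sha256_file(Path(dest_dir) / e["copy"]) != e["sha256"]]

def demo():  # constructed sample run: one real log file, one that is already gone
    work = Path(tempfile.mkdtemp())
    (work / "auth.log").write_text("Jan 10 03:14:07 host sshd[812]: Failed password for admin\n")
    manifest = preserve_logs([work / "auth.log", work / "gone.log"], work / "evidence", "responder-01")
    clean = verify_manifest(work / "evidence")                   # [] right after collection
    next((work / "evidence").glob("*auth.log")).write_text("x")  # simulate a later modification
    return manifest, clean, verify_manifest(work / "evidence")   # last item names the changed copy

if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

Store the evidence directory (manifest included) on a system the affected host cannot write to, and re-run verify_manifest before handing the copies to whoever conducts the investigation.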
Incident response can feel like a disaster, but it doesn’t have to. Creating an incident response plan, practicing the plan, and following the general incident response steps outlined here can improve your team’s response and lead to a smooth recovery. Better yet, you can also simulate an incident with a tabletop exercise (I outline three of my favorite IR tabletops in this blog) and proactively test your incident response plan to uncover and close any gaps.
If you need help creating an incident response plan, conducting a tabletop exercise, or responding to an incident, contact our experienced team. We’re ready to help!