In a treacherous global threat landscape, avoiding danger completely is at best unrealistic – sooner or later, your organisation is going to have to deal with some form of cyber attack, and implement an appropriate response. The more effective your response to a cyber attack, the more likely it is that you’ll be able to mitigate or minimise negative consequences, and ensure your business and employees are protected.
What is incident response?
Incident response refers to the policies and procedures that a business implements to help it minimise and manage the consequences of a security incident, such as a cyber attack, or even prevent the attack in the first place. In practice, that means not only reducing damage but addressing other critical factors, such as business recovery time, and the overall cost of the attack.
The incident response process goes beyond the investigation and containment of threats, and extends to analysing those threats, learning from them, educating employees, and developing new policies to enhance security outcomes in the future.
What are security incidents?
To understand incident response, it’s important to know what ‘security incident’ means in the context of cyber threats. A threat may manifest physically via employee conduct or behaviour, or digitally as a virus, malware or hack that penetrates a network. With those factors in mind, some of the most common types of security incident include:
Phishing
Phishing is a speculative strategy designed to convince an individual to reveal sensitive information to hackers. In perpetrating a phishing attack, hackers will usually craft an email or voice message that appears to be from a source trusted by the target, with the goal of having the target reveal sensitive information in their response.
Phishing attacks may be incredibly sophisticated in their execution, often employing creative means to convince the target of their authenticity. Since they rely on the manipulation of human nature, phishing attacks may be classified as a type of social engineering.
Ransomware
A form of malware, ransomware is a type of cyber attack that encrypts and then holds a user’s or an organisation’s files to ransom after it has penetrated a network. Since those files are often valuable or critical to operations, victims of ransomware are often highly motivated to pay the hacker, even if doing so would be a contravention of the law. Given its effectiveness, ransomware has become the most popular global cyber crime, with around 493.3 million attacks in 2022.
DDoS attacks
A distributed denial of service (DDoS) attack refers to large numbers of hacker-controlled computers or bots sending traffic to a target network simultaneously in an effort to overwhelm it. DDoS attacks clog up networks with bogus traffic, preventing them from functioning normally and making them inaccessible to users.
Insider threats
An insider threat refers to either a user inside an organisation who attempts to compromise its network security maliciously, or a user who does so unintentionally as a result of negligence. Malicious insider threats may exploit network weak points and vulnerabilities, while negligent insider threats compromise security by not following protocol, for example, failing to protect log-in information, or using weak passwords. Insider threats do not necessarily need to compromise network security and may be as simple as the knowing or unknowing exfiltration of data – even copying to a USB drive which is subsequently taken off-site.
Privilege escalation
In privilege escalation attacks, hackers attempt to gain low-level or limited system access capabilities and then use that status as a foundation to escalate their access. Hackers typically gain higher-level access by moving laterally around a network until an opportunity presents itself, and often attempt to acquire or steal security credentials to facilitate their efforts.
Man-in-the-middle
If a hacker is able to intercept legitimate communication between two network users, they may be able to manipulate it to execute a man-in-the-middle attack. In this type of attack, legitimate users may be more willing to reveal sensitive information, or download malicious software, because they believe they are communicating with a fellow legitimate network user. Man-in-the-middle attacks do not necessarily need to be user-to-user: hackers may trick users by mimicking trusted wireless networks, such as those offered by coffee shops, and then penetrate secure networks when users log in with work devices.
Planning Incident Response
One of the foundations of incident response is the development of an incident response plan.
The plan should be organisation-specific and should be accessible and actionable for employees at every level of seniority. Accordingly, the plan should be developed by a team representative of the entire company, including not only security and IT experts but stakeholders from senior management, HR, compliance and risk management, or any department that may be affected by a security breach. It may also be helpful to engage third-party experts to shape the plan as it is being developed.
The incident response plan should be a living document, and be reviewed, tested, and updated regularly to ensure ongoing effectiveness. Key components of an incident response plan include:
- A definition of “security incident” as it pertains to the organisation.
- Step-by-step detail on how the organisation and its employees should execute their response to a security incident.
- A list of employee roles and responsibilities during an incident response period.
- The security software and hardware tools that the organisation has implemented to manage a network breach.
- A business continuity plan to restore critical operations and systems.
- A plan for communicating information about the security incident to internal stakeholders, employees and customers.
- Guidelines for documenting the incident and collecting and preserving evidence for subsequent internal and legal investigations. It may also be useful to know which regulatory or law enforcement authorities should be notified.
Given the broad spectrum of threats that an organisation may face, it may be necessary to develop multiple incident response plans, adjusting the content of each to fit the unique challenges of the situation.
Executing an Incident Response Plan
The practical actions that a company should take before, during, and following a security incident typically align with the following sequence of steps:
- Research and preparation: Pre-incident, firms should conduct research into their threat environment in order to understand what kinds of attacks they may have to deal with, and how their networks may be vulnerable. Firms should use this insight and other forms of threat intelligence to develop their incident response plan.
- Monitoring: Firms should begin monitoring their network for suspicious activity, including indicators of compromise (IoCs). It may be useful to conduct threat hunting activities to identify potential breaches and shape any necessary response.
- Mitigation: If a network breach is detected, firms should be prepared to implement measures to contain and mitigate negative effects. In this situation, the response plan should guide security activities.
- Remediation: Once a threat is contained, and further damage prevented, firms should work to secure their network and ensure that all traces of the threat are removed.
- System recovery: Following successful removal of a threat, firms should seek to restore normal operational activity as soon as possible. Recovery activities may involve patching compromised security measures, reinstalling or resetting software, and bringing critical systems back online.
- Review: It’s critical that firms understand and learn from the threats they face. To that end, security teams should seek to preserve, collect, and analyse data from an attack in order to determine its cause and address vulnerabilities. It may also be necessary to pass data to law enforcement authorities for forensic analysis.
Automating Incident Response
Effective incident response involves the coordination of multiple workflows and a depth of technical expertise. To reduce friction and pressure on employees, and to increase the chance of positive outcomes, firms should seek to automate as much of the process as possible through the integration of technology solutions.
Data management tools are particularly useful in cyber security contexts: the more security teams learn about the threats they face, the more efficient and impactful they can make their response when an attack occurs. Network traffic analysis (NTA), endpoint detection and response (EDR), and security information and event management (SIEM) tools all offer a level of automated vigilance that can be critical to incident response outcomes.
Integrating AI Advantages
Artificial intelligence (AI) has the power to transform incident response by providing security teams with an unprecedented analytic power and versatility. In addition to automated speed and accuracy, AI innovations can automatically identify anomalies within vast data sets, infer connections between seemingly discrete data points, and even predict attack vectors based on historical information.
Ripjar’s Labyrinth for Threat Investigations (LTI) is used by some of the world’s largest MSSPs to maintain a sophisticated knowledge store of threats and historic incidents that can be applied to protect customers from incidents as they occur. Harnessing the latest AI innovation, Ripjar’s LTI solution delivers powerful new incident response possibilities, including cutting-edge threat intelligence, threat hunting, and data management features. Combining those industry-leading AI tools with machine learning and data fusion capabilities, LTI enables firms to visualise the threats they face quickly and effectively, and provides analysts with the flexibility and depth they need to deliver positive investigatory outcomes.
Build your incident response process with AI-enabled threat intelligence