Responding to a cybersecurity incident is a process. It’s not an isolated event.

For an incident response (IR) plan to be successful, your organization should take a coordinated and organized approach to any cybersecurity occurrence.

But what is an incident response plan?

An incident response plan, as it pertains to the world of cybersecurity, is an organized approach to preparing, detecting, controlling, and recovering from a data breach.

Cybersecurity incidents are detrimental to the health of a company. In many cases, serious incidents can lead to data loss. It can also fail the services, operations, and functions of the company.

To prevent catastrophic outcomes of a cybersecurity breach, you should have a plan to respond to the incident. 

What happens during an incident response? What are the stages and steps? 

There are seven important incident response stages that every response program should cover. These steps exist to effectively address the wide range of security incidents that a company can experience.

• Stage 1: Preparation

• Stage 2: Identification

• Stage 3: Containment

• Stage 4: Eradication

• Stage 5: Recovery

• Stage 6: Learning

• Stage 7: Re-testing

• Conclusion

When in the middle of a cybersecurity incident, it's nearly impossible to create a well-organized response to the threat at hand. Thus, an incident response plan needs to be carefully prepared in advance. This will give your organization a fighting chance against the situation as it plays out in real-time.

To do so, your organization needs to conduct a risk assessment. This assessment should identify and address all potential threats within and outside your organization. Once the assessment is complete, there should be consistent maintenance to prevent cyberattacks. 

For example, let's say your information system has a vulnerability due to a recent update. You need to make sure it’s immediately addressed and maintained over time. Otherwise, hackers will use that vulnerability to enter your system. 

You need to create a strong plan to support your team. To be successful, you should include these features in an incident response plan…

• Develop and Document IR Policies 

• Establish policies, procedures, and agreements for incident response management.

• Define Communication Guidelines

• Create communication standards and guidelines to enable seamless communication during and after an incident.

• Incorporate Threat Intelligence Feeds

• Perform ongoing collection, analysis, and synchronization of your threat intelligence feeds.

• Conduct Cyber Hunting Exercises

• Conduct operational threat-hunting exercises to find incidents occurring within your environment.

• Assess Your Threat Detection Capability

• Assess your current threat detection capability

• Update risk assessment and improvement programs.

All phases of an incident response plan are important. That said, identification could arguably be the most important phase.

Organizations that can identify potential threats and determine their severity of them can prioritize situational management. You can also prioritize which threats are most likely going to cause problems, allowing you to minimize the consequences.

The identification phase involves completing something called “penetration testing”. If you are asking yourself, “What the heck is that?” Let me explain. A penetration test is a simulated attack on your system. You do this to evaluate the security and understand the likelihood of an event. It also helps you evaluate the potential impact of the breach.

By identifying current and potential threats, your organization is better prepared. You will have an easier time to contain the threat.

Speaking of containing the threat, that’s the next step.

When a breach happens, don’t panic. Your first thought might be to delete everything and turn your systems offline. Don’t do that. There are better ways to contain a breach. 

If you turn your system online and/or delete data, you risk losing valuable information. You want to learn how the breach occurred, whether it happened, and devise a plan based on the evidence. If you panic, you can’t do anything.

Instead, take the following actions…

• Disconnect infected systems from the internet to prevent data leaking 

• Change access control credentials to strengthen security 

• Quarantine-identified malware for evidence and future analysis

• Disable remote access capability and wireless access points 

• Create a backup of your data

After you contain the threat, it will be much easier to eradicate it.

Now that you’ve contained the breach, it’s time to eliminate it. This is one of the most critical stages of an incident response.

The strategy for neutralization revolves around the intelligence and indicators of compromise during the identification and containment phases.

Here is what you should do…

• Coordinated Shutdown

• Once you contain all the compromised systems within the environment, perform a coordinated shutdown of these devices. 

• Send a notification to all IR team members to ensure proper timing.

• Wipe and Rebuild 

• Wipe the infected devices and rebuild the operating system from the ground up

• Change passwords of all compromised accounts

• Threat Mitigation Requests

• If you identified domains or IP addresses that are common targets for bad actors, issue threat mitigation requests. This blocks communication from all egress channels connected to these domains.

In a nutshell, the eradication process involves a complete reimagining of a system’s hard drive. This ensures all malicious content is thoroughly wiped and is no longer present for reinfection.

Now that you’ve eradicated all of the malicious activity from your computer systems, it’s finally time to recharge.

The main goal of this stage is to bring the systems back online and continue business as usual. You can now restore full service. You need to test, monitor, and validate previously infected systems/networks to make sure the same assets aren’t reinfected. 

Additionally, all affected users, both inside and outside your organization, should receive notification of the breach and its present status. In cases where account credentials were part of the compromised information, you should take the necessary steps to reset passwords and/or deactivate accounts.

The best thing to do after you recover from a cybersecurity incident is to learn from it. You need to make sure it doesn’t happen again. 

The first thing to do is create a report detailing a play-by-play review of the incident. This report should answer who, what, where, when, and why the situation happened.

The purpose of documenting this is to learn from the incidents that happened. This can help you identify weaknesses and prevent reoccurrence. You can use this information to create or implement cybersecurity training for employees. The document can also act as reference material in the event of another similar breach.

Now that you completed the first six phases of an incident response plan, it’s time for the seventh and final step. 

An incident response plan should end with a re-testing element. Re-testing allows you to fine-tune your plan. You can ensure your plan covers all necessary areas of security within your organization.

After your retest, you can use your findings to improve the process, adjust your plans/procedures, and find any gaps that you may not have noticed. 

If you followed all of these incident response stages, congratulations! You’ve survived a cybersecurity incident with minimal damage. 

Unfortunately, there is no time to celebrate. Cyberattacks are skyrocketing, especially since the push for digitalization and remote work due to COVID-19.  In fact, 2019 saw the highest amount of ransomware incidents to date. Now that the internet hosts more confidential information, it serves as a goldmine for hackers. Therefore, you need to be on your toes.

The success of a cybersecurity indecent plan is only as great as the people who created it. No matter how much your organization tries to prevent data breaches, they could still happen. That’s why you need to have a good incident response plan.