How to build a successful incident response procedure

Heather Gray

May 5, 2022

13 min read

Incident response is a process that identifies, isolates and eliminates cyberattacks and other vulnerabilities. It aims to protect the organization’s assets through timely detection of threats and to prevent these attacks from recurring in the future.

The latest report by the World Economic Forum paints a rather grim picture of cyberattacks. They no longer follow a predictable pattern and are becoming increasingly sophisticated. By not staying in the loop on current threats, you risk exposing critical business assets to malicious actors and rendering all the security measures you’ve taken obsolete.

So, how do you get out of this conundrum? The best way is to continually educate your management and staff on the latest cybersecurity threats. Hold meetings with the relevant teams on a regular basis to decide which technical controls you need to implement and, most importantly, document enough policies to keep all your employees and other interested parties on board. This not only improves awareness but also gives compliance auditors and other authorities a clear picture of your company’s current security posture.

No matter how strong your security infrastructure is, incidents are bound to happen. By documenting an incident response procedure, you encourage your employees to be more proactive in detecting and reporting incidents in a timely and efficient manner. It also sets guidelines on how these incidents should be properly analyzed and contained.

Stages of an incident response procedure

An incident response procedure is not a linear activity but rather a cyclic process with constant improvements being made over time. According to NIST, the incident response lifecycle can be broken down into these four stages:

  • Preparation
  • Detection and analysis
  • Containment, eradication and recovery
  • Post-incident activity

Preparation

Conduct regular training sessions to prepare your staff and create a list of all the software and hardware assets your organization maintains. Your employees should be properly briefed on the roles and responsibilities they hold in the event of a data breach. You need to set up a proper communication channel to ensure incidents are swiftly reported to the managers concerned and to other members of your IT security team. In this way, your management is notified as soon as a breach occurs and can take steps to consult external authorities if the breach warrants it.

In addition to documenting the response procedure, you need to carry out multiple mock security incidents to evaluate how effective the procedure is. This helps your employees stay on guard and follow the instructions documented in the procedure. The IT assets you keep track of include networks, servers and endpoints. When creating the asset inventory, make sure you evaluate the criticality of each asset and conduct periodic risk assessments to check for the risks these assets could be prone to. Also create a list of anticipated security events and write down a detailed response plan to be followed if these events occur.

Detection and analysis

Detection

The presence of an incident can be detected when there are anomalies or deviations from normal operations. Although they often tend to be grouped together, a data breach is separate from a security incident and requires following a different set of protocols. This is the phase where you determine whether the incident has really occurred or chalk it up to a false alarm.

Once identified, NIST recommends categorizing the signs of an incident into two groups: precursors and indicators. Precursors are signs that an incident is likely to occur in the future. Indicators, on the other hand, are signs that an incident may have occurred or is happening right now. You can use multiple technical tools to spot the presence of an incident within your systems and networks.

Analysis

Once you’ve located the source of the incident, your team should immediately begin collecting evidence and prioritize it by determining the impact it has over your organization’s operations and services.

According to NIST SP 800-61, a computer security incident handling guide, the detection and analysis phase involves the following steps:

  • Identifying an incident.
  • Analyzing the incident.
  • Documenting the incident.
  • Prioritizing the incident.
  • Notifying the relevant parties of the incident.

Containment, eradication and recovery

Containment

Once the incident has been identified, the next step should be to contain it to prevent further damage to your systems. You can apply short-term and long-term containment strategies, isolate affected systems, and keep sufficient backups to resume normal business operations. The whole point of a good containment strategy is to limit the impact a security incident can have on your organization. It is equally important to collect critical evidence, and your incident response procedure should document how this is done.

What should a containment strategy consist of?
  • Identify and evaluate the incident to check whether it needs to be isolated.
  • Document the steps of the isolation process.
  • Understand the need for isolating the incident and determine whether the steps you’ve implemented are effective.
  • Maintain copies of the affected systems to aid in the investigation process.
  • Ensure backups are available for the affected systems.

Eradication

In the eradication phase you determine the root cause of the incident and implement measures to eliminate all traces of it from your systems and servers. This can be done by patching your systems, reconfiguring applications, reviewing all implemented access control measures and hardening passwords. You strengthen the entry points attackers used to enter the network by identifying and remediating all their vulnerabilities.

Recovery

Once the threat has been removed from a system, it should be restored to normal operation immediately. Adequate steps should be taken to ensure these systems are not attacked again. Recovery is a crucial component of cybersecurity as it helps maintain business continuity and minimizes the negative effects downtime can have on your organization.

What should you include in your recovery process?
  • Make an inventory of all the assets that should be recovered.
  • Have a good data backup strategy by defining the RTO and RPO of the backed up data.
  • Define the backup frequency and storage location of the backup.
  • Keep copies of all critical files.
  • Carry out recovery tests for backups to ensure they are available within the specified RTO timeframe.
  • Have a dedicated team to carry out the recovery procedures.
  • Clearly define roles and responsibilities.
  • Set up an effective communication channel for easier coordination.
  • Test the recovery plan at regular intervals.

Post-incident activity

As the final stage of the incident response procedure, this helps organizations take a good look at the incident and properly understand the technologies and individuals involved, determine the root cause and come to terms with the full scope of the attack. Conducting a post-incident analysis greatly limits the chances of the incident happening again.

What does it involve?
  • Spot weaknesses by determining the vulnerabilities found within the systems and networks.
  • Identify weak access points and other internal issues threat actors exploited to gain entry.
  • Document and implement action plans to address these issues.
  • Conduct training sessions to improve awareness of new threats and lessons learnt from previous incidents.
  • Determine whether additional tools are needed to mitigate future incidents.
  • Set up a documented process for proper evidence collection.
  • Prioritize the maintenance of logs while handling sensitive data.

Why do you need an incident response procedure?

Image: Data breaches are more common than you think

Handling information security incidents can be difficult. Setting up an incident response procedure makes it easier for businesses to have a more organized approach to continually evaluate and improve the technical and administrative controls they’ve implemented. Other benefits of having an incident response procedure include:

  • Guiding organizations to prepare for an emergency.
  • Educating employees on their responsibilities.
  • Improving the prioritization of information and data security.
  • Exposing all vulnerabilities and weaknesses within the security process.
  • Educating employees on the steps they need to follow when an incident occurs.

How to implement a successful incident response procedure?

Implementing a successful incident response procedure shouldn’t be as hard as it sounds. Here are some of the guidelines you can follow to ensure you’ve included every stage defined within the response plan:

  • Define roles and responsibilities.
  • Make a detailed inventory of all hardware, software, digital assets and data.
  • Document their storage location.
  • Have network diagrams in place.
  • Document all IT systems and software versions.
  • Ensure periodic and daily backup of critical data.
  • Conduct recovery tests for the backups.
  • Identify attack types relevant to your organization.
  • Develop an action plan to handle those attacks.
  • Document the action plans and make them available to relevant parties.
  • Conduct regular reviews and updates of the action plans.
  • Test the action plans at regular intervals and document the results to check their effectiveness.
  • Conduct periodic training sessions on incidents and the latest threats.
  • Prioritize incidents and evaluate the risks and impact they pose to the organization.

How UEM helps organizations prepare for an information security incident

Image: Getting organizations to be more proactive

Now you might be wondering where endpoint management comes into all of this. When you think about all the patching and reconfiguration you need to do during the containment and eradication phases, you’ll begin to see why having a UEM solution on board makes perfect sense. Imagine how tedious this process is when it has to be done manually. A UEM gives your team complete device visibility and displays all the policies and configurations associated with each device from a single dashboard. It also helps IT admins accomplish multiple tasks such as managing assets and software inventory, setting security configurations and scheduling OS updates.

Device visibility

Devices can be enrolled with a wide range of enrollment options. Admins can pre-define configurations on the devices to make sure they continue to function according to your organization’s business requirements. Instead of checking each device individually, admins can use a UEM solution’s centralized dashboard to get a complete overview of the devices managed by your organization. This includes attributes such as the device and user name, model name, status, device type, ownership level, last enrolled time and compliance status, which gives admins an idea of how many devices currently comply with your organization’s deployed policies.

Hardware and software inventory

Maintaining a proper asset inventory gives your organization the visibility it needs to implement the right incident response procedure and helps in the early detection and mitigation of threats. As mentioned earlier in the blog, your asset inventory could include hardware, software, digital assets and data. Hardware could be anything from traditional devices such as PCs and laptops to IoT devices and wearables. Software assets include the applications, files and other content employees use for their work. Keeping the asset inventory up to date and documenting a proper asset management process is a great way for organizations to be proactive and detect vulnerabilities before they escalate. Applications are one of the most vulnerable points of entry for attackers.

Minimizing the amount of control users have over applications limits the chances of risks and vulnerabilities occurring. It also removes any dependency on users, leaving them free to carry on with their tasks without worrying about the installation and configuration process. Maintaining a proper app inventory not only helps admins identify the applications present on managed devices but also makes it easier for them to set the restrictions they need to limit unnecessary access to those applications and keep them secure.

Remote management

The number of employees accessing corporate data remotely has increased. It can be hard to manage these devices remotely and make sure they are not the source of any data leakage. UEM solutions come with remote management capabilities that make it easier for admins to ensure devices are properly configured and updated. They also help your team identify devices that are out of compliance. These devices can immediately be isolated and restricted from accessing your organization’s data and networks, further decreasing the chances of an outsider threat.

Employees are bound to lose their devices at some point or another. When an employee reports their device as lost, you can immediately set about securing the device by initiating a remote lock and data wipe to keep its contents secure.

Custom scripts

Scripts range from a series of simple system commands to programs in complex scripting languages that define system configurations and automate a number of manual tasks. Some of the most commonly used scripting languages include PowerShell, JavaScript and VBScript. These scripts can be run remotely on the managed devices with the help of a UEM solution.

Application logs

If any device fails to function properly or you’ve detected abnormal behavior, you can immediately start diagnosing the problem by retrieving app logs from the device. Settings such as the logging level and the retention period of the logs can be customized remotely through the UEM console. Maintaining logs is an integral part of implementing a successful incident response procedure, as it gives admins detailed insight into the issues faced by applications on the device.

Threat protection

Chances are high that your organization either runs entirely on Windows devices or that at least some percentage of your staff do. Microsoft Defender is an endpoint security solution that offers businesses the capability to detect and respond to threats detected within their networks. Admins can ensure that devices stay protected at all times by remotely enabling Microsoft Defender settings from the UEM console. Settings for Microsoft Defender Application Guard can be configured to further protect devices from multiple vulnerability types by running isolated browsing sessions.
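As an added example of the kind of custom script described above (not Hexnode’s code), the PowerShell below takes an endpoint compliance snapshot a UEM could run remotely: it collects the OS and installed-software inventory and checks the Microsoft Defender status, then exits non-zero so the device can be flagged as out of compliance. It assumes Windows 10/11 with the Defender PowerShell module, administrator rights, and placeholder thresholds and report path chosen for this example.

```powershell
# Added example, not Hexnode's code: endpoint compliance snapshot for remote execution.
# Assumes Windows 10/11, the Defender module, admin rights; thresholds/path are placeholders.
$MaxSignatureAgeDays = 3                                             # placeholder threshold
$ReportPath = Join-Path $env:ProgramData 'ComplianceSnapshot.json'   # placeholder path

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# Installed software from the 64-bit and 32-bit uninstall hives (the app inventory).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$software = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName

# Defender status; Get-MpComputerStatus throws where Defender is not installed.
$defender = $null
try { $defender = Get-MpComputerStatus -ErrorAction Stop } catch { }

$failures = @()
if (-not $defender) {
    $failures += 'Microsoft Defender not available'
} else {
    if (-not $defender.AntivirusEnabled)          { $failures += 'Antivirus disabled' }
    if (-not $defender.RealTimeProtectionEnabled) { $failures += 'Real-time protection disabled' }
    $sigAge = (Get-Date) - $defender.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $failures += "Signatures $([int]$sigAge.TotalDays) days old"
    }
}

# One record the UEM console can collect; the Failures list explains a non-compliant result.
$snapshot = [pscustomobject]@{
    Device        = $cs.Name
    User          = $cs.UserName
    OS            = "$($os.Caption) $($os.Version)"
    LastBoot      = $os.LastBootUpTime
    SoftwareCount = @($software).Count
    Software      = $software
    Compliant     = ($failures.Count -eq 0)
    Failures      = $failures
    CollectedAt   = (Get-Date).ToString('o')
}
$snapshot | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath -Encoding UTF8

# A non-zero exit code lets the UEM mark the device as out of compliance.
if ($snapshot.Compliant) { exit 0 } else { Write-Output ($failures -join '; '); exit 1 }
```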

Final thoughts

Though an incident response procedure gives your employees a guideline for dealing with information security incidents of varying magnitudes, it wouldn’t hurt to adopt additional policies to ensure full continuity of your business operations, such as documenting and testing a business continuity plan.

A business continuity plan documents all the processes your organization needs to follow to ensure critical services remain operational in the event of any disasters or breaches. This includes defining responsibilities and ensuring adequate backup resources are in place to maintain continuity. The plan should be tested out at periodic intervals to check its efficiency and also determine how quickly the resources can be recovered within the necessary time frame.

UEM solutions offer your team the strong protection capabilities they need to secure endpoints and keep a wide range of vulnerabilities at bay, such as identifying potential threats across devices and applications, deploying multiple data loss prevention policies and ensuring devices stay compliant with the requirements set by regulations and standards like HIPAA, PCI DSS, SOC 2 and GDPR.

Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.