What is Incident Response?
As the name suggests, incident response, or IR, is the process of responding to a cybersecurity incident.
It’s worth noting that an incident in cybersecurity can mean lots of different things—it doesn’t simply refer to an attack.
An incident could be completely accidental, e.g., sending a sensitive email to Donald Davidson rather than David Donaldson. Or, it could be a malicious targeted attack in which data has been leaked, deleted, encrypted, etc.
Either way, the common denominator in incident response is that data has been compromised, which is why incident response planning is so important.
The Basics of Incident Response
Now that we understand what it means, it’s worth looking at the three primary objectives of any incident response plan:
- What happened and how?
- What can we do about it?
- How can we stop it from happening again?
Fundamentally, these are the only three things that matter in any incident response situation. If you cannot identify the cause of the incident, then you cannot fix it, which means you’re setting yourself up to fail—and if you have no means of getting your data back, then you’re in really big trouble.
Thankfully for you (unless you’re reading this after an incident has taken place), by laying the correct groundwork, you can tackle all three of these objectives pretty simply.
What Happened and How Can We Prevent It From Happening Again?
One of the most important aspects of incident response is understanding how the incident occurred and implementing measures and protocols to prevent it from happening again.
In incident response planning, the single most important thing you can do to put yourself in the best position to answer this particular question is to keep data logs.
By not having data logs, you are always putting yourself at a serious disadvantage regardless of how good your incident response team is.
If you have logs, the next common mistakes are not having a team monitor them or not having the logs centrally managed.
If no one is monitoring your data logs, you hamper your incident response time because an incident must be identified before an incident response can take place—the earlier the incident is reported, the better.
After all, if no one spots the incident occurring, it’ll take longer for your incident response team to work out what happened, as they have to waste time finding it in the data logs.
Accidents
When it comes to accidents, the first part is usually pretty straightforward. Using the same example as above, the incident occurred because an employee sent sensitive data to the wrong person. Simple.
The second part is the tricky part, because 95% of cybersecurity breaches are caused by human error. This means you can either accept that incidents are going to happen and, therefore, focus your efforts on other areas of cybersecurity, or you can invest in employee cybersecurity training and develop a cyber-conscious company culture.
We would definitely recommend the latter, and to understand why, check out our blog on the importance of cybersecurity training for employees.
Attacks
For targeted attacks, if your cybersecurity team spotted the danger whilst monitoring the logs, then they can immediately begin to piece together what has happened, what vulnerabilities were exploited, and what the attacker did.
From there, to prevent future attacks, they can begin patching the vulnerabilities, hire third-party penetration testing companies like ourselves to find more vulnerabilities, and use strategies like defence-in-depth, which you can read more about here, to give the business a fighting chance of withstanding future attacks.
As highlighted above, if there are no logs, it can sometimes be impossible to completely understand what happened, which makes preventative measures difficult to introduce. If you have logs but no one is monitoring them, it might take a little longer to identify the root cause, but the approach to preventative measures will remain the same.
What Can We Do About the Incident Right Now?
Similar to the importance of data logs in tackling the previous question, this task is much easier to tackle if you have regularly updated backups. These backups can be automated to ensure that a backup is made at least every week, and in the best-case scenario, important data should be backed up at least every twenty-four hours.
Since the aim of cyberattacks like ransomware is usually to encrypt data and demand a ransom before the data is deleted or leaked, having backups almost completely nullifies this threat.
We say *almost* nullifies this threat because it is common to see ransomware attacks attempt to access and delete backups as well. To deal with this, you must make sure your backups are airtight, i.e., only authorised personnel can access them, they are physically and digitally secure, and they are not on the company network.
Check out our article on ransomware to understand more about this.
Finally, it is important to say that backups should only be used once you are absolutely certain that the network is clean and the threat has been dealt with. Uploading your backups to a compromised network will just start this cycle all over again.
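Two of the backup requirements above can be checked mechanically: that the newest backup is recent enough (the post suggests at least every twenty-four hours) and that the backup files have not been altered or removed, which matters precisely because ransomware goes after backups. The script below is an added example and is not the post's or the company's own tooling. It assumes a hypothetical manifest, written when each backup is taken and stored separately from the backups themselves, that records each file's name, SHA-256 hash and creation time; the backup file names and contents are constructed for the demo.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Hash a file in chunks so large backup archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_backup_set(backup_dir, manifest, now, max_age_hours=24):
    """Check integrity and freshness of a backup set against its manifest.

    manifest: list of {"file": name, "sha256": hex digest, "created": ISO-8601 UTC}
    Returns {"ok": bool, "problems": [str, ...], "newest": datetime or None}.
    """
    problems = []
    newest = None
    for entry in manifest:
        created = datetime.fromisoformat(entry["created"])
        if newest is None or created > newest:
            newest = created
        path = os.path.join(backup_dir, entry["file"])
        if not os.path.exists(path):
            problems.append(f"missing: {entry['file']}")
            continue
        if sha256_file(path) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['file']}")
    if newest is None:
        problems.append("no backups in manifest")
    elif now - newest > timedelta(hours=max_age_hours):
        problems.append(f"newest backup is older than {max_age_hours}h")
    return {"ok": not problems, "problems": problems, "newest": newest}


def build_demo_set(root):
    """Constructed backup set: one intact fresh file, one altered file, one missing file."""
    now = datetime(2024, 3, 2, 8, 0, tzinfo=timezone.utc)
    good = b"customer database dump (constructed sample)"
    hr = b"HR file archive (constructed sample)"
    with open(os.path.join(root, "customers.sql.gz"), "wb") as f:
        f.write(good)
    with open(os.path.join(root, "hr.tar.gz"), "wb") as f:
        f.write(hr + b"X")  # one byte appended after the manifest was written
    manifest = [
        {"file": "customers.sql.gz", "sha256": hashlib.sha256(good).hexdigest(),
         "created": (now - timedelta(hours=6)).isoformat()},
        {"file": "hr.tar.gz", "sha256": hashlib.sha256(hr).hexdigest(),
         "created": (now - timedelta(hours=30)).isoformat()},
        {"file": "finance.tar.gz", "sha256": hashlib.sha256(b"finance").hexdigest(),
         "created": (now - timedelta(hours=30)).isoformat()},
    ]
    return manifest, now


def run_demo():
    """Build the constructed set in a temporary directory and verify it."""
    with tempfile.TemporaryDirectory() as root:
        manifest, now = build_demo_set(root)
        return verify_backup_set(root, manifest, now)


if __name__ == "__main__":
    result = run_demo()
    print("OK" if result["ok"] else "PROBLEMS:")
    for p in result["problems"]:
        print(" -", p)
```

In the demo the freshness check passes (the newest backup is six hours old) but the set is still reported as unusable, because one archive no longer matches its recorded hash and another is gone. Running a check like this on a schedule, from a host that can read the backups but not write them, turns "we think we have backups" into something you can show to the incident response team before anyone decides the network is clean enough to restore.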
Should I Hire a Third-Party Incident Response Team?
Naturally, a specialised incident response team is always going to be an asset, but unfortunately, they are a luxury most companies cannot afford. This is because they are extremely expensive—and that’s coming from a penetration testing company!
While there are many reasons for this, a simple one is that penetration testing companies are hired in advance, whereas IR teams have to drop whatever they’re doing at a moment’s notice and jump into action. You would have to be either the world’s largest pessimist or a time traveller to book an IR team in advance.
So, the verdict here is that, depending on the size of the incident, you should definitely hire a specialist IR team if you have the resources to do so.
Conclusion
If you want to develop an incident response plan, the process is simple: have fully monitored data logs and airtight backups. Use data logs to identify incidents as they happen, as well as the cause of them, and then use your backups to restore important data and guarantee business continuity.
Hiring a third-party incident response team is an optional alternative, but definitely one you should take if you can afford it. Hiring a penetration testing company is a must regardless of company size if you want to identify as many vulnerabilities as you can.
Then, using the information you have gathered on the attack and from the penetration testing company (and IR team, if you hired one), you can put preventative measures in place and ensure that this never happens again.
To prevent it from happening in the first place, it’s important to understand your attack surface by hiring a penetration testing provider who can simulate real-life attacks and offer remediation advice.