What is incident response?
Explore how effective incident response helps organizations detect, address, and stop cyberattacks.
Incident response defined
Before defining incident response, it’s important to be clear on what an incident is. In IT, three terms are sometimes used interchangeably but mean different things:
- An event is an innocuous action that happens frequently, such as creating a file, deleting a folder, or opening an email. On its own, an event typically isn’t an indication of a breach, but when paired with other events it may signal a threat.
- An alert is a notification triggered by an event, which may or may not be a threat.
- An incident is a group of correlated alerts that humans or automation tools have deemed likely to be a genuine threat. On their own, each alert may not appear to be a major threat but when combined, they indicate a possible breach.
Incident response is the actions that an organization takes when it believes IT systems or data may have been breached. For example, security professionals will act if they see evidence of an unauthorized user, malware, or failure of security measures.
The goals of the response are to eliminate a cyberattack as quickly as possible, recover, notify any customers or government agencies as required by regional laws, and learn how to reduce the risk of a similar breach in the future.
How does incident response work?
Incident response typically starts when the security team gets a credible alert from a security information and event management (SIEM) system.
Team members need to verify that the event qualifies as an incident and then isolate infected systems and remove the threat. If the incident is severe or takes a long time to resolve, organizations may need to restore data from backups, deal with a ransom, or notify customers that their data was compromised.
For this reason, people other than the cybersecurity team are typically involved in the response. Privacy experts, lawyers, and business decision makers will help determine the organization’s approach to an incident and its aftermath.
Types of security incidents
There are several ways that attackers try to access a company’s data or otherwise compromise its systems and business operations. Here are several of the most common:
- Phishing - Phishing is a type of social engineering where an attacker uses email, text, or a phone call to impersonate a reputable brand or person. A typical phishing attack tries to persuade recipients to download malware or provide their password. These attacks exploit people’s trust and deploy psychological techniques like fear to get people to act. Many of these attacks are untargeted, going out to thousands of people in the hopes that just one responds. However, a more sophisticated version called spear phishing uses deep research to craft a message that is intended to be persuasive to a single individual.
- Malware - Malware refers to any software that’s designed to harm a computer system or exfiltrate data. It comes in many different forms, including viruses, ransomware, spyware, and trojan horses. Bad actors install malware by taking advantage of hardware and software vulnerabilities or by convincing an employee to do it using a social engineering technique.
- Ransomware - In a ransomware attack, bad actors use malware to encrypt critical data and systems and then threaten to make the data public or destroy it if the victim doesn’t pay a ransom.
- Denial of service - In a denial-of-service (DoS) attack, or its distributed variant (DDoS), a threat actor overwhelms a network or system with traffic until it slows or crashes. Typically, attackers target high-profile companies like banks or governments with the goal of costing them time and money, but organizations of all sizes can be victims of this type of attack.
- Man in the middle - Another method that cybercriminals use to steal personal data is to insert themselves in the middle of an online conversation between people who believe they are communicating privately. By intercepting messages and copying them or changing them before sending them to the intended recipient, they try to manipulate one of the participants into giving them valuable data.
- Insider threat - Although most attacks are conducted by people outside an organization, security teams also need to be on the lookout for insider threats. Employees and other people who legitimately have access to restricted resources may inadvertently, or in some cases intentionally, leak sensitive data.
- Unauthorized access - Many security breaches start with stolen account credentials. Whether bad actors acquire passwords via a phishing campaign or by guessing a common password, once they gain access to a system they can install malware, do network reconnaissance, or escalate their privileges to gain access to more sensitive systems and data.
What is an incident response plan?
Responding to an incident requires a team to work together efficiently and effectively to eliminate the threat and satisfy regulatory requirements. In these high-stress situations, it’s easy to become flustered and make mistakes, which is why many companies develop an incident response plan. The plan defines roles and responsibilities and includes the steps needed to properly resolve, document, and communicate about an incident.
Importance of an incident response plan
A significant attack doesn’t just damage the operations of an organization, it also affects the business’s reputation among customers and the community, and it may have legal ramifications too. Everything, including how quickly the security team responds to the attack and how executives communicate about the incident, influences its overall cost.
Companies that hide the damage from customers and governments or who don’t take a threat seriously enough may run afoul of regulations. These types of mistakes are more common when participants don’t have a plan. In the heat of the moment, there’s a risk that people will make rash decisions driven by fear that wind up hurting the organization.
A well-thought-out plan lets people know what they should be doing at each phase of an attack, so they don’t have to make it up on the fly. And after recovery if there are questions from the public, the organization will be able to show exactly how it responded and give customers peace of mind that it took the incident seriously and implemented the steps necessary to prevent a worse outcome.
Incident response steps
There’s more than one way to approach incident response, and many organizations rely on a security standards organization to guide their approach. The SANS (SysAdmin, Audit, Network, and Security) Institute is a private organization that offers a six-step response framework, which is outlined below. Many organizations also adopt the National Institute of Standards and Technology (NIST) incident recovery framework.
- Preparation - Before an incident occurs, it’s important to reduce vulnerabilities and define security policies and procedures. In the preparation phase, organizations conduct a risk assessment to determine where they have weaknesses and prioritize assets. This phase includes writing and refining security procedures, defining roles and responsibilities, and updating systems to reduce risk. Most organizations regularly revisit this stage and make improvements to policies, procedures, and systems as they learn lessons or technologies change.
- Threat identification - On any given day, a security team may receive thousands of alerts that indicate suspicious activity. Some of them are false positives or may not rise to the level of an incident. Once an incident has been identified, the team digs into the nature of the breach and documents findings, including the source of the breach, the type of attack, and attacker goals. In this stage, the team also needs to inform stakeholders and communicate next steps.
- Threat containment - Containing a threat as quickly as possible is the next priority. The longer bad actors are allowed access, the greater damage they can do. The security team works to rapidly isolate applications or systems that are under attack from the rest of the networks. This helps prevent the attackers from accessing other parts of the business.
- Threat elimination - Once containment is complete, the team removes the attacker and any malware from affected systems and resources. This may involve taking systems offline. The team also continues to keep stakeholders informed of progress.
- Recovery and restoration - Recovering from an incident may take several hours. Once the threat is gone, the team restores systems, recovers data from backup, and monitors affected areas to ensure the attacker doesn’t return.
- Feedback and refinement - When the incident is resolved, the team reviews what happened and identifies improvements that can be made to the process. Learning from this phase helps the team enhance the organization’s defenses.
What is an incident response team?
An incident response team, which is also called a computer security incident response team (CSIRT), a cyber incident response team (CIRT), or a computer emergency response team (CERT), includes a cross-functional group of people in the organization who are responsible for executing the incident response plan. This includes not only the people who remove the threat but also those who make business or legal decisions related to an incident. A typical team includes the following members:
- An incident response manager, often the director of IT, supervises all phases of the response and keeps internal stakeholders informed.
- Security analysts research the incident to try to understand what is happening. They also document their findings and gather forensic evidence.
- Threat researchers look outside the organization to gather intelligence that provides additional context.
- Someone from management, such as a chief information security officer or a chief information officer, provides guidance and serves as a liaison to other executives.
- Human resources specialists help manage insider threats.
- General counsel helps the team navigate liability issues and ensures that forensic evidence is collected.
- Public relations specialists coordinate accurate external communication to the media, customers, and other stakeholders.
An incident response team may be a subset of a security operations center (SOC), which handles security operations beyond incident response.
Incident response automation
In most organizations, networks and security solutions generate far more security alerts than the incident response team can realistically manage. To help the team focus on legitimate threats, many businesses implement incident response automation. Automation uses AI and machine learning to triage alerts, identify incidents, and root out threats by executing a response playbook based on programmatic scripts.
Security orchestration automation and response (SOAR) is a category of security tools that businesses use to automate incident response. These solutions offer the following capabilities:
- Correlate data across multiple endpoints and security solutions to identify incidents for humans to follow up on.
- Run a pre-scripted playbook to isolate and address known incident types.
- Generate an investigative timeline that includes actions, decisions, and forensic evidence that can be used for analysis.
- Bring in relevant external intelligence for human analysis.
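As an added illustration of the event, alert, and incident distinction defined earlier and of the first three SOAR capabilities just listed (correlating alerts into an incident, running a pre-scripted playbook, and producing an investigative timeline), here is a small Python correlation and playbook runner. It is example code written for this page, not the logic of Microsoft Sentinel or any other product; the alert records, the incident pattern, the 15-minute window, and the playbook steps are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts from three sources (email gateway, EDR, web proxy).
# The three alerts on ws-17 are individually weak signals; together they match a pattern.
ALERTS = [
    {"ts": "2024-05-01T09:00:05", "src": "email", "host": "ws-17", "type": "phishing_link_click"},
    {"ts": "2024-05-01T09:01:40", "src": "edr", "host": "ws-17", "type": "suspicious_process"},
    {"ts": "2024-05-01T09:03:10", "src": "proxy", "host": "ws-17", "type": "new_outbound_domain"},
    {"ts": "2024-05-01T11:30:00", "src": "edr", "host": "ws-42", "type": "suspicious_process"},
]
WINDOW = timedelta(minutes=15)  # alerts on one host within this span are treated as related

# Illustrative incident pattern (assumption): all of these alert types must co-occur.
INCIDENT_PATTERNS = {
    "likely_phishing_compromise": {"phishing_link_click", "suspicious_process", "new_outbound_domain"},
}

# Pre-scripted playbook per known incident type; the actions are simulated, not executed.
PLAYBOOKS = {
    "likely_phishing_compromise": ["isolate_host", "revoke_user_sessions", "collect_triage_package"],
}

def correlate(alerts, window=WINDOW):
    """Group alerts by host within a time window; raise an incident only on a full pattern match."""
    by_host = defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        by_host[alert["host"]].append(alert)
    incidents = []
    for host, host_alerts in by_host.items():
        start = datetime.fromisoformat(host_alerts[0]["ts"])
        cluster = [a for a in host_alerts if datetime.fromisoformat(a["ts"]) - start <= window]
        types = {a["type"] for a in cluster}
        for name, pattern in INCIDENT_PATTERNS.items():
            if pattern <= types:  # every required alert type is present in the cluster
                incidents.append({"type": name, "host": host, "alerts": cluster})
    return incidents

def run_playbook(incident):
    """Run the playbook for the incident type and return an investigative timeline."""
    timeline = [(a["ts"], a["src"], "alert:" + a["type"]) for a in incident["alerts"]]
    detected_at = incident["alerts"][-1]["ts"]
    for step in PLAYBOOKS.get(incident["type"], []):
        timeline.append((detected_at, "soar", "action:" + step))  # stamped at detection time
    return timeline

if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(inc["type"], "on", inc["host"], run_playbook(inc))
```

The lone suspicious_process alert on ws-42 never becomes an incident, which is the point of correlation: an analyst is paged for the combined pattern, not for every alert.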
How to implement an incident response plan
Developing an incident response plan may seem daunting, but it can significantly reduce the risk that your business will be unprepared during a major incident. Here’s how to get started:
- Identify and prioritize assets - The first step in an incident response plan is knowing what you’re protecting. Document your organization’s critical data, including where it lives and its level of importance to the business.
- Determine potential risks - Every organization has different risks. Become familiar with your organization’s greatest vulnerabilities and evaluate the ways an attacker could exploit them.
- Develop response procedures - During a stressful incident, clear procedures will go a long way toward making sure the incident is addressed quickly and effectively. Start by defining what qualifies as an incident and then determine the steps your team should take to detect, isolate, and recover from the incident, including procedures for documenting decisions and collecting evidence.
- Create an incident response team - Build a cross-functional team that is responsible for understanding the response procedures and mobilizing if there’s an incident. Be sure to clearly define roles and account for nontechnical roles that can help make decisions related to communication and liability. Include someone on the executive team who will be an advocate for the team and its needs at the highest levels of the company.
- Define your communication plan - A communication plan will take the guesswork out of when and how to tell others inside and outside the organization what’s happening. Think through various scenarios to help you determine under what circumstances you need to inform executives, the entire organization, customers, and the media or other external stakeholders.
- Train employees - Bad actors target employees at all levels of the organization, which is why it’s so important that everyone understands your response plan and knows what to do if they suspect that they’ve been the victim of an attack. Periodically, test your employees to confirm they can recognize phishing emails, and make it easy for them to notify the incident response team if they accidentally click on a bad link or open an infected attachment.
Incident response solutions
Being prepared for a major incident is an important part of keeping your organization safe from threats. Setting up an internal incident response team will give you the confidence that you’ll be ready if you are victimized by a bad actor.
Take advantage of SIEM and SOAR solutions like Microsoft Sentinel that use automation to help you identify and automatically respond to incidents. Organizations with fewer resources can augment their teams with a service provider that can handle multiple phases of incident response. But whether you staff incident response internally or externally, make sure you have a plan.
Frequently asked questions
- Incident response is all the activities that an organization takes when it suspects a security breach. The goal is to isolate and root out attackers as quickly as possible, comply with data privacy regulations, and recover safely with as little damage to the organization as possible.
- A cross-functional team is responsible for incident response. IT will typically be in charge of identifying, isolating, and recovering from threats; however, there is more to incident response than finding and getting rid of bad actors. Depending on the type of attack, someone may have to make a business decision, such as how to address a ransom. Legal counsel and public relations professionals help ensure that the organization complies with data privacy laws, including appropriate notification of customers and governments. If the threat is perpetrated by an employee, human resources advises on appropriate action.
- CSIRT is another name for an incident response team. It includes a cross-functional team of people who are responsible for managing all aspects of incident response, including detecting, isolating, and eliminating the threat, recovery, internal and external communication, documentation, and forensic analysis.
- Most organizations use a SIEM or a SOAR solution to help them identify and respond to threats. These solutions typically aggregate data from multiple systems and use machine learning to help identify true threats. They can also automate the response to certain kinds of threats based on pre-scripted playbooks.
- The incident response lifecycle includes six stages:
  - Preparation occurs before an incident has been identified and includes a definition of what the organization considers an incident and all the policies and procedures necessary to prevent, detect, eliminate, and recover from an attack.
  - Threat identification is a process that uses both human analysts and automation to identify which events are real threats that need to be addressed.
  - Threat containment is the actions that the team takes to isolate the threat and prevent it from infecting other areas of the business.
  - Threat elimination includes steps to remove malware and attackers from an organization.
  - Recovery and restoration include restarting systems and machines and restoring any data that was lost.
  - Feedback and refinement is the process the team takes to uncover lessons from the incident and apply those learnings to policies and procedures.