By Richard Conn
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack. It involves team management and closely coordinated teams carrying out procedures and actions that respond to these critical events.
Why is incident management important?
When an incident occurs, it is paramount for IT teams to have an established set of practices and procedures that allow them to address the problem and then respond accordingly. Incident management is vital for any business—from a small online retailer to a VoIP contact center. It’s also a requirement for most data compliance standards.
With a strong incident management process established, IT teams will be able to rapidly reduce the seriousness of incidents and mitigate any negative impacts as they can speedily address whatever vulnerability or a problem caused the incident. This will allow companies’ operations to remain unaffected.
Even if the incident is not serious, IT departments must manage their time correctly by ensuring they spend valued resources on investigating the event and endeavoring to make sure it does not happen again. A worst-case scenario could involve your company losing data, being less productive, making less profit, and even being charged with breaching service level agreements. As a result, whether working on-site or remotely, getting incident management and communication right is critical.
If an incident management strategy is successfully implemented, you’ll reduce long-term costs. It will mean an up-front investment, but at least this is a controllable cost. Not doing so, in the event of an incident, could cost $300k per hour, plus subsequent regulatory fines, plus a boost in customer churn.
An effective incident management and communication process will help your company with the following:
- Prevent incidents by anticipating them
- Resolving any incidents quickly
- Reducing downtime
- Increasing customer confidence and experience
The key to effectively address the wide range of security incidents your company could experience is to follow these five steps.
Step 1: Preparation for the incident
Proper planning and preparation prevent poor performance—this is the key to effective incident response. Planning for an event will mean the whole process is mapped out, and whenever it occurs, your team will automatically know what to do. Even the strongest IT team will still be more effective if there is an established framework detailing the plan together with a quick set up automatic dialing software between team members.
We strongly recommend that you do these as part of your incident management plan:
- Establish a procedure outlining how your company will implement incident response management.
- Write guidelines stipulating communication standards, which will enable teams and individuals to communicate without hindrance throughout the event.
- Constantly gather information on your threat intelligence.
- Organize threat hunting exercises to discover issues that are already active within your company. This will allow you to be one step ahead of the game.
- Evaluate your threat detection capability and implement improvements based on the findings.
Step 2: Identification of the incident
The alert might be made via email, SMS, automated system notice, phone, or even by personal notification. The incident will be the result of a problem that has been detected by a user or member of the IT department and must be immediately recorded by the help desk. The ITIL defines an incident as an “unplanned interruption to a service or reduction in the quality of a service.”
Examples of common incidents include when a user needs to change a password, an account needs to be created for a new employee/user, or an upgrade to hardware is requested. It is optimal if automatic monitoring can identify an incident early on, in which case it will be caught before escalating. However, there are situations when this will not happen, and the notification will be the result of a user having been affected.
Once the incident has been identified, the IT team can move on and record it.
Step 3: Logging and categorization of the incident
The IT team now needs to log and categorize what type of incident they are dealing with. Over time, you will be able to recognize patterns, which can then be addressed before they escalate into more serious issues. This process will allow your team to visualize incidents and tackle them with the most appropriate resources for the situation.
Additionally, through allocating incidents to relevant categories, it will be easier for the help desk to assign, escalate, and then monitor the patterns and timeframes of the incidents. If this is accurately carried out, the process will simplify how incidents are logged, prevent them from being logged on multiple occasions, and reduce the time it takes to resolve the incident.
The IT team also needs to have a ticketing system to record every incident—regardless of size or severity. Ticket management should include the following four pieces of information, and remember that the more information you have, the better your incident management will be.
- User name
- User contact information
- Date and time of the report
- Description of the incident
Your focus should be on collecting the largest amount of data possible as this will make future incident management more effective. Ask yourselves what is continuous testing? This testing and data collection process will allow you to identify sequences and trends, which can then be interpreted to recognize the fundamental cause of persistent incidents.
Knowledge is power, so with this information, your IT team will be able to establish effective processes to help resolve issues as well as outline standard responses for recurring problems.
Step 4: Containment and neutralization of the incident
The steps you take to contain and neutralize the incident is paramount. How you decide to do this will depend on the information and metrics available. Normality can only be resumed after the system has been restored and security has been confirmed.
The process to contain and neutralize the incident involves three stages:
1. A coordinated shutdown
A coordinated shutdown should be carried out for every system within the environment that has been affected by a threat. The correct timing of this procedure is key.
2. Wipe, rebuild, and reset
Infected devices should be completely wiped, and the operating systems should then be totally rebuilt. Remember to change the password for any account that has been compromised.
3. Threat mitigation requests
If you have identified domains or IP addresses that are known to be leveraged by threat actors for command and control, issue threat mitigation requests to block communication from all egress channels connected to these domains.
Step 5: Incident closure
Incident closure usually involves signing off on the process and then reflecting on how the team handled the situation. This can ensure continuous improvement and steps can be taken to prevent any issues in the future. The IT team might also draft a report that can help to show transparency, improve sales management, and build any trust that has been lost over the course of the incident management lifecycle.
Even if no report is written, it’s still important for teams to correctly document findings that could be harnessed to either improve the process or prevent future incidents. Make sure to create a space to plan how extra security features can be implemented and communication can be sharpened.
Ideally, the incident closure procedure should consist of a three-step process:
- Monitor post-incident activities, as threats can re-appear
- Update the organization’s threat intelligence to prevent future incidents
- Coordinate communication, using a channel such as Slack or Slack competitors, throughout the whole company to implement new security initiatives
Planning your incident management processes and establishing the procedures you will undertake in each of the previous steps will ensure efficient incident resolution. First, providing your team with training and support will give them the skills they need to be effective. They should also be prepared for incidents before they happen. Second, establishing effective communications like the usage of a business mobile phone will ensure all members of the team are speaking to each other. And finally, don’t forget to improve your systems based on the lessons learned.
About the Author
Richard Conn is the Senior Director for Demand Generation at 8×8, a leading communication platform with integrated outbound contact center, voice, video, and chat functionality. Richard is an analytical & results-driven digital marketing leader with a track record of achieving major ROI improvements in fast-paced, competitive B2B environments. Here is his LinkedIn.