
Cybersecurity Incident Response Process

An introduction to security operations center (SOC) incident response and four stages of processing an incident.

What is incident response?

NIST (SP 800-61) defines incident handling, a term it uses interchangeably with incident response, as “The mitigation of violations of security policies and recommended practices.” Incident response (IR) is the point at which the SOC kicks into high gear to contain, eradicate, and recover from an attack, before data is lost or the business is irreparably harmed. The incident response process is a multi-step effort that requires a coordinated team to bring the business back to a normal state of operations.

Top challenges for cybersecurity incident responders

Death by Point Tools

The incident response process often depends on too many specialized point tools, each with its own console and data model, which slows analysts and delays necessary response steps. Rigidly defined tools also require time-consuming manual effort to stop an attack.


Partial Visibility

Missing or siloed data across unreliable, disparate tooling obstructs the full picture, leaving defenders to react without the information needed to mount a full-scale defense.

Architectural Complexity

The shift to the cloud and the growth of hybrid, multi-cloud architectures expand the surface defenders must cover, and with it the complexity of investigation and response: identities, workloads and logs are spread across providers, each with its own telemetry and access controls.

A Simple, Effective Process for Incident Response

Step 1

Prepare an incident response plan

Responding to an incident with no plan in place leads to unnecessary damage, frustration, and wasted resources. A well-conceived, battle-tested incident response plan prepares the SOC to respond, recover, and manage the aftermath of an incident. IR playbooks and plans provide a structure of responsibility, command, and control, and often include steps for specific scenarios (such as ransomware or a compromised account), communication guidelines, business continuity procedures, and more. Top-performing SOCs also test their plans with the broader organization through tabletop exercises to ensure everyone knows their role before a real incident.

Step 2

Ensure immediate access to all data

IR strategies are more successful when they rest on detailed, contextualized investigation. Maturing SOC teams require immediate access to real-time and historical data to determine the scope of an incident: which hosts, accounts and data the attacker touched, and when the activity actually began, which is often earlier than the first alert. A data platform that supports this allows simple, flexible queries across all data with fast, predictable response times and visualization of complex analytics. The net: analysts can build the full threat story, enrich it with intelligence at scale, and correlate the incident with historical data to speed resolution.
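The scoping step above, shown as an added example (this is not code from the original page or from any vendor product it describes). It pivots on one indicator, a command-and-control domain, across constructed proxy and authentication logs: every host that contacted the domain, the accounts used on those hosts, and the network logons those hosts made in the window after first contact. The log formats, hostnames and the domain cdn.badc2.invalid are all assumptions made up for the example.

```python
"""Scope an incident by pivoting one indicator across real-time and historical logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs for the example; not real data.
# Note the February entry: historical data shows the campaign started
# well before the March alert that would normally trigger the investigation.
PROXY_LOGS = [
    "2024-03-01T09:12:03Z host=ws-17 user=alice dst=updates.example.net action=allow",
    "2024-03-01T09:13:40Z host=ws-17 user=alice dst=cdn.badc2.invalid action=allow",
    "2024-03-01T11:02:11Z host=ws-04 user=bob dst=cdn.badc2.invalid action=allow",
    "2024-03-02T08:45:00Z host=ws-22 user=carol dst=mail.example.net action=allow",
    "2024-02-20T14:20:55Z host=srv-db1 user=svc_backup dst=cdn.badc2.invalid action=block",
]
AUTH_LOGS = [
    "2024-03-01T09:30:15Z event=logon user=alice src=ws-17 dst=srv-file1 type=network",
    "2024-03-01T09:31:02Z event=logon user=alice src=ws-17 dst=srv-db1 type=network",
    "2024-03-01T12:00:00Z event=logon user=bob src=ws-04 dst=srv-file1 type=network",
    "2024-03-01T17:45:10Z event=logon user=carol src=ws-22 dst=srv-file1 type=network",
]


def parse(line):
    """Parse 'timestamp k=v k=v ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def scope_incident(ioc_domain, proxy_logs, auth_logs, window=timedelta(hours=24)):
    """Return affected hosts (with first-seen time), accounts, and lateral-movement targets."""
    proxy = [parse(line) for line in proxy_logs]
    auth = [parse(line) for line in auth_logs]

    # Pivot 1: every host that tried to reach the IOC. A blocked request still
    # counts: the host ran something that resolved and contacted the domain.
    contacts = [r for r in proxy if r["dst"] == ioc_domain]
    hosts = {}
    for r in contacts:
        hosts[r["host"]] = min(hosts.get(r["host"], r["ts"]), r["ts"])

    # Pivot 2: accounts active on those hosts when the contact happened.
    users = {r["user"] for r in contacts}

    # Pivot 3: network logons sourced from affected hosts within the window
    # after first contact; these are candidate lateral-movement targets.
    lateral = defaultdict(set)
    for r in auth:
        src = r["src"]
        if src in hosts and hosts[src] <= r["ts"] <= hosts[src] + window:
            lateral[src].add(r["dst"])

    return {
        "hosts": hosts,
        "users": users,
        "lateral": {k: sorted(v) for k, v in lateral.items()},
        "first_seen": min(hosts.values()) if hosts else None,
    }


if __name__ == "__main__":
    scope = scope_incident("cdn.badc2.invalid", PROXY_LOGS, AUTH_LOGS)
    print("affected hosts:", sorted(scope["hosts"]))
    print("accounts:", sorted(scope["users"]))
    print("lateral movement:", scope["lateral"])
    print("earliest activity:", scope["first_seen"])
```

The third pivot is deliberately bounded by a time window: without it, every routine logon from a workstation would be pulled into scope. In a real SOC the same queries run against the SIEM or data lake rather than Python lists, but the shape of the investigation is the same, and the "first_seen" value is exactly why historical retention matters.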

Step 3

Contain and eradicate the threat

During an incident, the computer security incident response team (CSIRT) is called in to stop attackers in their tracks. This may include resetting passwords on compromised accounts, revoking their active sessions, or isolating affected devices from the network. Isolation is preferable to powering a device off: shutting it down destroys volatile evidence such as memory contents that the investigation may still need. Security orchestration, automation, and response (SOAR) solutions can help shorten time-to-action by taking over repetitive tasks, automating workflows, and serving up the best-fit playbook for the incident type. Case management, a critical aspect of the incident response process, uses SOAR to maintain the chain of custody for incident evidence (who collected what, when, and a hash proving it has not changed since), while automating data collection and retention.
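The containment and case-management steps above, shown as an added example (this is not code from the original page or from any SOAR product). It turns an incident scope into ordered containment actions, isolating rather than powering off hosts, and records each collected artifact in a hash-chained custody log so that both the artifact and the log itself are tamper-evident. The action names, the artifact identifier and the "analyst1" actor are assumptions invented for the example; a real SOAR playbook would map each action to an EDR or identity-provider API call.

```python
"""Containment playbook actions with a tamper-evident chain of custody."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first custody entry


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only evidence log; every entry commits to the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def record(self, action, artifact_id, digest, actor, ts=None):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "artifact": artifact_id,
            "sha256": digest,
            "actor": actor,
            "prev": prev,
        }
        # Canonical JSON so the hash is reproducible at verification time.
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Recompute every hash; any edited, removed or reordered entry breaks the chain."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev"] != prev:
                return False
            if sha256(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def collect_artifact(log, artifact_id, data, actor, ts=None):
    """Hash an artifact at collection time and record who took it and when."""
    digest = sha256(data)
    log.record("collected", artifact_id, digest, actor, ts)
    return digest


def verify_artifact(log, artifact_id, data):
    """Check that the artifact still matches the digest recorded at collection."""
    collected = [e for e in log.entries
                 if e["artifact"] == artifact_id and e["action"] == "collected"]
    return bool(collected) and collected[-1]["sha256"] == sha256(data)


def containment_actions(scope):
    """Ordered containment steps for a scope of the form {'hosts': {...}, 'users': {...}}.

    Hosts are network-isolated (not shut down) so memory can still be acquired
    afterwards; accounts get a credential reset plus session revocation, since a
    reset alone leaves existing tokens and sessions valid.
    """
    actions = []
    for host in sorted(scope["hosts"]):
        actions.append(("isolate_host", host))
        actions.append(("collect_memory", host))
    for user in sorted(scope["users"]):
        actions.append(("reset_credentials", user))
        actions.append(("revoke_sessions", user))
    return actions


if __name__ == "__main__":
    log = CustodyLog()
    image = b"constructed stand-in for a memory image"  # constructed sample artifact
    collect_artifact(log, "ws-17-memory.raw", image, "analyst1")
    print("custody log intact:", log.verify())
    print("artifact unchanged:", verify_artifact(log, "ws-17-memory.raw", image))
    for action in containment_actions({"hosts": {"ws-17": None}, "users": {"alice"}}):
        print(action)
```

The chain of custody here is only as strong as the storage of the log: keep it append-only and separate from the analysts who collect evidence, so that an insider cannot rewrite both the artifact and its record.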

Step 4

Achieve system restoration and long-term recovery

It’s one thing to close an attack pathway; it’s another to prevent a repeat. The IR team’s first priority during recovery is to return the organization to steady state and reduce costly downtime. Post-incident, IR teams patch the vulnerabilities that were exploited, strengthen the incident response plan, and institute preventive security controls. In some cases, organizations are also obliged to notify affected parties, regulators, or law enforcement, and to preserve evidence. Leading incident response processes include a formal post-mortem (lessons-learned review) of the incident to identify recurring incident patterns as well as areas for improvement. Organizations such as SANS offer templates for incident response and management.