
How does a Digital Incident Response plan work

The key to a digital incident response plan is to have prepared for, and run simulations of, all the different types of incident that can happen. The plan needs a methodology to detect an incident and alert the people in the organisation’s teams who can perform the required analysis, identify the actual threat, take the necessary steps of containment and neutralisation, and then, through a post incident review, learn all the lessons the incident has delivered.

We suggest that organisations run simulations on a regular basis, both to ensure preparedness and to notice changes in the environment that need to be reflected in the response plans.

Standard methods of responding enable an efficient process flow. An incident response (IR) plan outlines steps for responding to computer security incidents. It identifies the stakeholders in an organisation and establishes their roles and responsibilities. It describes what triggers the activation of a response plan, the incident types and their severity levels. It includes requirements for a minimum of an annual simulation as well as post incident review to find lessons learnt and a collection of metrics for gauging response effectiveness.

Read more about our Cyber Security Incident Response Plans HERE.

The goals of incident response

The goals of incident response are to:

  • Confirm an incident occurred
  • Provide a defined incident notification process
  • Accumulate and document accurate information
  • Establish controls for proper retrieval and handling of evidence
  • Contain the incident and stop any unwanted activity quickly and efficiently
  • Minimize disruption to network operations
  • Provide accurate reports and useful recommendations to management
  • Feed lessons learnt from experience back into processes.

Who are the people involved in the incident response teams?

The head of cyber security provides overall coordination including the go-ahead for the escalation of an incident.

A Security Operations Centre (SOC), possibly outsourced, serves as the central group for detection, analysis, tracking, response to and reporting of cyber threats and incidents. The SOC responds to incidents by providing hands-on technical IR and recommends steps for technical staff to remediate and mitigate, so as to reduce the likelihood of future incidents.

In addition, the SOC facilitates collaboration and information sharing with other group entities that may be experiencing the same or similar incidents, to help resolve the problem more quickly than if done separately. The SOC collects information on the types of vulnerabilities that are being exploited and the frequency of attacks and shares preventative information to help other group entities protect themselves from similar attacks.

First Responders - IT staff, such as network managers, system administrators, and other technical personnel, will be called upon, as needed, to provide support and tactical response to the SOC. All digital forensic analysis must be performed by, or under the direction of, the SOC.

The business must have predefined teams at the ready which include, at minimum, Executive Management, Franchise security managers, Group security management, Fraud, Risk, Legal and the Public Information Officer. In some cases, Human Resources and Labour Relations may become involved.

External Entities - In consultation with the SOC, external entities may conduct hands-on IR activities, such as investigative response activities, or may provide guidance. For example, a security solutions vendor may provide assistance on security appliance settings. External entities include vendors, service providers, or law enforcement including, but not limited to Internet Service Providers, Security Solutions Vendors and Data Holder Vendors.

Incident response Process Flow

There are a number of stages to the IR flow. The obvious core objective is to stop the incident as quickly as possible, but in a structured and managed manner that includes collecting all possible evidence.

Preparation for incident response

Proper planning and preparation for an incident before it occurs ensures a more effective and efficient IR process. Activities associated with this step include establishing IR teams; updating IR tools, policies/procedures, and forms/checklists; and ensuring IR communication procedures and IR stakeholder contact lists are accurate and up-to-date.

A central point of contact must be in place to coordinate identification and reporting up to the Head of Cyber Security, and all employees are required to report suspected cyber security incidents or weaknesses to management and the designated security representative.

Establish standard operating procedures (SOPs) for IR that reflect industry standards and best practice, and routinely vet and validate the tools and techniques used for IR. In order to operate efficiently and effectively, the IR process must be regularly tested.

Mock incidents or table top exercises using realistic scenarios provide a walkthrough of the IR process and, to the extent possible, must include all IR stakeholders. Lessons learnt from these exercises can then be integrated into the IR process.

Incident Identification

Identification begins with an event, an anomaly that has been reported or noticed in a system or network. Detection can be accomplished by technical analytics (operations staff, anti-virus software) or non-technical means (user security awareness and reporting) or both.

Not every network or system event will be a security incident. A first responder must be assigned to determine if there is an incident, categorize the incident and escalate as necessary.

Effective IR happens when incidents are classified and where necessary, escalated quickly to the relevant people.

Classifying an incident and setting its severity level allows the correct measures to be put in place and is critical in resolving the incident. An incident can fall into more than one category, and its classification may change as the investigation progresses.

Severity levels are based on the impact the incident will or could have on the business and they too can change as the scenario unfolds.

Where necessary the incident may need to be escalated to a higher level of response in order to contain the damage and isolate any effects.

Scoping an incident means identifying the potential targets and defining the possible causes and areas of attack. Is it an internal or external threat? Is it a targeted attack or an opportunistic one?

As additional events develop during the IR process and additional stakeholders become involved, an incident could require re-scoping.

Proper incident tracking and reporting is critical, both during and after the incident. After the event there could be a full investigation of the incident and of all actions taken by the stakeholders, so gathering this intelligence is critical.

The minimum information that should be collected is:

  • Date / time of incident start and when discovered
  • Type of Incident
  • Reporting source of incident
  • Summary of the incident
  • Current status of the incident
  • All actions taken concerning the incident
  • Contact information for all involved parties
  • Evidence gathered during incident investigation
  • Relevant comments from IR team members
  • Proposed next steps to be taken

Containment focuses on containing the threat to minimize damage. All affected systems within the enterprise should be identified in the preparation phase so that containment (and eradication and recovery) is effective and complete.

Incident containment is preventing the incident from spreading. This can be accomplished by isolating infected systems, blocking suspicious network activity, and disabling services among other actions. Containment varies depending on the severity and risk to operations.

Incident Resolution

There are two stages to incident resolution: the first is containment and the second is recovery.

Eradication means removing all the elements of the threat from networks and servers. The methods of eradication are dependent upon the type of incident, the number of systems involved, operating systems and software applications installed.

Once the root cause of the incident has been eradicated the recovery phase can begin. The goals of recovery are to close off any vulnerabilities that have been discovered, and perform recovery actions to restore operations to normal.

Systems may then need to be hardened and monitoring increased. Systems can be recovered by rebuilding them from trusted images, restoring from clean backups, and replacing compromised files with clean versions.

Backups used must be clean and not infected, ideally from a different, non-infected source or location.

Once systems are recovered, the incident must be validated as resolved by the response team lead.
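The tracking record and process flow described above, as an added example that is not part of the original article: a Python incident record carrying the minimum information fields, allowing severity only to be escalated, enforcing the identified, contained, eradicated, recovered, resolved order, and refusing to mark an incident resolved without the team lead's validation. The stage and severity names, field names and the sample incident are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Stage order from the process flow above; the last step needs the team lead's sign-off.
STAGES = ("identified", "contained", "eradicated", "recovered", "resolved")
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Incident:  # one record carrying the minimum information listed above
    started: datetime           # date/time the incident began
    discovered: datetime        # date/time it was detected
    category: str               # incident type; may be re-classified as facts emerge
    source: str                 # reporting source
    summary: str
    severity: str               # key of SEVERITY; may be escalated, never lowered here
    status: str = "identified"
    actions: list = field(default_factory=list)   # (utc time, who, what)
    contacts: dict = field(default_factory=dict)  # role -> contact detail
    evidence: list = field(default_factory=list)  # ids of collected artifacts

    def log(self, who: str, action: str) -> None:
        self.actions.append((datetime.now(timezone.utc), who, action))

    def escalate(self, new_severity: str, who: str) -> None:
        # Severity may only rise; the record keeps who raised it and from what.
        if SEVERITY[new_severity] <= SEVERITY[self.severity]:
            raise ValueError(f"{new_severity} is not an escalation from {self.severity}")
        self.log(who, f"escalated {self.severity} -> {new_severity}")
        self.severity = new_severity

    def advance(self, who: str, validated_by_lead: bool = False) -> str:
        # Stages are taken strictly in order; nothing is "resolved" without lead validation.
        if self.status == STAGES[-1]:
            raise ValueError("incident already resolved")
        nxt = STAGES[STAGES.index(self.status) + 1]
        if nxt == "resolved" and not validated_by_lead:
            raise PermissionError("resolution must be validated by the response team lead")
        self.log(who, f"{self.status} -> {nxt}")
        self.status = nxt
        return nxt

    def missing_fields(self) -> list:
        # Minimum-information fields still empty, flagged for the tracking report.
        required = {"summary": self.summary, "contacts": self.contacts, "evidence": self.evidence}
        return [name for name, value in required.items() if not value]


def sample_incident() -> Incident:
    # Constructed sample record (not a real case) for walking the flow.
    t = datetime(2024, 1, 15, 8, 30, tzinfo=timezone.utc)
    return Incident(t, t.replace(hour=9), "malware", "SOC alert", "Workstation beaconing to an unknown host", "medium")
```

Every escalation and stage change is appended to the action log with a timestamp and the actor, which gives the post incident review the record of all actions taken that the text calls for.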

Post Incident Management

After an incident is the perfect and critical time to gather people and focus minds and determine how to improve weaknesses identified during the incident.

In the post incident period it is necessary to perform the following:

  • Documentation of all steps taken to respond to the attack.
  • Collation of any files or artifacts as evidence.
  • An investigation into the root cause of the incident.
  • A list of improvements (with budgets) that could prevent a recurrence.
  • Any training requirements for staff.

It is at this point that many organisations who have been lackadaisical about cyber security are awoken and are most likely to begin taking the steps they should have taken in order to ensure adequate cyber-health.

Ongoing things that can improve cyber security are:

  • Ensuring bi-annual reviews of incident response procedures.
  • Setting up ongoing vulnerability scans.
  • Having a professional team perform penetration tests.
  • Providing staff with cyber-security training both at user and technical level.
  • Reviewing all procedures and policies.

The time is now to start proper cybersecurity procedures in your organisation. As the cliché goes, it’s not if you are going to have a cyber attack, it’s when.
