How to Build an Effective Incident Response Strategy to Combat Cyberattacks
Key Highlights
- Establish a clear incident response policy and build a dedicated, trained IR team to efficiently handle cyber threats.
- Develop detailed playbooks and conduct tabletop exercises to prepare for various attack scenarios and improve response effectiveness.
- Implement a layered defense strategy with automation and external partnerships to enhance incident detection, containment, and recovery.
- Follow the six phases of IR—preparation, detection, containment, eradication, recovery, and lessons learned—to structure your response efforts.
A security incident is all but inevitable for nearly every organization. By “incident,” we mean a cyberattack that successfully accesses enterprise resources or otherwise puts an organization's finances, operations, or reputation at risk. A significant breach can drive a company out of business. To fight back, every organization needs a cohesive incident response (IR) strategy, backed by a well-trained team to implement it. IR is an organization's planned approach to detecting and managing cyberattacks. The goal is to minimize risk and to limit the damage, recovery time, and cost of any security incident.
Finding and fixing vulnerabilities will reduce the odds of a successful attack on your systems or data. But when an attack succeeds, that's where your incident response strategy comes into play.
Always Start with an IR Plan
The Incident Response Plan should provide a detailed, authoritative map guiding the organization from initial incident detection through assessment and triage to containment and resolution. It's essential that your organization drafts, vets, and tests (by enactment) its IR plan before a crisis strikes. The following are the steps to get started:
1. Establish policy. A good policy outlines the high-level priorities for incident response and guides incident responders in making sound decisions when things go wrong.
2. Build your IR team. A plan is only as strong as the people carrying it out. Who handles which tasks? Get those people trained.
3. Create playbooks. An IR policy provides a high-level view, but playbooks dive into the details by standardizing the steps the IR team takes in specific scenarios. Having playbooks to reference leads to greater consistency and efficiency in real-world incident response.
4. Create a communication plan. Work out in advance how executives, communication specialists, legal counsel, and HR will communicate with one another and the organization.
5. Hold tabletop exercises. Vet the IR plan and talk through the specifics of an attack and how the team will respond. Study what happened and take the time to outline any additional controls needed by brainstorming ways to improve processes. Add brief, audience-specific tabletops—Executive/Board (strategy and communications), Technical/IT (detection and containment), and Company-wide (cross-functional coordination)—to rehearse roles and decisions. For example, start with a realistic scenario: an employee announces twins, prompting a convincing benefits/phishing email that steals credentials and diverts payroll, driving practice in escalation, communications, and recovery.
Your IR plan should also include a plan overview; a list of roles and responsibilities; a list of incidents requiring action; the current state of network infrastructure and security controls; detection, investigation, and containment procedures; eradication procedures; recovery procedures; a breach notification process; a list of post-incident follow-up tasks; a contact list; an IR plan testing process; and finally a process for revising all the above as needed.
A formal, comprehensive reassessment and annual revisions are recommended.
Six Phases of Incident Response
Because IR plans require significant effort, leverage established security frameworks from NIST, the SANS Institute, ISO, ISSA, and ISACA for high-level guidance and direction. Each of these organizations' frameworks differs slightly in approach, but they all describe six phases of IR:
1. Preparation: Build your IR team and create policies, processes, and playbooks.
2. Detection & identification: Employ IT monitoring to detect, evaluate, validate, and triage security incidents.
3. Containment: Take steps to stop an incident from worsening and regain control of your IT resources.
4. Eradication: Focus on eliminating threat activity, including malware and malicious user accounts.
5. Recovery: Focus on restoring normal operations and mitigating vulnerabilities.
6. Lessons learned: Review the incident to establish what happened, when it happened, and how it happened. Flag security controls, policies and procedures that function sub-optimally, and identify how to improve them.
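The playbook idea from the planning steps above and the detection and containment phases just listed can be made concrete in code. The following is an added example, not code from the article or from Towerwall: a small triage script for the tabletop scenario the article uses (phished credentials followed by a payroll diversion). It parses a hypothetical key=value audit log, flags logins that look risky, correlates them with a payroll bank-account change on the same account within a short window, and attaches the standardized playbook steps an analyst should follow. Every log line, user, IP address, country, time window and playbook step is constructed for illustration and assumes nothing about any real product's log format.

```python
"""Added example: playbook-driven triage for a credential-theft / payroll-diversion
scenario. The log format, names, IPs and playbook steps are all constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical "timestamp key=value ..." layout.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z event=login user=alice src_ip=203.0.113.7 country=RO mfa=false result=success
2024-05-06T08:05:40Z event=payroll_change user=alice field=bank_account actor=alice src_ip=203.0.113.7
2024-05-06T09:15:02Z event=login user=bob src_ip=198.51.100.4 country=US mfa=true result=success
2024-05-06T12:30:00Z event=payroll_change user=bob field=bank_account actor=bob src_ip=198.51.100.4
2024-05-06T13:00:00Z event=login user=carol src_ip=198.51.100.9 country=US mfa=true result=success
"""

EXPECTED_COUNTRIES = {"US"}          # assumed: where this organisation's staff normally log in
CORRELATION_WINDOW = timedelta(hours=1)  # assumed: a payroll change this soon after a risky login is linked

# Playbook: standardised steps for this scenario, keyed to the article's IR phases.
PLAYBOOK = {
    "containment": [
        "Disable the affected account and revoke active sessions/tokens",
        "Freeze the pending payroll change and notify payroll/finance",
    ],
    "eradication": [
        "Reset credentials and enrol the user in MFA before re-enabling the account",
        "Locate the phishing message in mail logs and remove it from all mailboxes",
    ],
    "recovery": ["Restore the verified bank details and confirm with the employee by phone"],
    "lessons_learned": ["Record timeline, root cause and control gaps for the post-incident review"],
}


@dataclass
class Event:
    ts: datetime
    fields: dict


@dataclass
class Finding:
    user: str
    login_ts: datetime
    change_ts: datetime
    reasons: list


def parse_log(text: str) -> list:
    """Parse 'timestamp key=value ...' lines into Event objects (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts_str.replace("Z", "+00:00")), fields))
    return events


def suspicious_login_reasons(ev: Event) -> list:
    """Return the reasons a login looks risky; an empty list means it looks normal."""
    reasons = []
    if ev.fields.get("mfa") == "false":
        reasons.append("login without MFA")
    if ev.fields.get("country") not in EXPECTED_COUNTRIES:
        reasons.append(f"login from unexpected country {ev.fields.get('country')}")
    return reasons


def triage(events: list) -> list:
    """Correlate risky logins with a payroll change on the same account inside the window."""
    findings = []
    logins = [e for e in events if e.fields.get("event") == "login" and e.fields.get("result") == "success"]
    changes = [e for e in events if e.fields.get("event") == "payroll_change"]
    for login in logins:
        reasons = suspicious_login_reasons(login)
        if not reasons:
            continue  # normal login: no correlation needed
        for change in changes:
            same_user = change.fields.get("user") == login.fields.get("user")
            in_window = login.ts <= change.ts <= login.ts + CORRELATION_WINDOW
            if same_user and in_window:
                findings.append(Finding(login.fields["user"], login.ts, change.ts, reasons))
    return findings


def render(finding: Finding) -> str:
    """Produce the ticket text an analyst would see, with the playbook steps attached."""
    lines = [f"INCIDENT: possible payroll diversion for user {finding.user}",
             f"  risky login at {finding.login_ts.isoformat()}: " + "; ".join(finding.reasons),
             f"  payroll change at {finding.change_ts.isoformat()}"]
    for phase, steps in PLAYBOOK.items():
        lines.append(f"  [{phase}]")
        lines.extend(f"    - {s}" for s in steps)
    return "\n".join(lines)


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(render(f))
```

Run stand-alone, the script reports only alice (no MFA, unexpected country, bank-account change three minutes later) and leaves bob alone, whose change follows a normal MFA login. The value of the pattern is that the playbook steps travel with the finding, so the containment and eradication actions the team agreed on in advance are in front of the analyst at the moment of triage rather than looked up under pressure.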
Assemble Your Team and Tools
The technical team is the core of the IR team, comprising IT and security personnel with technical expertise across the company's systems. It might include an IR coordinator, security analysts, threat researchers, and forensics analysts. An IR team might also draw on departments such as communications/PR, legal, HR, business continuity and disaster recovery, and physical security and facilities.
Your team should include external players like cybersecurity or IR consultants, external legal representation, cloud service providers, and vendors to supply expertise and controls such as endpoint detection and response (EDR), anti-malware, backup and recovery, cloud access security brokers, data classification tools, data loss prevention (DLP), firewalls, intrusion prevention and detection systems, security information and event management (SIEM), security orchestration, automation, and response tools (SOAR).
Defense-in-Depth
Most organizations need defense-in-depth, but keep it lean. Get the most from what you already have and add tools only to close a clear gap. Favor a small, integrated stack with clear owners and simple playbooks, and retire anything redundant. Use automation for repeatable tasks to reduce noise, not to add work; if capacity is tight, consider a managed partner while you maintain oversight.
Seek Outside Expertise
For organizations facing serious threats or operating multiple locations, outsourcing may be the key to cybersecurity. Information security providers can take on many aspects of IR work, from managing regulatory compliance to conducting threat hunting and penetration testing to managing crisis situations.
Incident response is a cornerstone of any enterprise cybersecurity program. Being able to respond quickly to unavoidable security incidents will minimize damage, reduce recovery time, restore business operations, and avoid high mitigation costs.
About the Author
Michelle Drolet
CEO of Towerwall
Michelle Drolet is the founder and CEO of Towerwall. This specialized cybersecurity consulting firm provides security and compliance services to clients such as Foundation Medicine, Boston College, and UMass Medical Center. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on delivering customized cybersecurity programs to organizations.