What is incident response?
Incident response encompasses the people, processes, and technologies that an organization uses to mitigate damage in the event of a cybersecurity incident. An incident refers to any negative security event that affects an organization's devices, servers, or systems, and can include everything from an employee clicking on a link in a phishing email to a full-fledged distributed denial-of-service (DDoS) attack.
To facilitate effective incident response, it’s essential that every organization have an incident response plan in place, with repeatable procedures and a carefully defined approach to handling a security event from discovery to recovery. For managed service providers (MSPs), efficient incident response is only possible if the organization has taken the time to fully examine and document its IT assets, security architecture, and service dependencies.
Because even the best laid plans can go awry, an organization’s incident response capabilities should be flexible enough to account for the unexpected within each phase. Inspired by the National Institute of Standards and Technology (NIST), here are six areas we recommend your organization consider across the incident response lifecycle:
Preparation
This involves establishing security policies and putting the right capabilities in place so that you can identify the start of an incident and begin to recover as soon as possible. Preparation also includes training your staff in the tools, investigative techniques, and business processes required for their roles and responsibilities.
Identification
In this stage the focus is on pinpointing the actual incident and determining whether your systems and data have been breached. A security information and event management (SIEM) solution or an endpoint detection and response (EDR) solution is a useful technology for identifying and analyzing indicators of irregular activity within your environment.
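A minimal SIEM-style correlation rule of the kind the identification phase relies on, as an added example that is not part of the original article: it parses constructed authentication log lines and flags a successful login preceded by a burst of failures from the same source for the same user (the log format, threshold, and time window are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log lines (not from the article).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z host=fs01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:03Z host=fs01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:05Z host=fs01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:06Z host=fs01 user=alice src=10.0.0.5 result=FAIL
2024-05-01T09:00:09Z host=fs01 user=alice src=10.0.0.5 result=SUCCESS
2024-05-01T09:15:00Z host=mail02 user=bob src=10.0.0.9 result=FAIL
2024-05-01T09:15:30Z host=mail02 user=bob src=10.0.0.9 result=SUCCESS
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>FAIL|SUCCESS)$")

def parse_log(text):
    """Parse raw lines into dicts with a real timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def find_suspicious_logins(events, max_failures=3, window=timedelta(minutes=5)):
    """Flag a SUCCESS preceded by more than max_failures FAILs from the same
    source for the same user inside the window (thresholds are assumptions)."""
    recent_fails = defaultdict(list)  # (user, src) -> timestamps of failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            recent_fails[key].append(ev["ts"])
            continue
        fails = [t for t in recent_fails[key] if ev["ts"] - t <= window]
        if len(fails) > max_failures:
            findings.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                             "failures_before_success": len(fails),
                             "success_at": ev["ts"].isoformat()})
        recent_fails[key].clear()  # a success closes the window for this pair
    return findings
```

Each finding names the host, user, and source address, which is exactly the information the containment phase needs to decide what to isolate and which evidence to preserve.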
Containment
You must act quickly to contain confirmed threats, including steps to minimize identified damage or exploitation in order to limit any possible spread to other networks and hosts within your environment and to those of your customers. Collecting and preserving evidence, blocking firewall ports, logging access, and isolating and patching systems may form a large part of your containment phase.
Eradication
After the containment phase, you will often have to take further steps to completely remove the underlying components of the incident and to address any vulnerabilities exposed during the incident. Similar to containment, eradication involves a sufficient period of monitoring to ensure the security and integrity of your systems and to verify that the root cause of the incident has been fully stopped and removed.
Recovery
In this phase, your business must focus on restoring any compromised hosts, applications, or networks to normal operations. As part of your incident response plan, your organization should have a business continuity and disaster recovery (BCDR) plan in place that details the actions needed to rebuild infected systems, replace compromised files, reset passwords, patch systems, and secure network perimeters.
Takeaways
A crucial (but often overlooked) part of incident response is to document, communicate, and build upon lessons learned. This phase provides an opportunity for your key stakeholders and staff to collaborate and discuss the overall experience in order to respond better to any future incidents that may occur. The threat landscape is constantly evolving, so you should also look for ways to regularly use cybersecurity research to inform your incident response capabilities.
The MSP role in incident response
As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security through offerings and services related to incident response.
24/7 threat monitoring and response
Because cyber attacks can occur at any time, your business and its clients need rapid, continuous threat detection and response capabilities. Enter: the security operations center (SOC). A SOC is a 24/7 team of experts who proactively hunt for, triage, and respond to cyber threats in real time.
The unfortunate reality is that most organizations don’t have the resources required to build out a full internal SOC, which costs an average of $2.86 million annually to staff in house. To overcome cost as a barrier to entry, MSPs can work with a SOC provider that serves as an extension of their in-house security team, even if you are the only member. What’s more, this gives you the ability to offer your clients SOC-as-a-Service solutions that can seamlessly scale as needed.
Threat intelligence
As mentioned above, it can be incredibly beneficial to use the latest cybersecurity research to inform and enhance your incident response capabilities. Creating or working with a threat research team (aka threat intelligence team) can help MSPs to stay on top of emerging security threats and provide best-in-class guidance to their customers. There are many options available here depending upon your industry. Consider researching an information sharing and analysis community (ISAC) or organization (ISAO) for specific industry threat intelligence.
Because the goal of cyber threat intelligence is to benefit the information security community at large, many leading threat research teams provide their findings to the public via free, regularly updated data feeds.