gradient

The evolution of incident response: building a successful strategy

With AI capabilities compounding cyber attack sophistication, any organization not making it a priority to effectively prepare for potential data breaches could be placing their business at considerable risk.

Incident response refers to the scope of actions and procedures to be taken during an incident. Essentially this is a set of measures taken to deal with security breaches of various types. A robust incident response strategy can not only make a significant difference in preventing data loss, it can also enable firms to respond rapidly in the event of an incident; communicate to the relevant stakeholders; minimize damage to the company reputation; ensure regulations are met, and reduce the costs of a data breach. Sadly, many organizations (tending to be SMEs rather than larger corporations), do not have a well-prepared, up-to-date incident response strategy in place.

Also referred to as IT incidents and security incidents, such events are to be handled in a way to reduce recovery time and costs. To mitigate risks and be prepared for as wide a range of events as possible, it is therefore vital that organizations create a detailed and comprehensive incident response plan.

Incident response vs disaster recovery

An incident response plan should be incorporated into a disaster recovery plan. These are two components of a comprehensively developed data protection strategy. A common mistake organizations typically make is to create these two plans independently. The right practice is to develop, deploy, and test them as a complex set of measures to protect data security and integrity.

At the same time, even though the objectives of incident response and disaster recovery plans are related, they are not the same. The key difference between incident response and disaster recovery plans lies in the type of events they address. The former defines an incident response team’s roles and responsibilities to ensure smooth running of incident response processes. In turn, a disaster recovery plan focuses on bringing your production environment back to an operational state after an incident occurs and successfully recovering from any caused damage.

An incident response specialist should ensure a uniform approach and make certain that none of the outlined steps are skipped. Another important task is to determine where the problem comes from in order to prevent similar incidents in the future. Finally, it is important to regularly update the incident response plan to make sure it addresses both the ever-evolving cyber threats and current needs of your infrastructure.

If an incident response plan is successfully integrated within the disaster recovery plan, organizations will be able to respond to any disaster in a much faster and more efficient manner.

Building an incident response strategy

Security vulnerabilities, human errors, and technological malfunctions are all possible to avoid, which is why employee training should be a key part of the strategy. In addition, the needs of the environment should be analyzed and it should be ensured that your plans meet them.

Organizations should consider preparing a plan tailored for the possible failure of a VM, network, cloud, data center, and so on. As an example, an effective data protection solution could save quite a lot of time and costs. It should also be considered that there is a risk of a disaster affecting the organization’s physical server, office, the entire building, or even a region. Even though some of these scenarios may seem unlikely, it is better to be prepared for as wide a range of unexpected events as possible.

In this way, the purpose of both incident response and disaster recovery plans is to minimize the impact of an unexpected event, recover from it, and return to the normal production level as fast as possible. Also, both of them contain an element of learning: it is important to identify the roots of a problem and, in such a way, decide how to prevent similar incidents in future. The principal difference is their primary objectives. The purpose of an incident response plan is to protect sensitive data during a security breach, while a disaster recovery plan serves to ensure continuity of business processes after a service disruption. While it is key to remember that incident response and disaster recovery are not two separate disciplines, a good practice is to document two plans separately. Even though it may seem that having one document that covers all possible scenarios is a better idea, consolidated plans might lack depth and contain contradictions. This will simplify the process of document creation, as well as enable IT teams to find an appropriate action scope faster, both during testing and in a real-life situation.

Types of security threats

One of the key principles of incident response and disaster recovery is to carefully develop plans to cover as many recovery scenarios as possible. Naturally, the key point is to do this before a disaster strikes and such a plan is urgently required. To begin with, an attentive look at the types of security incidents is needed. Some of the most common threats are:

DDoS attack

The aim of a distributed denial-of-service (DDoS) attack is to disrupt services and traffic of a target server, network, or website. To carry out an attack, one needs a network of computers infected with malware, or a botnet. The attacker controls bots remotely and sends them the necessary instructions. During a DDoS attack, machines in a botnet start sending simultaneous requests to the target. The flood of malicious traffic can potentially slow down or completely crash the target system. If successful, a DDoS attack renders the service unavailable to users and often results in significant financial damage, as well as the loss or theft of sensitive data.

Malware and ransomware

Malware is a broad term that refers to viruses, worms, spyware, and other types of malicious programs. In some cases, it can act in a relatively inoffensive way (change screen background or delete files), but sometimes it remains hidden and steals sensitive information. Ransomware is a subset of malware, and the key difference is that the system’s user receives a notification with a demand to pay a ransom. As an example, the victim may find their disks or files encrypted, while the attacker normally promises to restore the machine to its previous state after they receive the payment.

Cybersecurity professionals insist that companies should never pay in such cases. On our part, we emphasize that an adequate backup solution is an effective weapon against ransomware. After all, the main reason why a victim might pay a ransom is because they don’t have an alternative.

Phishing

This is a form of cyber fraud with its purpose being to access personally identifiable information (PII). As a rule, attackers use social engineering techniques. The victim might receive an email or text, or come across a social media post containing a link to a page where the visitors are asked to submit their personal details. The key idea is to make the victim believe that they are dealing with a reputable entity like a bank, government agency, or legitimate organization. Incident response in the event of a phishing attack should include both preparation and post-incident phases. It is also important to educate your colleagues so that they can recognize the signs of a phishing attempt and avoid putting the network at risk.

Insider threat

Security threats of this type come from people related to the workflow of an organization, such as its employees, former employees, third parties, contractors, business associates, and so on. In most cases, their main motivation factor is personal gain. However, sometimes malicious insiders want to harm an organization and disrupt its services out of revenge.

A common scenario is when data is stolen on behalf of external parties, such as competitors or business partners. Careless workers who mishandle data or install unauthorized apps pose a threat as well. In other words, all the possible attack vectors must be carefully analyzed to design comprehensive incident response and disaster recovery plans. Once again, training employees and implementing a set of security procedures are two important steps which can help protect the corporate network.

Incident response key takeaways

When it comes to building an incident response strategy, the key thing to remember is that the approach is definitely not one size fits all. Incident response development can be a phased and measured, continuous process. And even for smaller organizations on a tight budget, creating an effective plan is achievable, as long as priority is given to protecting the data that is critical to the business. A firm understanding of regulatory liabilities, escalation processes, and adherence to the reporting requirements, is of course vital. The strategy should ensure the inclusion of rules covering the specific incident scenarios detailed above. The incident scenarios and their applicable responses should be practiced regularly to ensure the IT team is up-to-speed and fully prepared to take the necessary action, and that the procedure will be effective in tackling existing threats.

We’ve featured the best business VPN.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro