Incident response explained: 6 steps to handle a cyber incident

Summary: Incident response minimizes cyber risk via six steps: prepare, identify, contain, eradicate, recover, and improve. NordStellar enhances protection with proactive tools.
Incident response plans kick into gear when organizations detect potential cyber threats. Streamlined incident response strategies monitor the attack surface and network traffic, neutralizing data leaks or ransomware attacks before they become critical.
NordStellar's cybersecurity solutions can help you build resilience and flexibility. Our solutions track data into the darkest corners of the web and scan every endpoint. With our help, you can track every credential and block every vulnerability.
However, incident response has many components. This article will explore how incident response works, writing incident response plans, and equipping teams with the necessary tools.
What is incident response?
Incident response is a structured method for responding to cybersecurity incidents. In cybersecurity, incident response plans identify, contain, and neutralize threats while enabling swift system recovery.
Companies need streamlined and effective incident response policies to minimize damage from cyber threats. A robust incident response plan prevents escalation, ensuring minor threats do not compromise business continuity.
Incident response complements incident management. Incident management is a broader approach to organizing responses involving stakeholder coordination, communication protocols, and long-term security improvements.
Incident response is a tactical approach. It deals with practical steps to handle threats and minimize damage. The two concepts intersect, but play different roles in the cybersecurity landscape.
What are security incidents?
In the cybersecurity context, security incidents are malicious events that breach network defenses. Companies need a working definition of security incidents that trigger incident response procedures.
Security incidents take several forms. Some types steal confidential data or compromise data integrity. Others harm critical network infrastructure, making systems and data unavailable. Common varieties include:
- Ransomware. Attackers infect network assets with malicious software, often via phishing attacks. Malware could steal data and monitor network activity or hold systems ransom until the company makes crypto payments.
- Denial-of-Service attacks. Attackers direct swarms of bots against network infrastructure. Bot swarms overload networks with surplus traffic, often resulting in network outages and website downtime.
- Credential compromises. Companies discover that employee or customer credentials are available for sale on the Dark Web. Alternatively, security teams uncover evidence of users breaking security via weak passwords or sharing credentials across accounts.
- Zero-day exploits. Attackers identify flaws in application code and exploit these flaws to gain access to target networks. Security incidents arise when companies discover exploits affecting critical systems. Incidents persist until the underlying flaw has been patched.
- Insider threats. Malicious actions by authorized users (employees, trusted vendors, or security partners) invoke incident responses. Insiders may damage network assets, steal data, or execute fraud via company systems.
Why does incident response matter in cybersecurity?
Incident response matters because robust response plans help mitigate the threats above. Delays in responding to a cyber incident raise the risk of financial and reputational losses, while regulators penalize businesses that respond slowly and put customer data at risk.
This is not an abstract point. Real-world examples demonstrate why rapid, comprehensive incident response plans are essential.
Equifax
The 2017 Equifax data breach is a great example. The credit rating company identified a data breach affecting 148 million customers but delayed disclosure by six weeks. The company was also slow to fix the problem: unpatched Apache Struts elements in web applications. Even worse, Equifax initially failed to identify the scope of the breach, taking six more weeks to notify UK customers.
Consequences: An immediate 30 percent drop in Equifax's stock market value, compliance actions by the FTC and EU GDPR regulator, and over $1.4 billion in fines.
Uber
In 2016, Uber suffered a significant data breach, losing over 57 million customer records to ransomware attackers. The company paid the ransom but did not report the incident for over a year. Even though the company paid, hackers exposed the details of over 600,000 Uber drivers.
Consequences: Uber's slow incident response led to severe regulatory penalties of $148 million. The company agreed to strict FTC oversight until regulators detected improvements.
SolarWinds
The 2020 SolarWinds attack became one of the largest supply chain attacks in history. Russian hackers breached the firm's Orion customer management system, using it to distribute malicious updates. In total, 18,000 customers received the patches, which enabled IT system hijacks and secondary malware infections.
Consequences: Regulators found that SolarWinds failed to follow SOC 2-compliant IT policies and delayed disclosure of the exploit attack. Moreover, several cybersecurity companies failed to report the incident, leading to separate prosecutions.
Zoom
During the COVID pandemic, video messaging company Zoom experienced a wave of "zoombombing" incidents where attackers disrupted or monitored confidential meetings.
In this case, Zoom responded proactively and transparently. Security teams implemented end-to-end encryption and updated security settings during a 90-day improvement plan.
Consequences: Zoombombing incidents faded away throughout 2020. By 2023, media reports suggested the problem had been fixed, and Zoom suffered relatively few negative consequences.
These case studies show that prompt incident response avoids damaging consequences in the future. Incident response plans allow companies to inform customers and regulators transparently and to take prompt action where it's needed.
Steps of an incident response plan
We know incident response plans matter, but that is only half the story. More importantly, how can you implement effective incident responses that cover critical areas and minimize damage?
Security experts generally follow six incident response steps from preparation to institutional learning. This model works for most organizations and contexts, and it provides a robust basis for IR policies. Let's see how it works.

1. Preparation
Incident response processes start long before incidents occur. Companies must lay the foundations to deal with threats and continually improve responses.
Developing a consistent incident response plan is crucial. This plan must explain roles and responsibilities. It should set out processes to identify, contain, and mitigate threats. Plans also explain communication policies, detail who must be informed, and provide timeframes for disclosure.
Preparation also involves assembling a competent incident response team, and training team members in their roles. Workshops and testing exercises ensure the team is functional and the IR plan works as designed.
The preparation phase also sources tools to assist cyber incident response teams (such as threat intelligence platforms or Intrusion Detection and Response (IDR) solutions). Security teams may also organize network audits to improve security, patch applications, and refresh staff training.
2. Detection and analysis
The detection and analysis stage of the incident response process detects active threats and assesses their risk levels. Security teams determine whether the security incident meets the threshold for a full-scale response.
At this stage, security teams rely on real-time Intrusion Detection Systems (IDS) and Endpoint Detection and Response (EDR) tools, which may be part of Security Information and Event Management (SIEM) packages, to coordinate the detection process.
When detecting threats, experts look at activity logs to identify suspicious behavior and traffic data to detect DDoS attacks. They apply incident validation protocols to check that the incident is genuine (and not a false positive). Security teams then start the documentation and containment process.
Detection and disclosure should complement each other. Many data exposure incidents require disclosure to customers and regulators. Timescales vary for GDPR, CCPA, and HIPAA. However, when required, prompt and transparent disclosure is advisable.
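The log review and false-positive check described in this stage can be made concrete with a small detection rule. The following is an added example written for this article, not code from NordStellar or from any product it mentions. It runs a brute-force and credential-compromise rule over constructed SSH-style auth log lines (the log lines, the IP addresses, the thresholds and the scanner allowlist are all assumptions for the example), assigns a severity, and then applies the validation step that decides which alerts meet the threshold for a full-scale response.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an SSH auth log (not real data).
SAMPLE_LOG = """\
2024-03-04T09:00:01 sshd[1201]: Failed password for alice from 203.0.113.7 port 51000
2024-03-04T09:00:03 sshd[1201]: Failed password for alice from 203.0.113.7 port 51001
2024-03-04T09:00:05 sshd[1201]: Failed password for alice from 203.0.113.7 port 51002
2024-03-04T09:00:07 sshd[1201]: Failed password for alice from 203.0.113.7 port 51003
2024-03-04T09:00:09 sshd[1201]: Failed password for alice from 203.0.113.7 port 51004
2024-03-04T09:00:12 sshd[1201]: Accepted password for alice from 203.0.113.7 port 51005
2024-03-04T09:15:00 sshd[1302]: Failed password for bob from 198.51.100.9 port 40000
2024-03-04T09:15:02 sshd[1302]: Failed password for bob from 198.51.100.9 port 40001
2024-03-04T09:15:04 sshd[1302]: Failed password for bob from 198.51.100.9 port 40002
2024-03-04T09:15:06 sshd[1302]: Failed password for bob from 198.51.100.9 port 40003
2024-03-04T09:15:08 sshd[1302]: Failed password for bob from 198.51.100.9 port 40004
2024-03-04T09:15:10 sshd[1302]: Failed password for bob from 198.51.100.9 port 40005
2024-03-04T10:00:00 sshd[1400]: Accepted publickey for carol from 192.0.2.10 port 42000
2024-03-04T10:05:00 sshd[1401]: Failed password for carol from 192.0.2.10 port 42001
2024-03-04T10:05:30 sshd[1401]: Accepted password for carol from 192.0.2.10 port 42002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)

# Assumed tuning values for this example; real thresholds depend on the environment.
FAILURE_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
# Assumed allowlist: sources whose failures are expected, e.g. an internal scanner.
KNOWN_SCANNERS = {"192.0.2.250"}


def parse_line(line):
    """Parse one auth log line into a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def detect_credential_attacks(log_text):
    """Return alerts as (severity, user, src, failure_count, succeeded).

    Rule: FAILURE_THRESHOLD or more failed logins for one (user, source) inside
    WINDOW is 'medium' (brute-force attempt). A successful login from the same
    source while that many failures are still in the window is 'high' (likely
    credential compromise). Allowlisted scanner sources are ignored.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = {}
    for e in events:
        key = (e["user"], e["src"])
        if e["src"] in KNOWN_SCANNERS:
            continue
        if e["result"] == "Failed":
            failures[key].append(e["ts"])
            # keep only failures that still fall inside the sliding window
            failures[key] = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            if len(failures[key]) >= FAILURE_THRESHOLD and key not in alerts:
                alerts[key] = {"severity": "medium", "failures": len(failures[key]),
                               "succeeded": False}
            elif key in alerts:
                alerts[key]["failures"] = len(failures[key])
        else:  # Accepted
            recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAILURE_THRESHOLD:
                alerts[key] = {"severity": "high", "failures": len(recent),
                               "succeeded": True}
            failures[key] = []  # a successful login resets the counter
    return [(a["severity"], u, s, a["failures"], a["succeeded"])
            for (u, s), a in alerts.items()]


def triage(alerts):
    """Validation step: only 'high' alerts meet the bar for a full response."""
    return [a for a in alerts if a[0] == "high"]


if __name__ == "__main__":
    found = detect_credential_attacks(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("escalate:", triage(found))
```

Carol's single mistyped password followed by a successful login produces no alert at all, which is the false-positive case the validation step is meant to catch; Alice's five failures followed by a success from the same source is the pattern that should start containment.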
3. Containment
Containment processes determine the nature of threats to prevent escalation and limit damage. This phase of the incident response plan is critical. It provides breathing room to neutralize attacks without putting data at risk.
Incident response teams immediately isolate affected assets from the wider network. This could involve disconnecting devices, disabling applications, or preventing access for affected user accounts.
Teams must quarantine affected components without damaging evidence. Ideally, quarantine should protect network availability and allow rapid system recovery following remediation. The overall aim is to create a stable environment to neutralize cyber threats.
4. Eradication
Incident response teams must completely remove threats from the network infrastructure. This phase is critical, as incomplete eradication leaves systems open to reinfection or undetected data exfiltration.
Eradication has two components. Firstly, security teams must remove malware, backdoors, or Trojans from quarantined assets. This involves hunting for automated scripts, malicious macros, and fake processes. Every potential threat demands attention.
The incident response team must also deny access to threat actors. Experts must apply security updates, close backdoors, and secure affected user accounts. They may need to reconfigure firewalls or network security tools.
Before the threat is officially neutralized, teams test for reinfection and verify that the threat has been removed. Quarantine ends when there is no evidence of an ongoing threat and the path that allowed the original infection has been closed.
5. Recovery
The next phase in the incident response playbook is restoring system availability. Security teams must restore network apps and web assets to normal with minimal downtime.
Data integrity is critical. Restored data should be secure and unchanged from its pre-incident format. Response teams should be able to rely on clean, recent backups to restore data.
Security teams should test restored systems before allowing complete restoration. This ensures that new patches work effectively and that threat eradication has been successful.
Following restoration, incident teams continue to monitor system performance for evidence of ongoing malicious activity. Teams should also expect secondary infections following initial attacks. Cybercriminals often target compromised organizations, expecting easy access.
The recovery phase concludes when incident response teams are satisfied that the threat is over. Security professionals communicate with relevant stakeholders such as company executives and customers, informing them that the network is secure. They may need to report mitigation actions to regulatory bodies, law enforcement bodies, and cyber insurers (if applicable).
6. Lessons learned
Post-incident actions close the loop, ensuring that organizations make long-term security improvements.
Response teams should review each incident, identifying what worked well and areas to improve. For example, teams may be able to cut the time between detection and response. The review should identify the root cause of the incident and make recommendations about preventing similar incidents in the future.
Remember: Lessons learned reports inform incident response teams about previous successes and failures. The report must serve future response teams and give them a head-start when tackling emerging threats.
Building an effective incident response team
The incident response process above regularly references the need for a skilled and comprehensive security incident response team. However, what skills do you need, and how should you build a team to handle high-pressure crises?
- Set clear roles and responsibilities. Key roles include incident manager, communications officer, a threat intelligence lead, and a lead forensic analyst, with junior analyst roles underneath. Security incident response teams (SIRTs) also include the system owner (generally the IT department), compliance specialists, and an HR representative. Determine critical duties and skills for each role and select team members based on those criteria.
- Upskill team members. Few companies possess outstanding incident response skills. Training and certification are essential. GIAC certifications provide a robust grounding in incident response. The GIAC Enterprise Incident Response (GEIR) qualification is probably most relevant, although the GIAC Certified Incident Handler qualification is also valuable. Red team roles benefit from Offensive Security Certified Professional (OSCP) qualifications. CompTIA CySA+ through CASP+ certification also provides a strong basis in vulnerability management and incident response and suits intermediate and advanced blue team members.
- Run incident workshops. Practice makes incident response teams more confident and efficient. Stage frequent threat workshops that simulate real-time attacks and consider diverse attack vectors. Identify improvement areas emerging from training exercises.
- Take post-incident processes seriously. Incident response teams are often staffed by personnel seconded from other departments, but the team should have a permanent presence. Make incident reports available to members, stage meet-ups, and schedule online events. Don't let teams recede into the background when not directly needed.
- Give team members the tools they need. Skills and practice only go so far. Incident response officers also need technical tools to perform their roles efficiently. Assign resources to detect and neutralize threats (see below for potential options).
Incident response tools and technologies
Incident response teams should exploit the latest technologies when detecting and mitigating threats. Modern incident response tools empower analysts, going well beyond malware or anti-virus scanning. Here are some tools to extend your response toolkit and counter every threat:
Attack surface management
Attack Surface Management (ASM) technologies manage all access points to your corporate network.
For example, NordStellar's ASM solution automatically discovers internet-connected assets via DNS enumeration, web crawling, and OSINT methods. Tools then scan each asset to identify vulnerabilities and recommend solutions.
ASM covers areas that traditional endpoint detection tools miss, like web subdomains and shadow IT assets. That's ideal for companies that depend on complex cloud and hybrid networks.
User and entity behavior analytics (UEBA)
UEBA logs baseline user behavior and detects anomalies. This helps detect attacks before they become critical, as unusual behavior is one of the first symptoms of network infiltration and credential theft attacks.
UEBA also helps guard against insider attacks (for example, employees changing their behavior to access too much data or make unauthorized transfers). It's also a valuable complement to signature-based detection tools.
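The baseline-and-anomaly idea behind UEBA is easy to see in miniature. The following is an added example written for this article, not code from NordStellar or any UEBA product. It builds a per-user baseline from constructed telemetry (daily counts of sensitive files each user opened, all invented for the example), scores the day under review as a z-score against that baseline, and flags the cases the text describes: a user suddenly accessing far more data than usual, and an identity with no baseline at all. The threshold and the standard-deviation floor are assumptions.

```python
from statistics import mean, pstdev

# Constructed sample telemetry (not real data): distinct sensitive files each user
# opened per day over a ten-day baseline window.
BASELINE = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14, 13, 12],
    "bob":   [40, 38, 45, 42, 41, 39, 44, 43, 40, 42],
    "carol": [3, 2, 4, 3, 3, 2, 4, 3, 3, 2],
}

# Constructed observations for the day under review. "dave" has no baseline,
# which is what a freshly created or previously unseen account looks like.
TODAY = {"alice": 14, "bob": 190, "carol": 35, "dave": 7}

Z_THRESHOLD = 3.0  # assumed: flag anything more than three sigma above the baseline
MIN_STDEV = 1.0    # assumed floor so very stable users are not flagged for tiny changes


def build_profiles(baseline):
    """Per-user (mean, stdev) profile; stdev is floored to avoid division by ~0."""
    return {user: (mean(vals), max(pstdev(vals), MIN_STDEV))
            for user, vals in baseline.items()}


def zscore(profile, value):
    mu, sigma = profile
    return (value - mu) / sigma


def detect_anomalies(baseline, today):
    """Return findings as (user, observed_value, z_or_None, reason)."""
    profiles = build_profiles(baseline)
    findings = []
    for user, value in today.items():
        if user not in profiles:
            findings.append((user, value, None, "no baseline: unseen identity"))
            continue
        z = zscore(profiles[user], value)
        if z >= Z_THRESHOLD:
            findings.append((user, value, round(z, 1), "access volume anomaly"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(BASELINE, TODAY):
        print(finding)
```

Note that Bob is flagged even though his raw count is not the largest possible; what matters is the distance from his own normal behavior, which is why a signature-based tool that has no notion of "normal" would not see this at all. Carol's profile shows why the floor on the standard deviation matters: her baseline is so flat that without it a rise of a few files would already score as an extreme outlier.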
Intrusion detection and response (IDR)
Intrusion Detection and Response tools detect cyber threats in real time. IDR solutions scan endpoints and network traffic, using global databases of threat signatures. If they detect the signature of known malware, IDR tools raise alerts and kick-start the incident response process.
Endpoint detection and response (EDR)
EDR resembles IDR in that it involves real-time threat scanning and uses signature-based detection. EDR tools focus on network endpoints (for example, workstations, laptops, mobile devices, and web servers). Tools detect threats at the network edge, reducing the scope for threat escalation and simplifying containment procedures.
Extended detection and response (XDR)
XDR tools combine endpoint detection, traffic scanning, and cloud threat detection. These advanced threat detection tools function well in hybrid cloud environments that standard solutions serve poorly. They are even more effective when combined with ASM tools.
Security orchestration, automation, and response (SOAR)
Security Orchestration, Automation, and Response (SOAR) tools gather threat data from detection systems and streamline the triage and containment incident response steps. SOAR solutions ensure standardized responses to security incidents and automate security responses to reduce incident response times.
Security information and event management (SIEM)
SIEM tools help incident response teams collaborate effectively and understand the threats they face. SIEM solutions take large volumes of real-time threat data and present it in intelligible formats. They synthesize log data, providing invaluable context about alerts. This information helps teams avoid false positives and act when genuine threats materialize.
Threat intelligence platforms
Threat intelligence platforms like NordStellar monitor Dark Web marketplaces and other data sources. They inform companies if criminals are trading employee or user data online, which often allows security teams to outpace attackers and secure compromised accounts.
Incident response teams can also leverage threat intelligence databases to analyze threat vectors. For example, threat databases track known application exploits. This information helps teams identify and patch vulnerabilities.
Creating an incident response plan
As mentioned earlier, incident response relies on a streamlined plan. This point is crucial, so it's worth exploring the indispensable elements of an effective incident response plan.
Generally speaking, incident response plans cover the six steps discussed above. The critical steps are:
- Preparation
- Identification
- Containment
- Eradication
- System recovery
- Lessons learned
Incident managers should be able to use the plan as a roadmap during the response process.
Create sections based on each step. Write short sections for each phase, focusing on essential milestones. Once the team completes these core tasks, they can move on to the next phase.
For instance, the preparation section should define the response team, assign duties, and establish the tools to detect and remove threats. The identification phase should explain how to identify a threat, while the containment section outlines how to quarantine threats effectively.
The incident response plan should also visualize the incident response process as a feedback cycle. Lessons learned from each incident should cycle back to preparation, encouraging continuous improvement.
Common incident response challenges and mistakes
One of the best ways to improve incident response outcomes is to consider where teams go wrong. Incident response processes in the wild encounter several common challenges that others can learn from.
1. Communication breakdowns
Incident response requires collaboration between analysts, executives, compliance experts, and security teams. Keeping everyone in the loop is tough. SIEM and SOAR solutions help to coordinate team members, but strong leadership remains essential.
2. Ensuring visibility
Incident response teams must monitor every endpoint and user, but achieving visibility is difficult. Use the latest attack surface management tools and EDR scanning to cover every security gap.
3. Not updating your incident response plan
Teams should update their incident response plan after every incident. Remember that plans are living documents. They "learn" as teams gain more experience and become more effective over time. If not, they become stale and ineffective.
4. Lags between detection and response
Companies struggle to detect threats, giving attackers time to embed their operations and extract data. Gaps between detection and response make life even easier for attackers. Ideally, you should detect quickly, and respond immediately.
5. Failure to upgrade incident response tools
Threats evolve, and so do detection tools. However, some companies become locked into vendor arrangements or fail to invest regularly. Incident response teams eventually struggle with outdated tools that lack behavioral analysis and cloud-native support needed to neutralize next-generation attacks.
6. Forgetting compliance
Notifying regulators is a critical component of incident responses, but it is an area where companies often drop the ball. GDPR, HIPAA, and PCI-DSS include strict reporting requirements and penalties for non-compliance. However, reporting timeframes vary between jurisdictions. Companies can easily miss deadlines if they fail to integrate compliance into incident response workflows.
How to improve your organization’s cyber resilience
Organizations need effective incident response strategies. Responding to incidents quickly and efficiently guards against data breaches and downtime, building resilience in a turbulent online world.
NordStellar can help you respond when cyber attacks hit. Data breach monitoring solutions inform companies about leaked credentials, allowing for proactive defensive measures. Meanwhile, NordStellar's Attack Surface Management solutions provide comprehensive visibility and lock down every vulnerability.
Give your security team the best chance of neutralizing cyber incidents. Explore how NordStellar can improve your incident response plan today.