A security incident is an event that indicates that an organisation has suffered a cybersecurity breach, such as unauthorised access to, or disclosure of, data. There are several ways an organisation may act in response to an incident, for example by following an incident response plan or policy; the actions taken together form the incident response process.
Assuming an organisation can assess the risk to the affected data or infrastructure, and has the means to detect and report an incident through a security operations centre or security monitoring, incident response may proceed in the following steps:
- Identification: the first-line security team, IT support, or MSSP may discover through their tooling that a security incident has occurred. They verify that the alert is not a false positive and may conduct a preliminary investigation to ascertain which assets are affected and how severely.
- Issue isolation: the issue may then be escalated depending on its severity. At this point, security incident response teams immediately seek to minimise the damage to other parts of the network. They contain the issue by taking the affected systems offline for further forensics, patching systems in the case of a vulnerability, or adding additional controls.
- Root cause analysis: once the issue is contained and the exposed systems no longer face an immediate threat, security incident response teams may conduct a root cause analysis of the incident. Security incidents occur for a variety of reasons, from compromised endpoints to sophisticated malware. After identifying the root cause, they take short- and long-term steps to prevent a recurrence.
- Remediation: security teams deploy remedial measures on the affected systems based on the root cause. They also identify all other potentially affected systems and secure them until the incident has been fully addressed and the attack vector has been mitigated.
- Recovery: the incident response team brings any offline systems back online and restores lost data from backups.
- Resilience: security teams conduct a retrospective on the incident to refine the response process for the future. They build resilience against such incidents into the system, for example through improved monitoring and identification of potential threats. The incident response is documented.
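The six steps above are easiest to operate when they are tracked as a ticket that can only move forward in the documented order, with every step recorded for the final write-up. The following is an added example of such a tracker, written for this page; it is not code from the original article or from Sygnia. The phase names, the 1 to 5 severity scale, the escalation threshold and the sample incident are all constructed assumptions. A ticket may only advance to the next phase once at least one action has been documented in the current phase, identification may close a ticket directly as a false positive, and moving into isolation on a severity at or above the threshold marks the ticket as escalated.

```python
from dataclasses import dataclass, field
from enum import Enum


class Phase(Enum):
    IDENTIFICATION = "identification"
    ISOLATION = "isolation"
    ROOT_CAUSE = "root cause analysis"
    REMEDIATION = "remediation"
    RECOVERY = "recovery"
    RESILIENCE = "resilience"
    CLOSED = "closed"


# Allowed transitions: each phase may only advance to the next one, except
# that identification may close the ticket directly as a false positive.
ALLOWED = {
    Phase.IDENTIFICATION: {Phase.ISOLATION, Phase.CLOSED},
    Phase.ISOLATION: {Phase.ROOT_CAUSE},
    Phase.ROOT_CAUSE: {Phase.REMEDIATION},
    Phase.REMEDIATION: {Phase.RECOVERY},
    Phase.RECOVERY: {Phase.RESILIENCE},
    Phase.RESILIENCE: {Phase.CLOSED},
    Phase.CLOSED: set(),
}

ESCALATE_AT = 3  # assumed severity threshold on a 1 (low) .. 5 (critical) scale


@dataclass
class Incident:
    title: str
    severity: int
    phase: Phase = Phase.IDENTIFICATION
    affected: set = field(default_factory=set)
    actions: dict = field(default_factory=dict)  # phase -> documented actions
    escalated: bool = False

    def record(self, action):
        """Document an action taken in the current phase."""
        self.actions.setdefault(self.phase, []).append(action)

    def add_affected(self, *assets):
        """Add systems found to be affected during investigation."""
        self.affected.update(assets)

    def advance(self, to):
        """Move to the next phase; refuses out-of-order or undocumented moves."""
        if to not in ALLOWED[self.phase]:
            raise ValueError(f"cannot move from {self.phase.name} to {to.name}")
        if not self.actions.get(self.phase):
            raise ValueError(f"{self.phase.name} has no documented action")
        if to is Phase.ISOLATION and self.severity >= ESCALATE_AT:
            self.escalated = True
        self.phase = to

    def close_false_positive(self, reason):
        """Identification may close the ticket without a full response."""
        if self.phase is not Phase.IDENTIFICATION:
            raise ValueError("only an unconfirmed incident can be a false positive")
        self.record(f"false positive: {reason}")
        self.advance(Phase.CLOSED)

    def report(self):
        """The documented response, as produced for the retrospective."""
        lines = [
            f"Incident: {self.title} (severity {self.severity}, escalated={self.escalated})",
            f"Affected systems: {', '.join(sorted(self.affected)) or 'none'}",
        ]
        for phase, acts in self.actions.items():
            for act in acts:
                lines.append(f"  [{phase.value}] {act}")
        return "\n".join(lines)


def run_sample_incident():
    """Constructed walk-through of a confirmed incident through all six steps."""
    inc = Incident("Suspicious login from unknown device", severity=4)
    inc.record("alert verified against VPN logs; not a false positive")
    inc.add_affected("ws-042", "fileserver-01")
    inc.advance(Phase.ISOLATION)
    inc.record("ws-042 taken offline for forensics; VPN account disabled")
    inc.advance(Phase.ROOT_CAUSE)
    inc.record("credentials phished; MFA not enforced on VPN")
    inc.advance(Phase.REMEDIATION)
    inc.record("password reset; MFA enforced on VPN; fileserver-01 scanned")
    inc.advance(Phase.RECOVERY)
    inc.record("ws-042 reimaged and returned to service; no data loss")
    inc.advance(Phase.RESILIENCE)
    inc.record("retrospective held; alert added for VPN logins without MFA")
    inc.advance(Phase.CLOSED)
    return inc


if __name__ == "__main__":
    print(run_sample_incident().report())
```

Keeping the transition table as data rather than scattered conditionals makes the process easy to audit against the written plan, and the "no undocumented phase" rule guarantees that the retrospective has something to work from for every step.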
Depending on its location, an organisation may be obligated to report the incident and their response to the relevant regulatory body. For example, organisations must report data breaches to the Information Commissioner’s Office (ICO) in the United Kingdom. Failure to do this may result in penalties.
What is an Incident Response Plan?
A document, process or policy that specifies the actions an organisation must follow in the event of a security incident is called an incident response plan.
Before drafting an incident response plan, an organisation should identify assets and assess the corresponding security risk in the event of a breach. It should also equip itself with the personnel and infrastructure necessary to provide adequate incident response. Some organisations may use an outsourced security operations centre (SOC) or a managed security service provider (MSSP), such as Sygnia, while others may manage their response in-house.
No matter an organisation's industry, the incident response plan must account for the steps identified above. In addition, the following steps may help when drafting a plan:
- Assess the security risk of critical components: assets that store personal or financial information, or infrastructure that handles business-critical data, are usually the highest-risk components. Identify these and assess their networks and access.
- Establish back-ups and failover controls: keep copies of critical data to guard against data loss, and apply failover controls to infrastructure likely to be susceptible to threats so that a replacement can be provisioned quickly in the event of an incident.
- Map responsible stakeholders, responders and remediators: identify the teams in the organisation that need to be involved in the end-to-end incident response process.
- Prepare for disaster recovery and continuity planning: create a strategy for recovering from network or access outages, continuing business despite inaccessible locations, or database downtime.
- Identify the tools and technologies incident response teams need to mitigate data loss or infrastructure downtime.
- Communicate with internal and external stakeholders, and update and train teams to apply remedial controls and ensure resilience against future incidents.
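The first two drafting steps, assessing the risk of critical components and checking that they have back-ups and failover, can be run as a repeatable check over an asset inventory. The following is an added example written for this page, not code from the original article or from Sygnia. The inventory, the scoring weights (data class, internet exposure, breadth of access, business criticality), the high-risk threshold and the one-day backup-age policy are all constructed assumptions; a real plan would replace them with the organisation's own classification scheme and recovery objectives. The example goes slightly beyond the text by also reporting which high-risk assets lack current backups or failover, which is the gap list the plan needs to close.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed scoring weights for how sensitive the data on an asset is.
DATA_WEIGHT = {"financial": 4, "personal": 4, "internal": 2, "public": 0}
MAX_BACKUP_AGE_DAYS = 1  # assumed policy: critical data backed up daily
HIGH_RISK = 7            # assumed threshold above which gaps are reported


@dataclass(frozen=True)
class Asset:
    name: str
    data_class: str              # key of DATA_WEIGHT
    internet_facing: bool
    access_groups: int           # number of groups granted access
    business_critical: bool
    backup_age_days: Optional[int]  # None means no backup exists
    has_failover: bool


def risk_score(asset):
    """Higher is riskier: sensitive data, exposure, broad access, criticality."""
    score = DATA_WEIGHT[asset.data_class]
    score += 3 if asset.internet_facing else 0
    score += min(asset.access_groups, 3)  # broad access raises risk, capped
    score += 2 if asset.business_critical else 0
    return score


def rank_assets(assets):
    """Assets ordered from highest to lowest risk, ties broken by name."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def coverage_gaps(assets):
    """(asset, gap) pairs for high-risk assets missing backup or failover."""
    gaps = []
    for a in assets:
        if risk_score(a) < HIGH_RISK:
            continue
        if a.backup_age_days is None:
            gaps.append((a.name, "no backup"))
        elif a.backup_age_days > MAX_BACKUP_AGE_DAYS:
            gaps.append((a.name, f"backup {a.backup_age_days} days old"))
        if not a.has_failover:
            gaps.append((a.name, "no failover"))
    return gaps


# Constructed sample inventory; names and attributes are illustrative only.
INVENTORY = [
    Asset("crm-db", "personal", False, 4, True, 0, True),
    Asset("payments-api", "financial", True, 2, True, 3, False),
    Asset("wiki", "internal", False, 6, False, 7, False),
    Asset("marketing-site", "public", True, 1, False, None, True),
]


if __name__ == "__main__":
    for a in rank_assets(INVENTORY):
        print(f"{risk_score(a):2d}  {a.name}")
    for name, gap in coverage_gaps(INVENTORY):
        print(f"GAP: {name}: {gap}")
```

Note that the low-risk wiki has a week-old backup and no failover but is not reported, because the check is scoped to the components the plan identifies as critical; widening the threshold is a policy decision, not a code change.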