Globally, cyber-attacks are on the rise. The recent pandemic accelerated the shift towards digitalisation, remote work, and cloud-based services. While this is advantageous on many fronts, it has also left unprepared businesses exposed to malicious and increasingly sophisticated attacks. In the event of an attack, it is critical to have an incident response plan and an incident response team already in place.
What is incident response?
Incident response is the organised process of detecting, handling and recovering from a security incident, such as a data breach caused by a cyber-attack.
The goal of incident response is to contain the incident, minimise damage and restore normal operations as quickly as possible. A cybersecurity incident response typically follows a set of steps known as the incident response cycle.
The cycle begins with preparation and the identification of an incident, followed by containment, eradication, recovery and a lessons-learned review. To be effective, incident response must be planned and rehearsed in advance so that every stakeholder knows how to react when a breach occurs. It is a complex and critical process, but by following the proper steps organisations can minimise the impact of a security breach and get back to business quickly.
What kind of incidents are we defending against?
Any form of unauthorised access to sensitive company or client data should be considered an incident. While some of these incidents can be caused by employees unknowingly, many are malicious cyber-attacks that aim to extract some form of reward - either monetary or to simply send a message. Some of the most frequent incidents include:
- Brute force attacks: In a brute force attack the attacker tries to gain unauthorised access to a system or account by systematically submitting candidate passwords (or keys) until one works, using automated tooling to make thousands of guesses per minute. The attack relies on weak or guessable credentials and on the target not limiting login attempts. Defenders usually spot it as a burst of failed logins from one source, and rate limiting, account lockout and multi-factor authentication blunt it.
- Ransomware: Many financially motivated criminals turn to ransomware. Its popularity has grown alongside cryptocurrencies, which give attackers a payment channel that is hard to trace. For ransomware to work, the attacker must first gain access to your systems or files and then hold them hostage, typically by encrypting them, before demanding payment. The threat can be substantially reduced by blocking that initial access with layered security controls and by keeping tested, offline backups so that encrypted data can be restored without paying.
- Phishing and social engineering: Social engineering remains one of the most common routes to a successful cyber-attack because it targets people rather than systems. Attackers pose as a legitimate person or organisation to gain the victim's trust. They often prey on newer or less experienced staff who may be unaware of scam tactics, tricking them into clicking a malicious link, entering credentials on a fake site or downloading malware via email or other communication channels.
- Privilege Escalation Attack: The attacker gains unauthorized access to a system or an account with limited privileges and then exploits vulnerabilities or uses various techniques to elevate their privileges to gain higher-level access. This can involve exploiting software vulnerabilities, misconfigurations, or weaknesses in access control mechanisms. Once the attacker gains higher privileges, they can access sensitive data, install malicious software, modify system configurations, or perform other malicious activities.
- DDoS: In a Distributed Denial of Service (DDoS) attack, attackers flood the target network or service with huge volumes of traffic generated by a large pool of previously compromised machines (a botnet). Since the servers are neither designed nor able to absorb such a surge, they crash or become too slow for legitimate users.
- Supply chain attacks: As third-party service providers become more popular, so have supply chain attacks. This is a type of cyber-attack whereby the hacker will infiltrate the vendor itself. By secretly deploying malware into the code of the application, it spreads to all computers and users that download and use it. These attacks take advantage of the permissions granted to applications that users consider trustworthy.
- Insider threats: Not all incidents are perpetrated by outsiders, and the larger your business, the higher the chance of encountering an insider threat. Some insiders act maliciously for personal or financial gain, others negligently or carelessly. What they have in common is the misuse, deliberate or not, of legitimate access that the organisation granted them.
- MitM attacks: Man in the Middle (MitM) attacks are a cybersecurity incident wherein the hacker inserts themselves between the user and the service. This is sometimes done through website spoofing, taking advantage of insecure networks, and more. Once in this position, the hacker may intercept, modify, or “listen in” between the two parties.
- Advanced Persistent Threat (APT): An Advanced Persistent Threat (APT) is a sophisticated and targeted cyber-attack that is typically carried out by skilled and well-resourced adversaries, such as nation-states or organized criminal groups. APTs are characterized by their persistence, stealth, and long-term objectives. Unlike opportunistic attacks, APTs focus on specific targets and aim to gain prolonged access to the target's systems or networks without being detected. The attackers employ various tactics, such as social engineering, zero-day exploits, and advanced malware, to bypass defenses and maintain a persistent presence for espionage, data theft, or sabotage purposes.
What are incident response plans?
An incident response plan is a document that sets out the actions and procedures to follow in the event of an attack. At a minimum, the plan should cover:
- Personnel roles and responsibilities
- Communication instructions and procedures
- Criteria for identifying, containing, and eliminating different types of cyber incidents
- Steps to restore operations back to normal
- Communication plan to inform company leaders, employees, customers, and law enforcement
- Analysing the incident and weaknesses to prepare for the future
Incident response teams
In the event of a cyber-attack, it can be difficult to react promptly and correctly without the correct experience. A cyber incident response team is a dedicated team of IT specialists who enact incident response plans and help mitigate disasters. They will help in identifying and controlling the crisis as it happens. Crucially, they will also help analyse the incident to help prevent future attacks of a similar fashion.
Incident response framework
Organizations can benefit greatly from looking at existing incident response frameworks so they have a better idea of how to build their own plans in a well-structured manner. These frameworks provide a systematic and coordinated way to handle incidents, minimize their impact, and facilitate effective recovery. Although the following frameworks have slightly different approaches, they suggest similar steps to implement when responding to security incidents.
- NIST Incident Response Framework: Developed by the National Institute of Standards and Technology (NIST), this framework outlines a four-phase process: (1) preparation; (2) detection and analysis; (3) containment, eradication and recovery; and (4) post-incident activity. It emphasises proactive planning and continuous improvement.
- SANS Incident Response Process: Created by the SANS Institute, this framework consists of six phases: preparation, identification, containment, eradication, recovery, and lessons learned. It focuses on thorough incident detection, analysis, and response, as well as knowledge sharing for future incident prevention.
- ISO 27035: This international standard provides guidelines for incident response management, including preparation, detection and reporting, assessment and decision-making, response, and lessons learned. It emphasizes the importance of a well-defined incident response plan and continuous improvement based on lessons learned.
- CERT/CC Incident Response Process: Developed by the CERT Coordination Center, this framework follows a cyclical process that includes preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. It emphasizes the importance of information sharing and collaboration with external entities.
Although these frameworks differ in detail, they converge on the same key steps, and those steps should form the backbone of your own protocol so that you can respond swiftly and effectively.
What are the incident response steps?
The main incident response steps, following that shared structure, are outlined below.
#1: Preparation
The time before an incident is crucial. You never know how long you have until you find your organisation under attack, so it is important to be proactive and forward-thinking. The first step in preparing for cybersecurity incidents is to review the security policies and measures currently in place.
You may then conduct an internal risk assessment to determine whether these policies are sufficient. Almost every business has some vulnerability, and it is important to find these weak spots well before an attacker does. Next, the plan needs to identify the high-priority assets within the business. These vary with the nature of your company, but usually include customer data and the systems essential to operations.
The next step in preparation for the incident is to upgrade, replace, or add new security measures. Taking the above information into account, this should strengthen your cybersecurity defences significantly. For example, a business lacking in backups may decide to look into cloud-based storage to prevent data from being lost in an incident.
Lastly, an incident response plan should detail the roles and responsibilities of key personnel in anticipation of an incident. Together with a clear communication plan, this will make the handling of the incident organised, orderly, and efficient.
#2: Identification
Your organisation's monitoring should be constantly on the lookout for potential threats. When one is detected, your team should establish the following:
- The nature of the attack
- Where does it originate from?
- What are the goals of the attack?
- When did the event begin?
- Which parts of your organisation have been affected, that is, touched by the attack in any way?
- Which of those have actually been compromised, meaning the attacker gained control of a system or access to data?
Some of this information may not be immediately relevant but can prove crucial later in understanding the motives or source of the attack. This can help in later defence preparations. Your communication plan should also be enacted at this point. This will help inform all relevant individuals and kickstart the containment process.
#3: Containment
Once an incident is confirmed, the immediate goal is to stop it spreading and prevent further damage; this is containment. It is vital to carry out a proper containment phase rather than skipping straight to eradication. Containing the attack gives your team time to gather evidence and understand how the breach happened, which is what you need in order to prevent it from happening again.
Note that there are both short-term and long-term containment measures. Short-term containment means isolating the affected parts of your infrastructure, for example blocking the attacker's source addresses, disabling compromised accounts or disconnecting affected hosts from the network. Long-term containment is concerned with resuming operations, for instance on patched or temporarily rebuilt systems, while the attacker's access remains blocked and the original breach stays quarantined for analysis.
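The identification questions above and the short-term containment measures that follow from them, worked through in code. This is an added example and not Sangfor's code: it runs over constructed sshd-style auth-log lines (documentation IP ranges), and the log year, the failure threshold and the time window are assumptions rather than values from the page. It flags brute-force sources, distinguishes hosts that were merely targeted from hosts where the attacker actually logged in, and turns that summary into a list of containment actions.

```python
"""Identification and short-term containment for a brute-force login incident.
Added example (not Sangfor's code); sample log, year, threshold and window are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in auth.log style; addresses come from documentation ranges.
SAMPLE_AUTH_LOG = """\
Mar 14 02:11:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 14 02:11:03 web01 sshd[2213]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 14 02:11:04 web01 sshd[2214]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar 14 02:11:05 web01 sshd[2215]: Failed password for alice from 203.0.113.7 port 51026 ssh2
Mar 14 02:11:06 web01 sshd[2216]: Failed password for alice from 203.0.113.7 port 51027 ssh2
Mar 14 02:11:09 web01 sshd[2217]: Accepted password for alice from 203.0.113.7 port 51028 ssh2
Mar 14 02:15:30 db01 sshd[4410]: Failed password for bob from 203.0.113.7 port 51100 ssh2
Mar 14 02:15:31 db01 sshd[4411]: Failed password for bob from 203.0.113.7 port 51101 ssh2
Mar 14 02:15:32 db01 sshd[4412]: Failed password for bob from 203.0.113.7 port 51102 ssh2
Mar 14 02:15:33 db01 sshd[4413]: Failed password for bob from 203.0.113.7 port 51103 ssh2
Mar 14 02:15:34 db01 sshd[4414]: Failed password for bob from 203.0.113.7 port 51104 ssh2
Mar 14 03:00:00 web01 sshd[2300]: Failed password for carol from 198.51.100.9 port 40000 ssh2
Mar 14 03:00:01 web01 sshd[2301]: Accepted publickey for carol from 198.51.100.9 port 40001 ssh2
"""

LOG_YEAR = 2024  # assumed: syslog timestamps carry no year
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_log(text):
    """Turn raw lines into event dicts sorted by time; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            events.append({"ts": ts, "host": m["host"], "result": m["result"],
                           "user": m["user"], "src": m["src"],
                           "valid_user": m["invalid"] is None})
    events.sort(key=lambda e: e["ts"])
    return events

def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Map (source, host) -> start of the first window holding >= threshold failures."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[(e["src"], e["host"])].append(e["ts"])
    flagged = {}
    for key, stamps in failures.items():  # stamps are already in time order
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged[key] = stamps[lo]
                break
    return flagged

def identify(events, threshold=5, window=timedelta(seconds=60)):
    """Answer the identification questions: origin, start time, affected vs. compromised."""
    flagged = detect_brute_force(events, threshold, window)
    if not flagged:
        return None
    hit = lambda e: (e["src"], e["host"]) in flagged
    # "Compromised" is stricter than "affected": the attacking source must have
    # achieved a successful login on that host after the brute force began.
    compromised = sorted({(e["host"], e["user"]) for e in events
                          if e["result"] == "Accepted" and hit(e)
                          and e["ts"] >= flagged[(e["src"], e["host"])]})
    return {
        "source_ips": sorted({src for src, _ in flagged}),
        "started_at": min(flagged.values()),
        "affected_hosts": sorted({host for _, host in flagged}),
        "targeted_accounts": sorted({e["user"] for e in events
                                     if e["result"] == "Failed" and e["valid_user"] and hit(e)}),
        "compromised": compromised,
    }

def short_term_containment(summary):
    """Immediate containment actions derived from the summary, as (action, target) pairs."""
    actions = [("block_source", ip) for ip in summary["source_ips"]]
    for host, user in summary["compromised"]:
        actions += [("isolate_host", host), ("disable_account", user)]
    compromised_users = {u for _, u in summary["compromised"]}
    # Accounts that were targeted but not (yet) compromised get a forced credential rotation.
    actions += [("force_password_rotation", u) for u in summary["targeted_accounts"]
                if u not in compromised_users]
    return actions

if __name__ == "__main__":
    summary = identify(parse_log(SAMPLE_AUTH_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
    for action, target in short_term_containment(summary):
        print(f"containment: {action} {target}")
```

On the sample data the script reports one source, two affected hosts (db01 and web01) but only one compromised host (web01, account alice, where the accepted login followed the failures), and so isolates only web01 while blocking the source everywhere. The single failed attempt from 198.51.100.9 followed by a key-based login stays below the threshold, which is the kind of false positive a naive "any failure then success" rule would raise.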
#4: Eradication
Once the incident has been contained, the incident response team carries out the steps to eradicate it. This means sweeping every affected device, application and network for any trace of the intrusion: malware, web shells, rogue accounts, persistence mechanisms and the vulnerability that let the attacker in. Depending on what is found, this may mean patching and updating, resetting credentials, or rebuilding or replacing systems outright.
#5: Recovery
Once the malware and other anomalies have been completely cleaned from your systems, operations can start to resume. The recovery stage of an incident response plan guides this process from start to finish.
If your organisation has backups, they can be used to restore systems from the last known-good backup taken before the breach began; a newer backup may faithfully preserve the attacker's changes, and a backup store the attacker could reach may itself have been tampered with, so verify backups before restoring from them. Your incident response team should monitor the entire process to ensure no remnant of the intrusion has persisted.
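The restore-point decision described above, as an added example that is not part of Sangfor's material. The snapshots, file contents, hash manifests, incident start time and the "known-bad" hash set are all constructed here so the script runs offline; in practice the manifests would come from the backup system and the known-bad hashes from the indicators gathered during identification. It picks the newest snapshot taken strictly before the incident began, rejects one whose data no longer matches its manifest, and would also reject any snapshot carrying a known-bad file.

```python
"""Choosing and verifying a restore point during recovery.
Added example (not Sangfor's code); snapshots, manifests, hashes and times are constructed."""
import hashlib
from datetime import datetime

def sha256(data):
    return hashlib.sha256(data).hexdigest()

GOOD_CONF = b"listen 443 ssl;\n"
GOOD_INDEX = b"<html>ok</html>\n"
WEBSHELL = b"<?php system($_GET['c']); ?>\n"   # constructed stand-in for a dropped file
KNOWN_BAD_HASHES = {sha256(WEBSHELL)}          # constructed indicator-of-compromise list
INCIDENT_START = datetime(2024, 3, 14, 2, 11, 1)  # assumed: output of the identification phase

def snapshot(sid, taken_at, files, manifest=None):
    """A backup snapshot: the data plus the hash manifest recorded when it was taken."""
    if manifest is None:
        manifest = {path: sha256(data) for path, data in files.items()}
    return {"id": sid, "taken_at": taken_at, "files": files, "manifest": manifest}

SNAPSHOTS = [
    snapshot("nightly-0312", datetime(2024, 3, 12, 1, 0),
             {"/etc/nginx/site.conf": GOOD_CONF, "/var/www/index.html": GOOD_INDEX}),
    # The backup store itself was written to after the fact: data no longer matches the manifest.
    snapshot("nightly-0313", datetime(2024, 3, 13, 1, 0),
             {"/etc/nginx/site.conf": GOOD_CONF, "/var/www/index.html": b"<html>defaced</html>\n"},
             manifest={"/etc/nginx/site.conf": sha256(GOOD_CONF),
                       "/var/www/index.html": sha256(GOOD_INDEX)}),
    # Newest and internally consistent, but taken after the breach began, so it
    # faithfully preserves the attacker's file.
    snapshot("nightly-0314", datetime(2024, 3, 14, 3, 0),
             {"/etc/nginx/site.conf": GOOD_CONF, "/var/www/index.html": GOOD_INDEX,
              "/var/www/up.php": WEBSHELL}),
]

def verify_snapshot(snap, known_bad=KNOWN_BAD_HASHES):
    """Return a list of problems; an empty list means the snapshot is safe to restore."""
    problems = []
    for path, expected in snap["manifest"].items():
        data = snap["files"].get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif sha256(data) != expected:
            problems.append(f"manifest mismatch: {path}")
    for path in sorted(snap["files"].keys() - snap["manifest"].keys()):
        problems.append(f"not in manifest: {path}")
    for path, data in sorted(snap["files"].items()):
        if sha256(data) in known_bad:
            problems.append(f"known-bad content: {path}")
    return problems

def select_restore_point(snapshots, incident_start, known_bad=KNOWN_BAD_HASHES):
    """Newest snapshot taken strictly before the incident began that passes verification."""
    chosen, report = None, {}
    for snap in sorted(snapshots, key=lambda s: s["taken_at"], reverse=True):
        if snap["taken_at"] >= incident_start:
            report[snap["id"]] = ["taken after the incident began"]
            continue
        problems = verify_snapshot(snap, known_bad)
        report[snap["id"]] = problems
        if chosen is None and not problems:
            chosen = snap["id"]
    return chosen, report

if __name__ == "__main__":
    chosen, report = select_restore_point(SNAPSHOTS, INCIDENT_START)
    for sid, problems in report.items():
        print(sid, "OK" if not problems else "; ".join(problems))
    print("restore from:", chosen)
```

The report keeps a reason for every rejected snapshot, which is what the post-incident review will want to see; note that the known-bad check is only a floor, since a snapshot with no known indicators can still carry something the investigation has not identified yet, which is why monitoring continues after the restore.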
#6: Post-incident Analysis
The last step of an incident response plan is the most important one. A cybersecurity breach is an unfortunate and difficult situation, but it also provides plenty to learn from. The incident response team reviews the details of the attack gathered throughout the response. That information identifies the weaknesses that were not picked up during preparation and informs recommendations for making the organisation's overall security more robust.
At this stage, an incident response plan forms a highly beneficial feedback loop.
What Security Platforms and Tools are useful for incident response?
Businesses may choose to use a variety of solutions together to form their cyber security incident response. These include solutions which allow quicker detection of threats, better containment, automated analysis, and swifter recovery of any affected systems. Here are some of the most commonly used technologies:
- Network detection and response (NDR): NDR platforms such as Sangfor's Cyber Command are purpose-built to detect and react to threats around the clock. By monitoring internal network traffic, NDR technologies can uncover security breaches and analyse threats in real time.
- Endpoint detection and response (EDR): Traditionally, the biggest weakness of an organisation's security is the user and, by extension, the user's devices. Also known as endpoints, these devices need to be monitored by EDR solutions. EDR software is installed on employees' endpoints, such as laptops and desktops, continuously analyses their activity and scans for threats. If any are found, the incident response plan can be enacted.
- Threat Intelligence Platforms: Threat intelligence platforms gather, analyze, and share information about emerging threats, vulnerabilities, and indicators of compromise. Threat intelligence platforms such as Sangfor’s Neural-X provide valuable context and insights to incident response teams, helping them make informed decisions and prioritize their response efforts.
- Extended Detection and Response (XDR): Cybersecurity systems are complicated with tools that are designed for niche purposes, and no one-size-fits-all solution. XDR technology, like Sangfor’s Extended Detection Defense and Response (XDDR), helps to bridge the gap between different technologies. First and third-party tools can be leveraged in tandem to create a secure system.
- Application containment: While thousands of new malware strains are discovered each day, a small percentage manage to get through. Some of this malware can take control of applications and cause severe disruptions from within. Application containment technologies help quarantine affected applications until they are fully dealt with.
- Next-generation firewalls: Firewalls are a common control, found even on consumer devices. Next-generation firewalls such as Sangfor Next Generation Firewall (NGAF) take the idea further by filtering network and application traffic for threats so that the great majority are stopped at the perimeter. NGAF also correlates with Cyber Command to deal with network threats automatically through SOAR (Security Orchestration, Automation, and Response), which streamlines and automates a range of tools from a single interface.
Why do organizations need a response to cybersecurity incidents?
A widely quoted estimate is that 60% of small businesses hit by a cybersecurity breach close within six months; whatever the exact figure, the cost of an unhandled breach can be existential. Bigger businesses may have the capital to withstand an attack, but their reputation and growth may never be the same again. Preparation is the one factor common to those who successfully mitigate a cyber-attack, and security solutions are used effectively by businesses that understand the risks at hand. Here are some quickfire reasons why businesses need incident response:
- It allows you to react quickly to cyber-attacks
- It limits the financial damage an incident can do to your business
- A secure business is one with a good reputation
- Incident response plans are required for compliance in many businesses and industries
Outsourcing incident response services
Instead of a dedicated in-house team, incident response services can be outsourced to a specialized vendor. There are a couple of advantages to doing this:
- Outsourced security teams can be far more cost-efficient. This makes them attractive to smaller organisations that want the benefits of a larger, skilled team without carrying its full cost.
- You work with a specialized team with lots of experience in the field.
Plenty of businesses that try to handle everything in-house without sufficient resources end up with a sub-par response to cyber incidents.
Sangfor Incident Response
The Sangfor Incident Response team offers a range of key investigation approaches to address security incidents. This includes identifying the initial attack vector, providing insights into the attack and its impact, conducting malware analysis to understand the behavior and nature of the malicious files, determining the chain of attacks executed by the hacker, and identifying other potential cyber risks and control gaps.
Our team aims to deliver realistic remediation plans, industry best practices, and follow-up activities to mitigate future risks and provide peace of mind to organizations facing security incidents. The service minimizes the need for physical visits, considering the current pandemic situation, and offers cost-effective deployment options.
The Sangfor Incident Response Team has over 5000 hours of cumulative experience in handling malware, data breaches, and more. Our team helps take the stress out of a cyber-attack and will go the extra mile for recovery. During an incident, our team helps enact each step of the plan and produces an analytical forensic report covering the root cause of the breach and recommended security improvements.
Examples of incident response plans & useful links
- Example from Michigan Government: https://www.michigan.gov/-/media/Project/Websites/msp/cjic/pdfs6/Example_Incident_Response_Policy.pdf
- Example from NCSC UK: https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes
Sangfor Incident Response Success Stories
A Vietnamese manufacturing customer called upon Sangfor Cyber Guardian security services to attend to a security incident and subsequently enhance its security operations.
Sangfor HQ experts identified the ransomware as belonging to the Ryuk family and mapped its path of destruction through the network. The Sangfor Hong Kong FAE helped the customer install Endpoint Secure to remove the malware entirely.
Frequently Asked Questions
What is the difference between incident response and disaster recovery?
While incident response and disaster recovery are related, they serve different purposes and address different aspects of handling and mitigating incidents and disruptions.
Incident response is a structured approach to managing and responding to cybersecurity incidents. It focuses on promptly detecting, containing, and mitigating the impact of security incidents to minimize damage, restore services, and prevent future incidents.
Disaster recovery (DR) on the other hand focuses on restoring critical business operations and IT infrastructure after a major disruption or disaster. This can include events such as natural disasters, system failures, power outages, or large-scale cyber-attacks.
By dedicating resources solely to disaster recovery, organizations may overlook the importance of incident response. Without a robust incident response capability, organizations may face prolonged disruptions, increased financial loss, reputational damage, and regulatory consequences. Incident response allows for a swift recovery by containing incidents before they escalate into full-blown disasters.
Furthermore, incident response helps identify vulnerabilities and weaknesses in the organization's systems and processes, enabling proactive measures to prevent future incidents and strengthen overall resilience. It complements disaster recovery efforts by addressing the root causes and mitigating risks before they lead to severe disruptions.
What are incident response best practices?
Organisations can enhance their incident response capabilities, minimise the impact of security incidents, and improve their overall cybersecurity posture by adopting the following best practices.
- Preparation and Planning: Develop a well-defined incident response plan that outlines roles, responsibilities, and procedures for handling incidents. Regularly update and test the plan to ensure its effectiveness.
- Incident Identification and Classification: Implement robust monitoring systems and security controls to detect and classify security incidents promptly. Establish clear criteria for incident severity to prioritize response efforts.
- Rapid Response: Enable a rapid response capability by establishing a dedicated incident response team. This team should be trained and equipped to quickly assess and contain incidents, minimizing the damage and potential spread.
- Containment and Eradication: Isolate affected systems or networks to prevent further compromise. Identify the root cause, remove malicious activity, and restore affected assets to a secure state.
- Forensic Investigation: Conduct a thorough investigation to determine the scope of the incident, gather evidence, and identify the attacker's tactics, techniques, and motives. Preserve evidence for potential legal or regulatory requirements.
What are common incident response mistakes?
Organisations should be aware of the following common mistakes and take proactive steps to avoid them, so that their incident response capabilities improve and the impact of security incidents is minimised.
- Inadequate Incident Detection: Insufficient monitoring and detection capabilities can result in delayed or missed detection of security incidents, allowing attackers to dwell longer within the network.
- Slow Response and Containment: Delayed or ineffective response and containment measures can allow the incident to spread, causing further damage and increasing the recovery time.
- Ineffective Communication: Poor communication and coordination among stakeholders, both internal and external, can hinder the sharing of critical information and delay decision-making during incident response.
- Neglecting Forensic Investigation: Failing to conduct thorough forensic investigations can result in an incomplete understanding of the incident, missed indicators of compromise, and an inability to prevent future incidents.
- Lack of Post-Incident Analysis: Neglecting to conduct a comprehensive post-incident analysis prevents organizations from identifying and addressing root causes and vulnerabilities that allowed the incident to occur.