Incident and Breach Response
What is Incident Response?
Incident response (IR) is a structured methodology for handling security incidents, breaches, and cyber threats. A well-defined incident response plan allows you to effectively identify a cyber attack, minimize its damage, and reduce its cost, while finding and fixing the cause to prevent future attacks.
During a cybersecurity incident, security teams face many unknowns and a frenzy of activity. In such a hectic environment, they may fail to follow the proper incident response procedures needed to limit the damage. A security incident can be a high-pressure situation, and your IR team must immediately focus on the critical tasks at hand. Thinking clearly and swiftly taking pre-planned incident response steps during a security incident can prevent many unnecessary business impacts and reputational damage.
Wire Speed Systems can help your team perform a complete, rapid and effective response to a cyber security incident by having a comprehensive incident response (IR) plan in place. In addition, we assist in completing an incident response plan checklist and in developing and deploying an IR policy, which will help your organisation before you have fully developed your IR plan.
The steps we take after a cybersecurity event occurs
The first priority is to prepare in advance by putting a concrete IR plan in place. We assist organisations in establishing and battle-testing a plan before a significant attack or data breach occurs. We address the following response phases as defined by NIST:
Preparation
Planning in advance how to handle and prevent security incidents
Containment, Eradication, and Recovery
Developing a containment strategy, identifying and mitigating the hosts and systems under attack, and having a plan for recovery
Detection and Analysis
Everything from monitoring potential attack vectors, to looking for signs of an incident, to prioritization
Post-Incident Activity
Reviewing lessons learned and having a plan for evidence retention

Figure 1 – The NIST recommended phases for responding to a cybersecurity incident
Building on the outlined NIST phases, here are specific incident response steps to take once a critical security event has been detected:
1. Assemble your team
It’s critical to have the right people with the right skills, along with associated tribal knowledge. Appoint a team leader who will have overall responsibility for responding to the incident. This person should have a direct line of communication with management so that important decisions—such as taking key systems offline if necessary—can be made quickly.
In smaller organizations, or where a threat isn’t severe, your SOC team or managed security consultants may be sufficient to handle an incident. But for the more serious incidents, you should include other relevant areas of the company such as corporate communications and human resources.
If you have built a Computer Security Incident Response Team (CSIRT), now is the time to activate your team in collaboration with the Wire Speed Systems Tiger Team, bringing in the entire range of pre-designated technical and non-technical specialists.
If a breach could result in litigation, or requires public notification and remediation, you should notify your legal department immediately.
2. Detect and ascertain the source
Our CIRT (Tiger Team), together with your team, will first work to identify the cause of the breach and then ensure that it’s contained. Our teams will become aware that an incident is occurring or has occurred from a very wide variety of indicators, by making use of our next-generation security solutions as well as your other existing solutions: