Incident Response

14 August 2022 | by Xavier Bellekens


What is Incident Response?

The goal of incident response is to contain the damage from a security breach and minimize the impact on your business operations. This goal is achieved through a combination of technical and non-technical controls.

Let’s explore this a bit more in depth in this article.

What is incident response in cybersecurity?

Incident response is the process of identifying, containing, eradicating, and recovering from a cybersecurity incident.

The goal of incident response is to minimize the damage caused by an incident and to help the organization return to normal operations as quickly as possible.

Depending on the nature of the incident, incident response may involve one or more of the following activities: identifying the scope of the incident; analyzing system and network logs; conducting interviews with affected users; collecting forensics data; containing the incident; eradicating the cause of the incident; and recovering data and systems.

Incident response plans should be tailored to the needs of the organization and should be regularly tested and updated.

What are Incident Response Steps?

There are typically five steps in the incident response process:

Planning and Preparation:
Planning and preparation are critical to incident response. Organizations should have an incident response plan that spells out who is responsible for each step of the process and what needs to be done. The plan should be regularly tested and updated. This can also be done through an incident response playbook.

Detection and Analysis:

This step involves identifying the scope of the incident and analyzing system and network logs to determine what happened. The detection of the incident should be done as early as possible. This is where technologies such as cyber deception can play a key role. The analysis of the incident can take many forms, and may also involve conducting interviews with affected users.

Incident Containment and Eradication:

The goal of this step is to contain the damage from the incident, eradicate the cause of the incident, and recover data and systems. This may involve disconnecting compromised systems from the network.

Post-incident recovery:

This includes documenting the incident and conducting a postmortem analysis to determine what could be done to prevent similar incidents in the future.

Why is incident response planning important?

When an incident occurs, it is important to have a plan in place for how to respond. An incident response plan helps to ensure that everyone knows what to do and who is responsible for each task. This can help to minimize the impact of an incident and prevent it from escalating.

Without a plan, there is a greater risk of confusion and chaos, which can lead to more serious consequences. A well-crafted IR plan should take into account the specific needs of the organization and the types of incidents that are most likely to occur.

An incident response plan must be created to fit with an organization’s priorities and amount of acceptable risk. As an incident is not just a technical concern, it affects the entire organization.

This plan should be designed to minimize the disruption and data loss that can occur during and after an incident. The Incident Response Plan should be tailored to the specific needs of the organization, taking into account both the short-term operational requirements and the long-term strategic goals. The Incident Response Plan should be regularly reviewed and updated as necessary, in order to ensure that it remains effective.

In order for the incident response plan to be effective, it is essential that the leaders of the organization understand both the short-term operational requirements and the long-term strategic goals. Only by understanding these goals will they be able to develop an incident response strategy that meets the needs of the organization. The leaders of the organization must also be familiar with the capabilities and limitations of their incident response team, in order to make the best use of their skills. Only by having a clear understanding of the goals and objectives of the organization can the leaders develop an effective plan.

For better handling of upcoming incidents and a more robust security posture overall, the knowledge gathered during the incident response process can also be fed back into the risk assessment process as well as the incident response process itself and on previous incidents. When asked about an incident by shareholders, customers, the media, judges, and auditors, a company with an incident response plan may point to its records and demonstrate that it responded to the attack in a responsible and thorough manner.

Organizations often Lack a Plan

Despite the obvious requirement for incident response plans, a startlingly high percentage of firms either don’t have one or have a poorly constructed one.

This is a serious problem, because without a well-designed incident response plan, an organization is much more likely to suffer serious damage in the event of a security breach or other major incident.

Furthermore, an inadequate incident response plan can actually make the situation worse by causing confusion and delay. This is why it’s so important for organizations to take the time to develop a comprehensive, well-tested incident response plan. By doing so, they can ensure that they are prepared to deal with any potential crisis in an efficient and effective manner.

In a Ponemon survey, respondents stated that they lacked a formal incident response plan, and that their strategy was either informal or nonexistent. Only 32% of those with IR strategies consider their initiatives to be “mature.”

Incident Response Plan Templates

It’s critical to remember that an IR plan continues to be valuable even after a cybersecurity incident has been resolved.

The information gathered can be used as evidence in court, as documentation for auditors, and as a source of historical information to help assess risks and enhance incident response procedures.

Here are a few sample incident response plan templates, so you can get a better concept of what one might look like.

  1. Michigan IR provides a sample IR plan covering all incident response processes as a PDF. It provides all the key information an incident response team should use.
  2. TechTarget / Paul Kirvan provides an effective incident response Word document that can be used as a sample by incident response services. The plan contains guidelines and planning scenarios, suggested actions and activities to carry out before, during and after a breach, IR escalation and communication processes, as well as IR checklists and documentation.
  3. The Berkeley Security Incident Response Plan Template provides key information on how to handle security incidents and how incident response teams can handle new and future incidents.
  4. The California Department of Technology’s Incident Response Plan example is a Word document with key information on human resources, incident response preparation, managing your incident response effort and your cyber incident response team.

Incident Response Frameworks

Incident response frameworks help organizations create standardized response plans. These frameworks are typically developed by large organizations with a lot of security expertise and experience. There are two well-known frameworks, developed by NIST and SANS.

SANS Incident Response Framework

The SANS organization is dedicated to offering information security training and certifications. They offer live instructor-led courses as well as online courses and immersion boot camps. They also offer a variety of resources such as books, white papers, and webcasts. In addition, the SANS organization hosts a number of conferences each year. SANS has published an incident response framework that is laid out as follows:

The six phases of the SANS Incident Response framework are each listed below:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

These steps are described in the Incident Handler’s Handbook.

The phases are simply described in the SANS framework. Additionally, SANS provides two templates with practical system commands for the preparation and identification phases, as well as an IR checklist for each phase. These templates are offered for UNIX and Windows systems.

NIST Incident Response Framework

NIST is the National Institute of Standards and Technology, a non-regulatory agency of the United States Department of Commerce. NIST’s mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance security and improve our quality of life.

The incident response framework provided by NIST contains four phases, which are as follows:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

NIST thinks containment, eradication, and recovery are all overlapping phases. For instance, you shouldn’t wait to fix problems until all dangers have been identified before containing threats within your systems. Instead, even if other threats still exist, you should contain and eliminate threats as quickly as you can.

Who should be involved in incident response planning?

Often the first responses will be your incident response team and all information gathered will often be shared with the blue team. Then the information will be shared with infrastructure managers and the managers of services implicated in the attack. Finally, the information will reach the CEO, CFO and the Board of Directors. At a later stage, the communication team may also be involved to discuss the incident publicly.

What is an incident response team?

There are three types of incident response teams, CSIRT, CERT and CIRT.

A CSIRT (computer security incident response team) is a team of experts that responds to computer security incidents. These teams usually consist of security professionals from one organization who work together to investigate and resolve cyber incidents.

CERT (computer emergency response team) is another term that is sometimes used interchangeably with CSIRT. However, CERT is a trademark of Carnegie Mellon University, and a CERT usually consists of security professionals from one or several organizations who work together to investigate a type of problem. CERTs also often focus on threat intelligence as opposed to incident response. However, some teams have been known to assist in incident response.

CIRT (cyber incident response team) is also a similar term, but it specifically refers to teams that deal with responding to cyber incidents. CIRTs are often part of larger organizations like CERTs, but they can also be standalone units. The main difference between these terms is that CSIRTs focus specifically on computer security incidents, while CERTs and CIRTs may deal with other types of emergencies as well as threat intelligence.

The role of a computer security incident response team

A CSIRT’s key duties are to provide support during and after a security incident, coordinate the response to incidents, collect and analyze data related to incidents, and develop plans and procedures for dealing with incidents.

CSIRTs also work to prevent future incidents by identifying and addressing vulnerabilities. CSIRTs are typically composed of security professionals with experience in incident response, forensics, and malware analysis.

Computer security incident response teams often work with law enforcement, ISPs, and other organizations to resolve incidents. CSIRTs may also be responsible for coordinating the response to large-scale incidents or orchestrating international responses to global incidents.

Building a CSIRT

The better your CSIRT is built, the more effective your incident response efforts will be. If you are not able to fill all the necessary roles and responsibilities, then you may have gaps in your response. That can lead to more damage and longer attacks. To avoid this, it is important to use the NIST guidelines to help build your security team and staff it with security analysts.

The NIST framework defines three models of CSIRT:

  1. Distributed
  2. Coordinated
  3. Central

It is important to identify the type of CSIRT team you want to build based on the size of your organisation and the capabilities you want your team to have.

Defining your team model

It can be difficult to know which model is best for your organization. To help you decide, you can refer to the NIST guidelines, which provide some considerations to help, such as:

  1. The availability of your team
  2. The needs of the organization
  3. The size of the team and the staffing of the team
  4. The roles in the team
  5. The level of expertise needed
  6. The types of incidents the team will face
  7. The budget allocated to the team

Incident Response Services

Incident response (IR) services are managed services that can be used in place of, or in addition to, internal teams.

These services often have a set range of offerings, a monthly fee, and work on retainer. They have the advantage of frequently providing a higher degree of expertise than is available internally, and of being able to provide 24/7 monitoring and response.

They can help you with:

  1. Preparation – Develop an IR plan based on your needs
  2. Detection and Analysis – The services are available to track security issues, pinpoint incidents, and categorize threats.
  3. Containment, Eradication, and Recovery – Providers can carry out the initial response actions or even come on site to support internal responders.
  4. Post-Incident Activity – assist teams in conducting root-cause analysis and offer assessments of the efficacy of the corresponding response measures. These services can also help your public relations departments to handle any post-incident communication.

How can Cyber Deception Help Incident Response Efforts

Technically, a deception program can assist in tracking all IT assets as well as how partners, Security Operations Centers (SOCs), Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs) handle particular threats. Additionally, it lowers the overall risk and aids in threat modeling and incident response.

Preparation Phase:

Deception is a powerful tool that can be used to great effect in IT and digital risk management. By definition, deception involves deliberately providing false or misleading information in order to gain an advantage. In the context of incident management, deception can be used to mislead attackers, deter them from targeting your system, or even help you to understand their methods and motivations. Additionally, deception can play a role in information sharing, preventative defense, compliance, and insider and supplier management programs. By understanding how deception can be used to beneficial effect in each of these areas, you can develop a more effective and comprehensive incident response management strategy.

Detection and Analysis:

Deception is a time-tested strategy for detecting and responding to threats. By deception, we mean the use of false or misleading information to cause an adversary to reveal his plans or capabilities prematurely, or to otherwise misdirect his actions. Deception can take many forms, from simple visual illusions to elaborate ruses involving multiple services and false documents. Deception is an active security solution that can be deployed across your infrastructure. Regardless of the specific approach, the goal is always the same: to cause the adversary to expend time, energy, and resources. During that time, incident response activities can take place, threat intelligence services can collect data, security operations can continue monitoring the incident and stop further damage.

Lupovis can help detect threats early and help with the containment and response to a particular threat by providing contextual threat intelligence in real time. Furthermore, it eliminates false positives, as decoys only yield true positive alerts to ongoing cyberattacks, cybersecurity incidents and security breaches. Deception is also very effective against advanced threats and insider threats alike.
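The two mechanics described in the Detection and Analysis sections above, scoping an incident from system logs and treating a decoy as a source of true-positive alerts, are shown together in the following added example. It is not code from the article or from the Lupovis platform: the sshd-style log lines are constructed for the example, and the decoy account name `svc_backup_decoy`, the host names and the IP addresses are assumptions. Any authentication attempt against the decoy account is raised as an alert; the script then pivots on the alerting source addresses to list every host those addresses logged into, which is the containment candidate list a responder would hand to the next phase.

```python
"""Added example (not from the article): scope an incident from auth logs
and use a decoy account as a high-confidence tripwire.

All log lines, host names, IPs and the decoy account name are CONSTRUCTED
assumptions for this example.
"""
import re
from collections import defaultdict

# Constructed sample of sshd authentication lines in syslog format.
SAMPLE_LOGS = """\
Aug 14 02:11:03 web01 sshd[2231]: Accepted password for deploy from 198.51.100.23 port 51022 ssh2
Aug 14 02:11:45 web01 sshd[2240]: Failed password for root from 198.51.100.23 port 51030 ssh2
Aug 14 02:12:10 db01 sshd[1180]: Accepted password for svc_backup_decoy from 198.51.100.23 port 51044 ssh2
Aug 14 02:13:02 db01 sshd[1190]: Accepted publickey for deploy from 198.51.100.23 port 51050 ssh2
Aug 14 02:15:40 fileshare sshd[990]: Accepted password for svc_backup_decoy from 198.51.100.23 port 51077 ssh2
Aug 14 03:01:12 web02 sshd[3311]: Accepted publickey for alice from 203.0.113.7 port 40100 ssh2
Aug 14 03:05:00 web01 sshd[2299]: Accepted publickey for bob from 192.0.2.44 port 40200 ssh2
"""

# A decoy account has no legitimate user, so any use of it is a true positive.
# (Assumed account name.)
DECOY_ACCOUNTS = {"svc_backup_decoy"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_logs(text):
    """Parse sshd lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def decoy_alerts(events):
    """Every attempt (successful or failed) against a decoy account is an alert."""
    return [e for e in events if e["user"] in DECOY_ACCOUNTS]


def scope_incident(events, alerts):
    """Pivot from the alerting source IPs to everything those IPs touched.

    Returns the attacker IPs, the hosts where they obtained a successful login
    (containment candidates), the legitimate accounts they used, and the
    number of attempts seen per host.
    """
    attacker_ips = {a["ip"] for a in alerts}
    compromised_hosts = set()
    exposed_accounts = set()
    attempts = defaultdict(int)
    for e in events:
        if e["ip"] not in attacker_ips:
            continue  # unrelated traffic stays out of scope
        attempts[e["host"]] += 1
        if e["result"] == "Accepted":
            compromised_hosts.add(e["host"])
            exposed_accounts.add(e["user"])
    return {
        "attacker_ips": sorted(attacker_ips),
        "compromised_hosts": sorted(compromised_hosts),
        "exposed_accounts": sorted(exposed_accounts - DECOY_ACCOUNTS),
        "attempts_per_host": dict(attempts),
    }


def analyze(text=SAMPLE_LOGS):
    """Run detection and scoping over a log text; returns (alerts, scope)."""
    events = parse_auth_logs(text)
    alerts = decoy_alerts(events)
    return alerts, scope_incident(events, alerts)


if __name__ == "__main__":
    alerts, scope = analyze()
    for a in alerts:
        print(f"DECOY TRIPPED: {a['ts']} {a['host']} user={a['user']} from {a['ip']}")
    print("Containment scope:", scope)
```

On the constructed sample the decoy is tripped twice from one source address; pivoting on that address shows three hosts with successful logins (including `web01`, where the decoy was never touched) and one legitimate account, `deploy`, whose credentials should be treated as exposed. The failed `root` attempt is counted in the per-host attempts but does not widen the compromised-host list.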

Containment and Eradication:

Deception is a powerful tool in the fight against threats. As Lupovis gathers contextual threat intelligence in real time on adversaries, on the tactics, techniques, and procedures they use, and on the affected systems, that information can be used in near real time by security teams to eradicate the threat.

To see how cyber deception can help you with your incident response, simply reach out to us.

