Incident Response (IR)

Don’t be caught off guard, plan for a breach before it occurs


What is incident response?

Incident response, or cyber security incident response, refers to the plan and processes an IT team or organisation has in place to detect and respond to cyber threats and breaches should they occur.

A cyber attack or breach can have disastrous consequences for organisations, ranging from reputational damage to business downtime. Therefore, if this does arise, a well-thought-out incident response plan minimises the impact and facilitates the organisation’s speedy recovery.

In the current cyber climate, cyber attacks are occurring more frequently, with harsher implications. As a result, having an incident response plan is becoming increasingly vital for businesses’ survival.

Incident Response Planning

Preparation

Your cyber security incident response plan needs to be well-thought-out to ensure you are properly equipped to deal with a potential breach. This step includes an escalation plan and basic guidelines on legal or regulatory requirements.

Management

Incident management incorporates detecting, logging, and correlating findings across a network. These are then analysed and compared to accurately inform security teams as to whether they need to escalate further action. Often, this is done by a Security Operations Centre (SOC) team using Security Information and Event Management (SIEM) tools. Logging information across your network is good practice; this extends across (but is not limited to) emails, traffic, and remote logins.

Containment

If a breach is detected, it is important that the affected systems are isolated. This ensures that the attack doesn’t spread and that remediation efforts can start. Triaging cyber security incidents helps make certain that the most critical issues are addressed first, making the best use of the team’s response capacity. This step needs to be tailored on a case-by-case basis. Sometimes, it may be more beneficial to monitor and analyse further before you act. This helps create the most relevant response to each scenario.

Response

At this stage, the threat is fully removed from the network. Post attack, infrastructure and networks must be restored to their previous capabilities. Therefore, tasks such as resetting domain admin accounts, removing malicious files, and continued monitoring of the network must take place. This is necessary to guarantee that operations can resume as normal.

Review

This step is vital for the entire cycle, allowing teams to evaluate the events and identify steps for improvement should it happen again. Teams should reflect on whether they believe their response was successful and which elements perhaps could have been dealt with more effectively.

Standard Retainer and Enhanced Retainer

In-depth technical onboarding session
Ability to convert to proactive services
Year on year security improvement
Detection and containment
Threat actor engagement
Forensic investigation
Restoration and remediation
Crisis management support

We have partnered with a specialist Cyber Incident Response team who are available 24/7/365 to minimise the impact of cyber incidents. With a global reach and an award-winning team, our partner provides expert support that transforms a potential crisis into a manageable event.

Why invest in a retainer?

A retainer is a forward-looking investment to improve your cyber resilience while also guaranteeing support in the event of a cyber incident. Most importantly, our retainer customers benefit from reduced likelihood of incidents, greatly reduced impact if they occur, and a dramatic reduction in costs associated with debilitating cyber incidents such as ransomware.

When you partner with an incident response team, they will recommend exercises and mock cyber attacks so you can make those crucial decisions before an attack happens. When key decisions have been made in advance, they are much easier to implement in a crisis. A rapid, expert-led response gets your business back online faster, minimising downtime and financial loss. It will also drastically reduce the stress experienced by your team.

“It’s much better when we collaborate with our customers to embed MDR responsibilities into their incident response plan, rather than the alternative of getting into an incident and not having a plan or even knowing if MDR will cover those things.”

– Mat Gangwer, Vice President of Managed Threat Response, Sophos


Compliance

The convergence between cyber security and compliance has furthered the need for an incident response plan. Nearly all organisations hold personal data for their employees and customers. This means they must adhere to the privacy laws set out by the GDPR and DPA regulations. There may also be specific regulatory requirements for the sector (e.g., DORA for the financial sector) and, potentially, specific customer reporting requirements based on contractual agreements.

The National Institute of Standards and Technology (NIST) provides comprehensive guidelines for incident response. This Cybersecurity Framework aims to help organisations navigate cyber incidents and ensure they remain compliant with industry standards.

General Data Protection Regulation (GDPR) stipulates strict guidelines on data protection and requires organisations to report breaches within 72 hours. This must be integrated into an incident response plan.

Incident reporting plays a central role in remaining transparent about threats an organisation could potentially be facing. This is necessary to ensure the protection of your entire supply chain.