Cyber attacks are all too common these days. They are getting faster, more frequent and more sophisticated. Companies should be prepared when these inevitable attacks occur. One of the critical security controls to mitigate and lower this risk is to have an effective incident response and management program.

The goal of the incident response and management program is to successfully detect, understand, manage, investigate, and recover from the breach in the shortest amount of time possible. Not having an effective program:

• may damage company reputation, lose money, customers, and competitive advantage, or incur hefty fines
• may take several weeks or months to detect the breach
• maybe too late for the company to develop procedures, data collection, legal protocols, and communications strategy when a breach occurs
• may lead to panic mode leading to more damage, infecting more systems and losing more data.

An effective incident management plan should:

• determine and document the scope of the breach (such as systems and data impacted, department impacted, magnitude of impact, and severity)
• collect forensic evidence from log data, security tools, disk images, security video, etc.
• perform root cause analysis (RCA)
• return to secure state by remediation or mitigation
• gather threat intelligence to improve defense, deploy security solutions, and detect malicious behaviors

There are several processes for an effective incident response: Preparation Process -> Detection Process -> Analysis Process -> Notification Process -> Remediation or Mitigation Process

What to do in the preparation process:

1. Understand your environment and the threats to it
2. Define roles and responsibilities and contact information
3. Gather third-party contact information to be used to report a security incident, such as Law Enforcement, relevant government departments, vendors, etc.
4. Plan how to respond and identify key partners, data sources and technologies
5. Practice just like a Disaster Recovery (DR) test
6. Continually review and refine the plan as the environment changes

What to do during detection process:

1. Assess threats by gaining visibility to any active threats
2. Define reporting outlet and encourage end user reporting
3. Use technology to detect attack
4. Contain damages by stopping the attack and recovering the affected endpoints

What to do during analysis process:

1. Determine the impact and scope of the breach
2. Protect and preserve the forensic evidence for investigation and root cause analysis
3. Perform any remediation

What to do during notification process:

1. Communicate diligently to upper management, internal stakeholders, or end users
2. If the breach has to be communicated externally (e.g. to customers, law enforcement, etc.), involve the legal team and use your defined communication strategy.

What to do during remediation or mitigation process:

1. Implement temporary measures
2. Coordinate with stakeholders
3. Document changes
4. Secure defenses

An effective incident response program is a well documented plan (consisting of people, processes, and technologies) that is up to date and highly tailored to the need of the company.