What initial steps should be taken when a potential incident is identified?

The Incident Response Team of an organization is responsible for addressing incidents across the business. The IR team’s main goal is to investigate security incidents and ensure that the proper response is initiated. It should include specialized sub-teams, each with specific roles. These include:

  • Security Operations Center (SOC): The first line of defense to triage security alerts
  • Incident Manager: To determine incident response and a plan of action with various stakeholders
  • Computer Incident Response Team: To provide expert technical inputs
  • Threat Intelligence Team: To constantly assess the cyber threat landscape and strengthen the organization’s security profile

In addition to the above-mentioned roles, the team can also contain members of the legal, human resources, and public relations departments.

IR Teams are also referred to as Computer Security Incident Response Team (CSIRT), Cyber Incident Response Team (CIRT), or Computer Emergency Response Team (CERT).

Building Your Incident Response Team

Your incident response efforts depend on how well your CSIRT is built. All the required roles and responsibilities must be filled; gaps in coverage translate into greater damage and longer-running attacks. CSIRT models are of three different types:

Central - The team is made up of a centralized body that oversees IR for the entire company. For example, each subsidiary or branch of a big organization could have its own separate IR team that reports back to a single, central entity.

Distributed - There are multiple teams that work together to coordinate efforts as needed. Each team is usually in charge of a certain aspect of the IT infrastructure, a physical location, or a department.

Coordinated - Central teams are frequently in charge of system monitoring and can alert and assist distributed teams when necessary.

However, it can be difficult to figure out which model is appropriate for your company. The NIST guidelines for IR model selection include the following criteria:

The two most well-respected IR frameworks were developed by NIST and SANS to give IT teams a foundation to build their incident response plans on. Below are steps of each framework:

NIST Incident Response Steps

  • Step #1: Preparation
  • Step #2: Detection and Analysis
  • Step #3: Containment, Eradication and Recovery
  • Step #4: Post-Incident Activity

SANS Incident Response Steps

  • Step #1: Preparation
  • Step #2: Identification
  • Step #3: Containment
  • Step #4: Eradication
  • Step #5: Recovery
  • Step #6: Lessons Learned

When the NIST and SANS frameworks are compared side by side, the components are almost identical, differing slightly in wording and grouping. The biggest difference lies in Step 3, where NIST treats containment, eradication, and recovery as overlapping activities: you shouldn't wait to contain all threats before beginning to eradicate them.

Which Framework is Better?

Some debate which framework is better, but it really comes down to a matter of preference and your organization’s resources. Both come with a comprehensive checklist for your team to follow and get started. This article expands upon the four steps of the NIST Framework, and breaks down what each means for your incident response plan.

Step #1: Preparation

No organization can spin up an effective incident response on a moment’s notice. A plan must be in place to both prevent and respond to events.

Define the CSIRT (Computer Security Incident Response Team)

To act quickly and completely while an incident is unfolding, everyone on the CSIRT needs to know their responsibilities and the decisions that are theirs to make.

The CSIRT should include a cross section of business and technical experts with the authority to take action in support of the business. Members should include representatives from management, technical, legal, and communications disciplines, as well as security committee liaisons. All departments affected by an incident should be in the loop and everyone should have a decision matrix to guide their actions during and after the incident.

The plan should also define who is in charge and who has the authority to make certain critical decisions. Those aren't things to figure out, let alone argue over, in the heat of the moment.

Develop and update a plan

Ensure plans and other supporting documents exist and are updated periodically to remain current. All relevant personnel should have access to the parts of the plan that pertain to their responsibilities and should be alerted when the plan is revised. There should be a feedback loop that is enacted after every significant incident in order to improve the plan continuously.

Acquire and Maintain the Proper Infrastructure and Tools

Have the capabilities to detect and investigate incidents, as well as to collect and preserve evidence. To determine if an attacker is in your environment, it’s critical that you have endpoint security technology that provides total visibility into your endpoints and collects incident data.

Without the right tools, and processes to guide their use, you’ll be ill-equipped to investigate how attackers are accessing your environment, how to mitigate an attacker’s existing access, or how to prevent future access.

Always Improve Skills and Support Training

Ensure the IR team has the appropriate skills and training. This includes exercising the IR plan from time to time. It also includes staffing the IR team, either with in-house staff or through a third-party provider, so that members can take the time away from day-to-day duties needed to maintain certifications and pursue other educational opportunities.

Possess Up-to-Date Threat Intelligence Capabilities

Threat intelligence capabilities help an organization understand the kinds of threats it should be prepared to respond to. Threat intelligence should integrate seamlessly into endpoint protection and use automated incident investigations to speed breach response. Automation enables a more comprehensive analysis of threats in just minutes, not hours, so an organization can outpace advanced persistent threats (APTs) with smarter responses.


Step #2: Detection and Analysis

The second phase of IR is to determine whether an incident occurred, its severity, and its type. NIST outlines five steps within this overall phase:

  • Pinpoint signs of an incident (precursors and indicators): Precursors and indicators are specific signals that an incident is either about to occur, or has already occurred.
  • Analyze the discovered signs: Once identified, the IR team has to determine if a precursor or indicator is part of an attack or if it is a false positive.
  • Incident documentation: If the signal proves valid, the IR team must begin documenting all facts in relation to the incident and continue logging all actions taken throughout the process.
  • Incident prioritization: NIST designates this step as the most critical decision point in the IR process. The IR team can't simply handle incidents on a first-come, first-served basis. Instead, it must score each incident on its impact on business functionality, on the confidentiality of the affected information, and on how recoverable the incident is.
  • Incident notification: After an incident has been analyzed and prioritized, the IR team should notify the appropriate departments/individuals. A thorough IR plan should already include the specific reporting requirements.
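The five detection-and-analysis steps above can be made concrete in code. The following is an added example, not code from the original article or from NIST: it validates observed signals against a known-benign list (analysis), keeps a timestamped action log (documentation), scores an incident on the three impact dimensions the text names (prioritization) and routes notifications by priority band. The impact category names follow NIST SP 800-61; the numeric scoring, thresholds, notification routing, handler names and sample indicators are all assumptions made for this illustration.

```python
"""Triage helpers for the NIST detection-and-analysis steps listed above.

Added example, not code from the original article or from NIST. The impact
category names follow NIST SP 800-61; the numeric scoring, thresholds,
notification routing and sample indicators are assumptions for this demo.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Ordered scales: an entry's index is its score (0 = least severe).
FUNCTIONAL_IMPACT = ["none", "low", "medium", "high"]
INFORMATION_IMPACT = ["none", "privacy breach", "proprietary breach", "integrity loss"]
RECOVERABILITY = ["regular", "supplemented", "extended", "not recoverable"]

# Assumed notification routing per priority band (the "reporting
# requirements" the article says the IR plan should already define).
NOTIFY = {
    "low": ["soc-lead"],
    "medium": ["soc-lead", "incident-manager"],
    "high": ["soc-lead", "incident-manager", "ciso", "legal"],
    "critical": ["soc-lead", "incident-manager", "ciso", "legal", "comms"],
}


@dataclass
class Incident:
    """Incident record: confirmed indicators plus an append-only action log."""
    ident: str
    summary: str
    indicators: list = field(default_factory=list)
    actions: list = field(default_factory=list)   # (utc timestamp, actor, action)
    priority: str = "unscored"

    def log(self, actor, action):
        """Documentation step: every action is timestamped as it is taken."""
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.actions.append((stamp, actor, action))


def validate_indicators(observed, known_benign):
    """Analysis step: separate genuine signals from known false positives.

    `known_benign` is a set of indicator values the SOC has already
    classified as benign (e.g. an authorised scanner's address).
    """
    confirmed = [i for i in observed if i["value"] not in known_benign]
    discarded = [i for i in observed if i["value"] in known_benign]
    return confirmed, discarded


def score_incident(functional, information, recoverability):
    """Prioritisation step: sum the three impact dimensions (0-9) into a band.

    Raises ValueError if a value is not on its scale, so a typo cannot
    silently produce a low priority.
    """
    total = (FUNCTIONAL_IMPACT.index(functional)
             + INFORMATION_IMPACT.index(information)
             + RECOVERABILITY.index(recoverability))
    if total >= 7:
        return "critical"
    if total >= 5:
        return "high"
    if total >= 3:
        return "medium"
    return "low"


def triage(incident, observed, known_benign, functional, information, recoverability):
    """Run validation, documentation, prioritisation and notification in order."""
    confirmed, discarded = validate_indicators(observed, known_benign)
    incident.log("soc-analyst",
                 f"validated indicators: {len(confirmed)} confirmed, {len(discarded)} benign")
    if not confirmed:
        incident.log("soc-analyst", "closed as false positive; no notification sent")
        return incident
    incident.indicators.extend(confirmed)
    incident.priority = score_incident(functional, information, recoverability)
    incident.log("soc-analyst", f"prioritised as {incident.priority}")
    incident.log("soc-analyst", "notified: " + ", ".join(NOTIFY[incident.priority]))
    return incident


# Constructed sample signals: documentation-range addresses and a placeholder
# hash, none of which are real indicators of compromise.
SAMPLE_INDICATORS = [
    {"type": "ip", "value": "203.0.113.7", "note": "burst of failed VPN logins"},
    {"type": "ip", "value": "198.51.100.22", "note": "authorised vulnerability scanner"},
    {"type": "hash", "value": "PLACEHOLDER-HASH-0001", "note": "unsigned binary in temp dir"},
]
KNOWN_BENIGN = {"198.51.100.22"}


def run_demo():
    inc = Incident("INC-0001", "suspected credential stuffing followed by a dropped binary")
    return triage(inc, SAMPLE_INDICATORS, KNOWN_BENIGN, "medium", "privacy breach", "supplemented")


if __name__ == "__main__":
    for stamp, actor, action in run_demo().actions:
        print(stamp, actor, action)
```

The point of routing the false-positive path through the same `log` call is that a closed alert still leaves an auditable record, which is what the documentation step asks for; the scoring function deliberately refuses unknown category values rather than defaulting them to zero.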

Step #3: Containment, Eradication, and Recovery

The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. Once an incident is contained, the IR team can take the time necessary to tailor its next steps. These should include taking any measures necessary to address the root cause of the incident and restore systems to normal operation.

Develop containment, eradication, and recovery strategies based on criteria such as:

  • the criticality of the affected assets
  • the type and severity of the incident
  • the need to preserve evidence
  • the importance of any affected systems to critical business processes
  • the resources required to implement the strategy

At all times, these processes should be documented and evidence should be collected. There are two reasons for this: one, to learn from the attack and increase the security team’s expertise, and two, to prepare for potential litigation.
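The paragraph above asks that evidence be collected with litigation in mind, and the strategy criteria list the need to preserve it. What that means in practice is hashing each artifact at the moment it is acquired and logging every hand-off, so a later reviewer can show the item is unchanged. The following is an added example, not code from the original article; the case identifier, handler names and the two artifacts are constructed for the illustration, and a real evidence locker would persist to write-once storage rather than an in-memory dictionary.

```python
"""Evidence preservation: hash each artifact when it is collected and keep a
chain-of-custody log so its integrity can be demonstrated later.

Added example, not code from the original article. Case id, handler names
and the artifacts themselves are constructed for the illustration; a real
locker would persist to write-once storage rather than a dict.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


def _utc_now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceItem:
    case_id: str
    label: str
    sha256: str
    size: int
    custody: list = field(default_factory=list)   # (timestamp, handler, event)


class EvidenceLocker:
    def __init__(self):
        self.items = {}

    def collect(self, case_id, label, data, handler):
        """Hash the artifact exactly as acquired and open its custody record."""
        digest = hashlib.sha256(data).hexdigest()
        item = EvidenceItem(case_id, label, digest, len(data))
        item.custody.append((_utc_now(), handler, f"collected; sha256={digest}"))
        self.items[label] = item
        return item

    def transfer(self, label, from_handler, to_handler):
        """Every hand-off is logged so the custody chain has no gaps."""
        item = self.items[label]
        item.custody.append((_utc_now(), to_handler, f"received from {from_handler}"))

    def verify(self, label, data, handler):
        """Recompute the hash; record the outcome whether it passes or fails."""
        item = self.items[label]
        ok = hashlib.sha256(data).hexdigest() == item.sha256
        item.custody.append((_utc_now(), handler,
                             "integrity verified" if ok else "INTEGRITY FAILURE: hash mismatch"))
        return ok


# Constructed artifacts standing in for a captured log excerpt and a binary.
AUTH_LOG = (b"2024-01-01T10:00:00Z sshd[412]: Failed password for admin "
            b"from 203.0.113.7 port 51522\n")
SUSPECT_BINARY = bytes(range(256))


def run_demo():
    """Collect two artifacts, hand one off, then verify an intact copy and a
    modified copy. Returns (locker, intact_ok, tampered_ok)."""
    locker = EvidenceLocker()
    locker.collect("INC-0001", "auth.log", AUTH_LOG, "analyst-a")
    locker.collect("INC-0001", "suspect.bin", SUSPECT_BINARY, "analyst-a")
    locker.transfer("auth.log", "analyst-a", "forensics-b")
    intact_ok = locker.verify("auth.log", AUTH_LOG, "forensics-b")
    # A single appended byte must be caught by the hash comparison.
    tampered_ok = locker.verify("suspect.bin", SUSPECT_BINARY + b"\x00", "forensics-b")
    return locker, intact_ok, tampered_ok


if __name__ == "__main__":
    locker, intact_ok, tampered_ok = run_demo()
    for item in locker.items.values():
        print(item.label, item.sha256)
        for stamp, handler, event in item.custody:
            print("   ", stamp, handler, event)
```

Failed verifications are written to the custody log rather than raised and discarded, because a record that an artifact was found altered, and when, is itself evidence the team will need when it reconstructs what happened.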



Step #4: Post-Incident Activity

Every incident should be an opportunity to learn and improve, but many organizations give short shrift to this step. Adversaries are always evolving, and IR teams need to keep up with the latest techniques, tactics, and procedures.

A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents with the goal of improving security as a whole and incident handling in particular. In the case of major attacks, involve people from across the organization as necessary and make a particular effort to invite people whose cooperation will be needed during future incidents.

During the meeting, review:

  • what happened and when
  • how well the IR team performed
  • whether documented procedures were followed
  • whether those procedures were adequate
  • what information was missing when it was needed
  • what actions slowed recovery
  • what could be done differently
  • what can be done to prevent future incidents
  • what precursors or indicators can be looked for in the future

The results of these meetings can become an important training tool for new hires. They can also be used to update policies and procedures and create institutional knowledge that can be useful during future incidents.

CrowdStrike Incident Response

The volume of indicators of potential compromise (IOCs) can be extremely high. Some organizations may even receive millions per day. Separating the signal from the noise is a massive task. CrowdStrike is here to make things easier for your organization. The CrowdStrike Incident Response team takes an intelligence-led approach that blends Incident Response and remediation experience with cutting-edge technology to identify attackers quickly and eject them from your environment. CrowdStrike works collaboratively with organizations to handle the most critical cybersecurity incidents.

Initial steps when a potential incident is identified

  • Gather information
  • Validate the incident
  • Determine the operational impact
  • Coordinate
  • Determine reporting requirements
