What is Incident Response?

September 9, 2020  |  Mark Stone

This blog was written by a third-party author.

As new types of security incidents are discovered, it is absolutely critical for an organization to respond quickly and effectively when an attack occurs. When both personal and business data are at risk of being compromised, the ability to detect and respond to advanced threats before they impact your business is of the utmost importance.

As the threat landscape broadens, having to defend yourself is no longer an “if” but a “when.” Data breaches and cyberattacks can wreak havoc on your organization, affecting a wide range of business assets — including customer trust, company time and resources, intellectual property, and brand reputation.

According to Ponemon’s Cost of a Data Breach Report, organizations with robust security Incident Response (IR) capabilities reduced breach-related costs by an average of about $2 million USD. That saving is the difference between organizations with a dedicated Incident Response team that tests its plans and those with neither an IR team nor testing. With the average cost of a data breach hovering around $3.86 million, or $150 per lost record, the “time is money” proverb holds.

Incident Response defined

An Incident Response Plan (IRP) is a set of procedures used to respond to and manage a cyberattack, with the goal of reducing costs and damage by recovering swiftly. A critical component of Incident Response is the investigation process, which allows companies to learn from the attack and be better prepared for future attacks. Because most companies experience a breach at some point, one of the best ways to protect your organization is a well-developed and repeatable Incident Response plan.

The goal of incident management is to identify and respond to any unanticipated, disruptive event and limit its impact on your business. These events can be technical — network attacks such as denial of service (DoS), malware or system intrusion, for example — or they may result from an accident, a mistake, or perhaps a system or process failure.

Today, a robust Incident Response Plan is more important than ever. The difference between a mere inconvenience and a total catastrophe for your organization may come down to your ability to detect and assess the event, identify its source and causes, and have solutions readily available.

Incident response best practices

Tyler Cohen Wood, former Senior Intelligence Officer with the Defense Intelligence Agency, explains that some of the most successful IR practices include response steps for various realistic scenarios. “An IR program should outline steps to take in the case of ransomware attacks, integrity attacks (manipulation of sensitive data), and exfiltration of sensitive data,” she advised. “Another best practice is performing periodic simulated cyberattack exercises to test your IR program and ensure that everyone involved understands exactly what to do and who oversees the response.”

Wood, who has helped the White House, DoD, federal law enforcement, and the intel community thwart national cyber threats, also recommends knowing exactly where, what, and how your most sensitive data is stored. This information, she said, should be included in the IR process.

Equally important for any sized organization is to recognize and plan for cyberattacks that seek to alter or manipulate data rather than steal it outright. “This type of breach can be more difficult to ascertain,” she explained. “For this reason, it's critical to have data manipulation attacks on your radar and incorporated into your threat detection as well as your Incident Response plan.”


Building an Incident Response Plan

An Incident Response Plan serves as a blueprint for the measures to be followed when responding to a security incident.

A security incident is defined as a successful penetration, an attempt to breach a security policy, a system compromise, or unauthorized access to information.

According to the National Institute of Standards and Technology, a robust IRP has four crucial elements:

  • Preparation
  • Detection and analysis
  • Containment and eradication
  • Post-incident recovery approach

“It is vital to understand that no matter the scenario, all cyberattacks require Incident Response,” said Wood. “NIST’s approach is a successful way to look at IR. The best situation is to have enough preventive measures in place, such as threat detection and intelligence integration tools — along with mandatory cybersecurity awareness training — to stop a breach from happening.”

Incident response teams

In order to be effective, an IRP should extend beyond the security team.

The IR team should include stakeholders from both business and IT who have decision-making authority on behalf of the business. Your team should include IT, management, legal, HR and communications (PR) disciplines, and security committee liaisons. All departments affected by an incident should be kept up to date, and all parties should have a well-defined plan to follow during and after an incident. The more proactive organizations even include business partners and third-party organizations in their security drills for better results.

A successful IRP cannot rely on mere guesses or be left to chance. Attackers will often do whatever they can to locate a company’s “crown jewels.”

How Incident Response pairs with threat detection

The “response” in Incident Response begins as soon as an analyst detects a potential threat in a company’s environment. If that threat intelligence is of poor quality or not actionable for the Incident Response team, IR operations suffer. When analysts are not spending their time verifying that defenses are up to date, chasing false positives, researching a specific threat, or looking for clues, they are free to move through the Incident Response lifecycle much more quickly.

Incident Response is ultimately reliant on threat detection, and the best threat detection depends on visibility into where your sensitive data and most valuable assets reside. The faster you identify your security blind spots, the more effective you will be in responding to a potential threat or incident. With that visibility and intelligence, you can prioritize your cybersecurity drills and know precisely when your IRP must be put into action so that potential damage is minimized.

Finally, Wood notes that suffering a cyberattack does not necessarily mean the end of your business. “How you respond to the incident will usually dictate what the outcome will be,” she said. “In my experience, it's always best to be open and transparent about the attack.”
