Introduction: Insider's Guide to Incident Response
This incident response (IR) guide contains insider secrets. Pass it on.
The fight to protect your company’s data isn’t for the faint of heart. As an embattled IT warrior with more systems, apps, and users to support than ever before, you know that keeping everything up and running is a battle in itself. When it comes to preventing the worst-case scenario from happening, you need all the help you can get, despite your super-hero status.
That’s why we’ve developed this guide. We’ve collected and curated decades of infosec war stories and hacker intelligence from across the galaxy, so that you’re better armed in the fight against cybercrime. You’ll get an insider’s perspective on how to build an incident response plan and team, and on what tools and training you can use to arm those team members.
What is Incident Response?
We’re not Wikipedia or Webster’s, so if you’re looking for a dictionary definition, this isn’t the right place. But if a five-year-old asked us, we might just say that IR is sort of like a fire drill for the IT guy. When the worst-case scenario becomes reality, it’s essential to have the right plan in place, the right people on the job, and the right tools and training to remain vigilant. And that’s what reading this guide can do for you.
6 Key Phases
According to SANS, there are six key phases of an Incident Response Plan:
Preparing users and IT to handle potential incidents in case they happen (and let’s face it, we know they will)
Finding and eliminating the root cause (removing affected systems from production)
Figuring out what we mean by a “security incident” (which events can we ignore vs. which we must act on right now?)
Permitting affected systems back into the production environment (and watching them closely)
Do I Need an Incident Response Plan?
The problem with plans is that they are designed to sit on the shelf until the day when the proverbial oxygen masks drop from the ceiling. Otherwise, they just gather dust except for the occasional auditor visits or executive reviews.
In this guide, we take the active approach because we know that the investment of time and resources spent enhancing incident response will have immediate and ongoing benefits to IT operations. After all, security is a subset of reliability – and everyone wants their systems to be more reliable.
We will walk you through building a basic IR plan and security monitoring process, covering skills to acquire and helpful resources along the way.
What Exactly is an Insider’s Guide to Incident Response?
Being an insider means that you can see both sides of it. You’ve been there, you’ve done that. Just because you’re an insider doesn’t mean you’re a threat. On the contrary, you’re an insider who understands the threat. And that's the best kind.
We’ve collected the best security stories and guidance from an army of insiders, and basically, that’s what the insider’s guide gives you.
Words of Wisdom from Insiders
"There are many levels of success in defensive work… the common wisdom is that the attacker only has to be right once, but the defender has to be right every time, but that’s not always true. Attacks are not all-or-nothing affairs - they happen over time, with multiple stages before final success. To remain undetected against an attentive defender, it is the attacker who must make every move correctly; if an astute defender detects them even once, they have the possibility to locate and stop the whole attack. You aren't going to immediately detect everything that happens during an attack - but as long as you detect (and correctly identify) enough of an attack to stop it in its tracks, that’s success."
"Execution is key - the range of ways to attack a target can seem limitless - expecting to be an expert on all of them is pointlessly unrealistic. The most important part of incident response is to handle every situation in a way that limits damage, and reduces recovery time and costs. At the end of the day, that’s how you’ll be measured on a job well done… not that you’ve covered every angle of every potential vulnerability."
Attackers are Lazy
"Attackers have technical and economic imperatives to use the minimum amount of effort and resources to breach their targets - the more you remove the low-hanging fruit on your network, the more you raise the actual level of work an attacker has to expend to successfully infiltrate it."