All You Need to Know About Incident Response

Logsign, 08.04.2018

Security incidents are increasing with each passing day. Some recent incidents have had a global impact and caused catastrophic damage to organizations. The interlinked and complex information technology infrastructure on which the whole world relies provides ample space and opportunity for incidents to escalate into disasters. An effective and planned response can be the reason a company still exists after an incident occurs.

Incident response is a measured and planned response to any incident that can pose a threat to an organization. It can limit the impact of mishaps and protect the company from going out of business. Measuring the advantages of incident response in the absence of an incident is a difficult task; only during an incident does a carefully planned response bear fruit. The absence of ROI figures lowers the priority of incident response on the decision maker's desk, and the lack of seriousness given to it becomes evident only when an incident occurs and a chaotic response results in further compromises.

The current technological era has brought ease to the business world, but on the other hand it opens the door to security attacks. Businesses are investing in ways to keep their boat from sinking in a volatile sea of threats. Attackers continuously come up with new strategies and techniques to fulfil their evil designs. This situation is changing the mindset and attitude of businesses towards such incidents. Adopting a proactive approach is useful in fighting them. Incidents cannot be completely eradicated; however, their impact can be mitigated by focusing on response capability. Thus, organizations are giving priority to building a strong incident response capability. Collecting and analyzing accurate data on incidents plays a significant role here: based upon incident data, a proper response plan can guard against damage to the business's valuable assets.

An incident response plan is a pre-planned strategy for an organization's employees in case of an event or attack. Such a plan should minimize the risk of damage to valuable assets. Before working on a plan, the following aspects should be taken into account.

  • Every organization has a unique culture, values and working environment that differentiate it from others. Align the strategies in the response plan with the organization's operations.
  • Incorporate all attacks that could be dangerous for the business and devise a strategy against each. Play devil's advocate and think, from the criminal's point of view, of the ways an attack could be carried out.
  • Focus on the valuable assets of the business and jot down all questions pertaining to them, for instance: How can the plan secure organizational assets? What types of risks are associated with each asset? Which assets are critical for the organization?

The above aspects form the baseline of an incident response plan and ensure the effectiveness of its strategies during an event. After laying this foundation, the phases of incident response are as follows.

Preparation:

The critical first phase of an incident response plan is preparation. No strategy can be fruitful without a well-equipped and well-trained workforce. Every organization should prepare for the worst through repeated testing and training (T&T) of its security policies. The role and responsibility of every team should be explicitly defined in order to avoid haphazardness during an attack.

Identification:

Determining that a security policy has been violated is the first step in identification. It starts with a team member observing unusual activity. Once the incident is confirmed, the incident team should gather data by analyzing and reviewing the security tools in order to discover the origin of the incident. The affected area and the level of impact should also be analyzed in this phase.

Containment:

After identification, limit the extent of the incident so that it does not damage other valuable assets. Remove the source of the incident, which may otherwise contaminate other business assets and operations. Determine short-term and long-term containment strategies. Identify alternate systems that can restore business operations with minimal damage.

Eradication:

The eradication phase is the complete elimination of the origin of the attack from the system or network. Improve security tools and strengthen the defence system to eliminate future risks and vulnerabilities. Two important steps in this phase are:

  • Clean up and update the system.
  • Notify all concerned stakeholders.

Recovery:

The recovery phase is the return to normal business operation. Test and monitor the restored systems again and again. Determine a timeline for monitoring the affected area. Identify the tools required to detect similar attacks.

Lessons Learned:

Determine the lessons learned from the incident. Figure out the strengths and weaknesses of the response plan. Update the plan based upon the loopholes found in the previous version, which further strengthens the system against future attacks. Determine what types of training are required.

In order to fight against attackers, an organization should build a strong defence team. The team should analyze and monitor any security violation and take preventive action afterwards. The key members of the team include:

  • Manager: Responsible for delegating tasks during an incident.
  • Analyst: Responsible for figuring out the affected area and analyzing technical security issues.
  • Researchers: Responsible for providing all information regarding the threat and building a database of previous and current incidents.
  • Cross-functional Team: Every employee plays a significant role during an incident. Support from all departments is critical and contributes to effective results and response.

Incident response tools act as safety guards against attackers. Only a well-equipped organization can survive in this volatile world full of nonstop threats. Tools help in the analysis, detection and monitoring of incidents, and they reduce operational downtime when an incident occurs. Organizations are investing huge amounts in powerful tools that protect them from disaster and help in investigating and responding to unusual activity. The paradigm is shifting towards automation: automated tools work 24/7 for early detection of threats and raise an alert at the right time, which further enhances the security of working systems.

It is important for businesses to conduct periodic evaluations to find any loophole in the response plan. Evaluate the incident response plan to further enhance the identification of and response to threats. Perform a gap analysis and map out incident mitigation techniques. Figure out areas of improvement so that mistakes are avoided at the time of a threat. The survival of a business depends on a planned and tested incident response. It should not be limited to the IT department; rather, it must be owned by senior management. Involvement of C-level executives enhances the effectiveness of incident response and fosters cohesiveness during an incident.