Incident response (IR) is the coordinated and methodical approach to prepare for, identify, contain, and recover from a security event. The goal is to quickly respond and mitigate the impact of a suspected cybersecurity breach. Incident response experts prioritize activities quickly and determine the root cause with the goal of understanding the adversary’s actions to help reduce impact, remediate, and stop potential security breaches.
The Phases of Incident Response
Incident response is a key component of every organization's security program. Whether the threat is ransomware, a data breach or a common phishing campaign, attacks are becoming more disruptive and damaging. According to the National Institute of Standards and Technology (NIST), the first phase of incident response is establishing and training an incident response team and acquiring the necessary tools and resources. A comprehensive incident response solution may involve analysis of logs, endpoint data and network traffic, and consists of the following phases.
- Preparation – Preparation is fundamental to the success of an incident response program. Having the appropriate communications, facilities, hardware and software in place is a must to ensure a proper response.
- Detection and Analysis – Different attack vectors may require different strategies for detection and analysis. The signs of an incident and its extent can be determined by reviewing logs, endpoint data and network traffic.
- Containment, Eradication, and Recovery – Containment strategies need to be defined for different kinds of incidents. For example, ransomware needs to be contained quickly before the environment is encrypted, while an insider threat may require a specific containment plan to lock out each potential access vector. In all cases, the evidence must be preserved appropriately, and organizations must be able to quickly eradicate the threat and recover to minimize impact and continue to operate business as usual.
- Post-Incident Activity – One of the most important parts of incident response is to learn from the incident. After a major incident, security measures must be improved to prevent repeat occurrences.
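As an added illustration of the Detection and Analysis and Containment phases above (example code written for this page, not Awake's tooling or NIST's), the script below runs a simple detection rule over a constructed SSH authentication log, scopes which hosts and accounts the flagged source reached after its first successful login, and records a SHA-256 digest of the log so the evidence examined can later be shown to match the evidence collected. The log lines, hostnames, addresses, and the five-failures-in-five-minutes threshold are all assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one external address makes
# repeated failed logins to host-a, succeeds, and then logs in to host-b as well.
SAMPLE_AUTH_LOG = """\
2024-03-01T08:00:01Z host-a sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:03Z host-a sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:05Z host-a sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:07Z host-a sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:09Z host-a sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:11Z host-a sshd: Accepted password for admin from 203.0.113.5
2024-03-01T08:05:00Z host-b sshd: Accepted password for admin from 203.0.113.5
2024-03-01T08:10:00Z host-a sshd: Accepted password for alice from 198.51.100.7
2024-03-01T08:10:05Z host-c sshd: Failed password for bob from 198.51.100.9
"""

# Assumed line format for the constructed log above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_auth_log(text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(minutes=5)):
    """Detection rule: a source that fails at least `threshold` times against one
    host within `window` and then receives an Accepted login from that host."""
    recent_failures = defaultdict(deque)  # (src, host) -> timestamps of failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[(ev["src"], ev["host"])]
        while q and ev["ts"] - q[0] > window:  # forget failures outside the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            findings.append({
                "src": ev["src"], "host": ev["host"], "user": ev["user"],
                "failures": len(q), "first_failure": q[0], "success_at": ev["ts"],
            })
            q.clear()
    return findings


def scope_incident(events, src, since):
    """Scoping step: every (host, account) the suspicious source logged in to
    successfully from the first confirmed compromise onward."""
    touched = {(e["host"], e["user"]) for e in events
               if e["src"] == src and e["result"] == "Accepted" and e["ts"] >= since}
    return sorted(touched)


def preserve_evidence(text):
    """Digest the log before analysis so later reviewers can show that the copy
    examined is the copy that was collected."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def triage(text):
    """Run the three steps on one log and return a report dict."""
    events = parse_auth_log(text)
    findings = detect_bruteforce_success(events)
    report = {"evidence_sha256": preserve_evidence(text), "findings": findings, "scope": {}}
    for f in findings:
        report["scope"][f["src"]] = scope_incident(events, f["src"], f["success_at"])
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_AUTH_LOG), indent=2, default=str))
```

The scope list is what drives containment: on this sample it shows the source reached host-b after the brute-force success on host-a, so isolating host-a alone would leave the second foothold in place. The digest is computed before any parsing so that the preserved artifact is the raw log, not a derived view of it.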
Expert Incident Response Services & Assistance
Awake incident response services are backed by a comprehensive solution based on the Gartner triad of log, endpoint and network analysis, combined with proprietary threat intelligence and purpose-built technologies to detect and remediate the most complex incidents. Our certified professionals know how to:
- Assess the situation and identify the scope
- Gain visibility and restrict breach activity
- Preserve evidence and reduce overall risk
- Contain, secure, and remediate
- Provide expert testimony and support for legal activities
In addition, Awake's incident response teams are experienced at working in complex organizational environments, including incidents involving IoT and unmanaged devices across the enterprise. Awake's responders collectively have decades of experience responding to some of the world's most consequential breaches.