What is incident response?
The main goal of incident response is to determine the root cause of the incident, reconstruct the incident timeline and kill chain mapped to the MITRE ATT&CK® matrix, and provide the affected organization with a proper incident response plan.
Incident response process
The incident response team first needs to perform the following tasks:
- establish the initial attack vector;
- determine "patient zero", the entry point into the organization's IT infrastructure;
- understand how attackers moved through the network;
- learn what tools, tactics, and methods threat actors used;
- explore how adversaries gained a foothold in the network of the attacked organization.
Based on the digital footprints discovered, the incident response team also identifies attackers' tools that may be activated in the future and collects indicators of compromise (IoC) to include in a detailed incident response report. The report contains recommendations on eliminating the incident and preventing similar attacks.
As part of the incident response process, digital forensics research may also be carried out. This allows the incident response team to perform deeper analysis or to recover lost data.
Incident response stages
Incident response is a complex process that requires a multi-step plan, a thorough approach, and well-coordinated teamwork to succeed. Though the incident response plan may vary from one organization to another, it generally includes the same main stages.
1. Incident severity determination
At this stage, a preliminary assessment is conducted to determine the complexity of the incident and the cost of the work. Incident severity depends on the type of attack, the number of compromised nodes, and how distributed the victim's IT infrastructure is.
2. Digital evidence collection
The second stage includes collecting the information related to the incident: data from event or connection logs, memory dumps, information security and SIEM (Security Information and Event Management) systems, etc. In addition, sector-by-sector forensic images of data carriers may be created.
Collection of digital evidence can be carried out in two ways:
- Locally. The incident response team arrives at the crime scene with forensic suitcases and collects the necessary information about the incident on the spot. In this case, prompt action is not always possible, since the affected organization and the incident response provider may be located in different cities or regions.
- Remotely. The affected organization commits to providing the necessary information and data exports from various systems at the request of the incident response team. The incident response provider also advises on the tools and methods for collecting the requested data. For remote incident response, specialists may use EDR (Endpoint Detection and Response) to collect data from endpoints.
3. Collected data analysis and reconciliation with IoC databases
The indicators of compromise found during the first two stages are compared with data from IoC databases. This step helps to determine the details of the incident and to identify new indicators of compromise that can subsequently be blocked by security tools.
4. Malware analysis
At this stage, a brief analysis of the malware detected in connection with the incident is performed. The analysis enables cybersecurity specialists to establish the malware's functionality and to determine additional indicators of compromise, which are needed to search for further hosts infected with this software. It also reveals the addresses of command-and-control servers and the methods used to gain a foothold in the infrastructure.
5. Detection of indicators of compromise and indicators of attack
As a result of the analysis performed, the incident response team detects additional indicators of compromise and indicators of attack (IoA), which are then used to scan the IT infrastructure network. The scan may lead to a repetition of the earlier incident response stages in order to obtain new indicators of compromise.
6. Reconstruction of attackers’ actions
If forensic analysis reveals a sufficient number of digital artifacts to determine the attackers' tactics, techniques, and procedures, as well as the tools and malicious software they use, the incident response team attributes the identified actions to specific cybercriminal groups.
7. Incident response report
At the end of the engagement, the incident response team provides the attacked organization with a report containing exhaustive information on the incident timeline and a list of recommendations for eliminating the incident, preventing similar cybersecurity incidents, and restoring the infrastructure.
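The reconciliation in stage 3 and the derivation of new indicators in stage 5 are, at their core, a matching and ordering problem. The following Python is an added example (not Group-IB's code or tooling) that takes a constructed, defanged IoC feed and constructed EDR/proxy log lines, normalises both, builds the time-ordered list of hits, names the earliest affected host, and promotes the processes that reached known-bad infrastructure to new indicators for the infrastructure scan. All values are hypothetical.

```python
import re
from datetime import datetime

# Constructed IoC feed as a provider might deliver it (defanged; hypothetical values, not real indicators)
IOC_FEED = {"ip": ["203.0.113[.]45"], "domain": ["update-cdn[.]example"], "sha256": ["a" * 64]}

# Constructed EDR/proxy log lines for this example (not real telemetry)
LOG_LINES = [
    "2024-03-01T08:05:00Z host=WS-17 proc=chrome.exe action=dns query=www.example.com",
    "2024-03-01T08:12:03Z host=WS-17 proc=outlook.exe action=write file=invoice.pdf.exe sha256=" + "a" * 64,
    "2024-03-01T08:12:10Z host=WS-17 proc=invoice.pdf.exe action=dns query=UPDATE-CDN.example",
    "2024-03-01T08:12:11Z host=WS-17 proc=invoice.pdf.exe action=connect dst=203.0.113.45:443",
    "2024-03-01T09:40:22Z host=SRV-02 proc=svchost.exe action=connect dst=203.0.113.45:443",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def refang(value):
    """Undo feed defanging ([.] and hxxp) and lower-case so log values compare equal."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()

def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict; values are lower-cased for matching."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    rec.update((k, v.lower()) for k, v in KV_RE.findall(rest))
    return rec

def match_iocs(rec, ioc_db):
    """Return (kind, value) pairs from one record that appear in the IoC database (IPv4 only)."""
    candidates = [("sha256", rec.get("sha256")), ("domain", rec.get("query")),
                  ("ip", rec.get("dst", "").rsplit(":", 1)[0] or None)]
    return [(k, v) for k, v in candidates if v and v in ioc_db[k]]

def reconcile(lines, feed):
    """Stages 3 and 5: time-ordered IoC hits, the earliest affected host, and new indicators."""
    ioc_db = {kind: {refang(v) for v in values} for kind, values in feed.items()}
    timeline = []
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        for kind, value in match_iocs(rec, ioc_db):
            timeline.append((rec["ts"].isoformat(), rec["host"], rec["proc"], kind, value))
    patient_zero = timeline[0][1] if timeline else None
    # Processes that reached a known-bad address or domain become new indicators for the infrastructure scan
    new_iocs = sorted({t[2] for t in timeline if t[3] in ("ip", "domain")})
    return timeline, patient_zero, new_iocs
```

Without the refang step the feed's `203.0.113[.]45` would never match the log's `203.0.113.45`, which is the most common reason a reconciliation silently finds nothing.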
Reasons to address an incident response service provider
If an organization does not have a dedicated in-house team of experienced incident response professionals, engaging a third-party provider is the only way to handle the incident properly.
When employees without incident response expertise try to stop an attack, they make serious mistakes. For instance, by reinstalling operating systems on endpoints, employees erase valuable artifacts and important information. This often leads either to the complete loss of this data or to the need to spend additional time on data recovery, while in incident response every second counts.
Does Group-IB provide incident response services?
Group-IB is one of the leading incident response providers, with the fastest services and recognition from international rating agencies such as Gartner, Forrester, and Aite-Novarica. Our incident response team consists of 80+ experts with knowledge of the latest cybercriminal tactics and years of experience in stopping incidents of varying complexity. Learn more about Group-IB Incident Response services.
