What Is Incident Response?
Incident response (IR) is a set of processes and tools used to identify, contain, and remediate cyber attacks, and to restore the organization to pre-incident operations. It is the process of:
- Securing an environment by eliminating the threat actor’s access
- Analyzing the cause and extent of the threat actor’s activities while inside the network
- Restoring the network to its pre-incident condition (including ransom negotiation and payment, if required)
These parts run concurrently; each depends on and informs the others. Incident response also encompasses several specialty skills.
For example, some responders focus on forensic analysis while others specialize in data recovery and system restoration. It is vital that all team members work in unison, collaborating and communicating well throughout the process, to bring the business back online quickly and at minimal cost.
What Is Full-Service Incident Response?
Incident response offerings vary by provider. That is why it is critical to know what constitutes full-service incident response, what Gartner® refers to as Digital Forensics and Incident Response (DFIR).
For a major cyber incident like ransomware or business email compromise (BEC), a full-service incident response provider is needed to restore pre-incident business operations.
The advanced skills and capabilities of these full-service IR providers go beyond containment and threat eradication to include other crucial capabilities such as data and system recovery and forensic analysis. Include an IR firm with these additional capabilities and processes when building your incident response plan.
5 Critical Capabilities for Incident Response Teams
1. Forensic Analysis
The ability to identify the initial point of compromise and the extent of the threat actor's activities while inside the network. Forensic analysis also determines which files were accessed and, equally important, which ones were not. This allows executive and legal teams to make informed decisions about the need for communications and possible breach disclosures.
2. Data and System Recovery
Recovering data from backups is not always trivial. Negotiating with threat actors is always a challenge and, while paying a ransom is not recommended, every situation is different and paying a ransom is ultimately a business decision.
Negotiating with and making payments to threat actors is much more likely to result in a positive outcome (from both a legal compliance and a payment resolution perspective) when handled by an experienced IR firm. Applying decryption keys correctly is also a skill developed over time and needs to be performed carefully; a decryptor should be tested against copies of a few encrypted files before it is run against production systems.
3. Staff Development
Retaining talent is a challenge for IR firms that lack strong leadership and a focus on talent development. Recruiting, training, and retaining incident responders requires a champion who can be both coach and advocate for the team. The leading incident response providers build a strong, stable team with enough depth to handle even the most complicated scenarios.
During a crisis, clear communication between the IR vendor, the internal IR team, and any other service providers the organization uses is vital. Building trust and coordinating activities between technical teams cannot be left to chance. A dedicated Incident Commander at the IR firm is the best way to keep everyone informed and on task.
A good Incident Commander can communicate in the SOC as well as the boardroom, and makes sure everyone is aware of the progress made and the challenges encountered during the response.
What Are The Best Options for Incident Response?
Only the largest organizations can staff their own in-house incident response teams, and even they need to engage outside, independent firms in some cases.
Most businesses rely on external IR vendors when a catastrophe strikes, and they have several options for ensuring the right resources are engaged. The common paths to incident response expertise are as follows.
Managed Detection and Response (MDR)
Most Managed Detection and Response providers offer 24×7 monitoring, detection, and response capabilities aligned with high-frequency, low-severity events, that is, events that occur far more often, and carry far less impact, than the incidents that require full-service incident response.
The top MDR vendors also offer full-service incident response with an escalation path from MDR to IR, usually through an IR retainer.
Incident Response Retainers
Vendors that offer IR services typically also offer IR retainers. There are two types: prepaid retainers and retainers with no upfront cost.
No-Cost IR Retainer
The no-cost IR retainer, also known as a zero-dollar retainer, is an effective way to reduce the impact of a cyber attack: it establishes a path to assistance, the terms of engagement, and a predetermined hourly rate before IR specialists are needed. No-cost retainers may also provide preferred access to the IR team, just as prepaid retainers do.
Cyber insurance carriers will usually approve the use of reputable IR vendors that are not on their pre-approved list. Obtain written confirmation of this from your carrier once a retainer is established and before an incident occurs; it eliminates delays when IR services are needed.
IR costs are usually covered by cyber insurance (less the policy deductible), but review your specific policy and endorsements to determine how much coverage you have.
Prepaid IR Retainer
Organizations that choose prepaid retainers are often looking for preferred access to IR teams, or want to negotiate a lower hourly rate on a large block of hours.
There may or may not be savings compared to a no-cost retainer. If the vendor includes a "use them or lose them" clause, the prepaid hours expire. Such vendors may offer to exchange unused hours for other services, but those services can usually be acquired from other vendors and scheduled on your own timeline rather than by the retainer's expiration date.
Before purchasing a prepaid IR retainer, verify with your insurance carrier that the prepaid hours are covered by your cyber insurance policy. Spoiler alert: they probably are not.
Cyber Insurance Panels
Cyber insurance carriers have pre-approved panels (i.e., lists) of vendors that provide services to their insureds. These services include incident response, corporate communications, and privacy attorneys, among others. When an organization with cyber insurance experiences a cyber attack, the carrier will recommend an IR vendor from the panel.
Cyber insurance may also cover IR services provided by vendors not on the panel. That is why it is highly recommended that an organization notify its insurance broker and carrier of its desire to use a specific IR firm BEFORE it has an incident.
Some carriers are more restrictive: if you incur incident response costs that the carrier has not approved ahead of time, it may deny coverage of those costs. That said, many IR firms with strong relationships in the insurance industry are able to fit right into a carrier's claims processing model.
Does every cyber insurance policy cover the costs of incident response by the IR vendors on its panel? The answer is yes, with some caveats:
- The incident in question must be a covered cause of loss (as in, it must be a security incident, not an employee who dropped their phone in a toilet)
- The policy covers costs only up to the limit of insurance designated on the policy or endorsement for IR services
- The policy covers the costs of indemnifying the insured (that is, returning them to the state they were in prior to the loss), not improvements beyond it
Many organizations have multiple paths to IR experts through a combination of the above sources. Organizations with cyber insurance may identify a trusted IR provider they want to use should they experience a cyber attack.
Companies that adopt Managed Detection and Response from a vendor that also provides IR services may want to establish a one-stop solution for detection and response. And some organizations have all three options available to them.
It is vital to determine who your first call will be when you need help; you don't want to call a meeting at 4:00 in the morning to work out your response plan. Figure that out ahead of time, put the IR vendor's phone number on speed dial, and make sure everyone knows what to do if your organization experiences a cyber attack.