Incident response in the field of information security is a set of measures to detect and stop a cyberattack or a data leak from an organization’s infrastructure, and to clear up any consequences.
The primary goal of incident response is to minimize damage from an incident and to enable the organization to return to normal operations as soon as possible and at the lowest cost. Incident response may be the responsibility of either an internal team of specialists or an external SOC.
Incident response steps
The incident response process comprises six main steps:
- Preparation refers to the development of an incident response plan, which includes the actions employees should take in the event of an information security incident, a list of necessary resources, a list of tools used, and the rights and responsibilities of the response team. The preparation stage also includes training the personnel responsible for incident response. This stage is not tied to a specific incident.
- Identification. The actual incident response begins with the detection of a cyberattack or data leak. At this stage, an alert is received about the incident, and experts assess the threat and collect data about it. In practice, identification is mostly a matter of analyzing logs.
- Containment. The response team takes actions to stop the threat from spreading. These may include isolating affected devices, isolating affected network segments, temporarily disconnecting from the Internet, and so on. One additional goal of this phase is to prevent the destruction of evidence concerning the attack, which will be needed during the investigation.
- Elimination refers to neutralizing the threat, deleting malicious files, changing passwords for affected accounts, recovering lost data, and taking other related actions.
- Return to work means bringing systems affected by the incident back into operation, connecting devices to the network, and testing and monitoring to be sure they are operating correctly.
- Improvement refers to updating the incident response plan based on the lessons learned from the cyberattack.
Incident response activities can be partially or fully automated. Tools such as SIEM (security information and event management), UEBA (user and entity behavior analytics), EDR (endpoint detection and response), and SOAR (security orchestration, automation and response) can help.
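The following is an added example, not part of the original entry, showing how the identification, containment and evidence-preservation steps above can be partially automated. It runs a simple detection rule over constructed SSH-style authentication log lines (a burst of failed logins from one source followed by a success on the same host), derives containment actions, and hashes the exact log lines behind the decision so that the investigation can later prove they were not altered. The log lines, host names, IP addresses, the failure threshold, and the action names (isolate-host, block-source, disable-account, snapshot-host) are all assumptions chosen for illustration; in a real deployment the actions would be handed to an EDR or SOAR platform rather than just returned as strings.

```python
"""Minimal incident-response playbook: identification -> containment -> evidence preservation."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real data): SSH-style authentication events.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host-db01 sshd: Failed password for admin from 203.0.113.45
2024-05-01T10:00:02Z host-db01 sshd: Failed password for admin from 203.0.113.45
2024-05-01T10:00:03Z host-db01 sshd: Failed password for admin from 203.0.113.45
2024-05-01T10:00:04Z host-db01 sshd: Failed password for admin from 203.0.113.45
2024-05-01T10:00:05Z host-db01 sshd: Failed password for admin from 203.0.113.45
2024-05-01T10:00:09Z host-db01 sshd: Accepted password for admin from 203.0.113.45
2024-05-01T10:01:00Z host-web02 sshd: Accepted publickey for deploy from 198.51.100.7
2024-05-01T10:02:00Z host-web02 sshd: Failed password for root from 198.51.100.9
"""

# Assumed log format; adjust the pattern to the real source before use.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)$"
)

FAILURE_THRESHOLD = 5  # assumed: failures from one source before a later success is suspicious


@dataclass
class Incident:
    host: str
    user: str
    source_ip: str
    evidence_lines: list = field(default_factory=list)
    containment_actions: list = field(default_factory=list)
    evidence_digest: str = ""


def parse_events(log_text):
    """Identification, part 1: turn raw log lines into structured events (unparseable lines are skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "raw": line})
    return events


def identify(events):
    """Identification, part 2: flag a successful login preceded by at least
    FAILURE_THRESHOLD failures from the same source IP on the same host."""
    failures = defaultdict(list)  # (host, ip) -> raw failed-login lines seen so far
    incidents = []
    for ev in events:
        key = (ev["host"], ev["ip"])
        if ev["result"] == "Failed":
            failures[key].append(ev["raw"])
        elif len(failures[key]) >= FAILURE_THRESHOLD:
            # Keep the failures plus the success as the evidence for this incident.
            incidents.append(Incident(ev["host"], ev["user"], ev["ip"], failures[key] + [ev["raw"]]))
    return incidents


def contain(incident):
    """Containment: actions that stop the threat from spreading without destroying evidence.
    The action names are hypothetical; a real playbook would dispatch them to EDR/SOAR."""
    incident.containment_actions = [
        f"snapshot-host {incident.host}",       # capture state first so evidence survives cleanup
        f"isolate-host {incident.host}",
        f"block-source {incident.source_ip}",
        f"disable-account {incident.user}",
    ]
    return incident.containment_actions


def preserve_evidence(incident):
    """Hash the exact log lines behind the decision so the investigation can show they are unchanged."""
    blob = "\n".join(incident.evidence_lines).encode()
    incident.evidence_digest = hashlib.sha256(blob).hexdigest()
    return incident.evidence_digest


def run_playbook(log_text):
    """Run identification, then containment and evidence preservation for each incident found."""
    incidents = identify(parse_events(log_text))
    for inc in incidents:
        contain(inc)
        preserve_evidence(inc)
    return incidents


if __name__ == "__main__":
    for inc in run_playbook(SAMPLE_LOG):
        print(f"incident on {inc.host}: {inc.user} from {inc.source_ip}")
        print("  actions:", inc.containment_actions)
        print("  evidence sha256:", inc.evidence_digest)
```

On the sample data the playbook reports one incident on host-db01 (five failed logins for admin from 203.0.113.45 followed by a success) and none for host-web02, whose single failure and unrelated key-based login do not match the rule. The snapshot action is deliberately listed before isolation and cleanup, reflecting the containment goal of preserving evidence for the later investigation.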
The difference between incident response and incident management
The concepts of incident response and incident management (or incident handling) are very similar but not identical.
Incident response generally includes all technical actions aimed at eliminating a threat and resuming work. Incident management is a broader concept that includes communication about an incident inside and outside the company, as well as coordination and planning, among other things. Incident response is often thought of as one part of incident management.