Have you ever wondered what happens when a security incident occurs? How do they figure out what exactly happened, what data (if any) was compromised, and what the follow-up actions are? An incident response analyst’s job is to address all of these issues.
What are cybersecurity incidents?
A cybersecurity incident is a general term that includes security breaches, insider threats, policy violations, external attacks, or a combination of these. They can be either inadvertent or intentional. Either way, proper security incident management needs to be in place. Cybersecurity management is the process of identifying, managing, recording, and analyzing security threats or incidents in real-time.
What is the role of an incident response analyst?
An Incident Response Analyst’s job is to actively monitor systems and networks for intrusions. They identify security flaws and vulnerabilities, perform security audits, risk analyses, network forensics, and penetration tests. They also perform malware analysis and reverse engineering.
- First Evaluation: Evaluation of scope and impact of an incident in the business and the need to be escalated. This is used to determine the next actions to be taken.
- Response Plan: Annotates the steps taken to reach incident milestones to frame a technical timeline, make sure it is accounted for when service has been restored.
- Notifications Management: Notify as needed to technical support, management, and critical incident management. Conference with technical teams to gather and begin working towards a resolution.
- Coordinate with response: Oversee activities of technical and business teams in response to and for the resolution of client-impacting issues and related incidents and problem management action plans within appropriate timescales.
- Understand the need for Analysis: Assess and determine if formal root cause analysis is needed. Collaborate with the technical team to determine the cause of an incident and create an incident report within the timeframe.
- Coordinate with Network Defenders: Provides technical feedback, including changes to IT infrastructure and root cause analysis documentation in line with contractual obligations.
- Understand Business Challenges: Ensures all activities are appropriately planned, authorized, and executed while following standard processes and procedures. Ensures that third-party processes align with their contractual requirements and obligations to clients.
- Client Management: Coordinates vendor/supplier management support by administering regular governance meetings following supplier contracts and internal processes.
- Optimizing Incident Response Process: Executes continual service improvement processes by analyzing key data points internally and creating recommendation options to enhance existing process and service in line with enterprise policy.
Another important role of an incident response analyst is crafting the incident response plan. The incident response plan is a crucial part of any security program. It helps establish and test strategies put in place in the event of a cyber incident to ensure minimal impact. The demand for incident response analysts has been steadily increasing due to the potential vulnerability that cloud services introduce to a system. Because of the world’s increased device usage and storage needs, cloud services are a huge part of how our data is managed. This, unfortunately, increases the threat surface, which invites more computer security incidents, making effective incident response plans mandatory for most organizations.
Drafting an effective incident response plan
When implementing good incident management, you need to be sure to cover all of your bases in terms of prevention, detection, eradication, and recovery. Following the NIST SP 800-61 is a good foundation and the main document that needs to be created is the incident response plan. An incident response plan, or IRP, is a document that outlines what an organization must do in the event of a computer security incident. An IRP also contains a RACI Chart dictating who is responsible for what, who is accountable, who is consulted, and who is informed. Generally, the Computer Emergency Response Team (CERT) is the group that executes the IRP.
But what exactly does the IRP entail? There is a general ruleset that every organization should follow, and then there’s a more in-depth process.
The OODA Loop
The OODA Loop, when broken down, means to Observe, Orient, Decide, and Act. This was created by USAF Colonel John Boyd and can be used by an incident responder to handle live computer security incident handling. The following video gives a brief description:
4 Phases of the Incident Response Life Cycle
According to NIST, the incident response lifecycle, or in other words, the incident response process, comprises four phases: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity.
What is an Incident Response Methodology?
Every organization has a different incident response methodology. A lot of this depends on the past incidents an organization faced. In simple terms, an incident response methodology is a collection of different procedures that helps security professionals identify, analyze, investigate, and respond to possible cyberattacks. The primary objective of this methodology is to reduce incident recovery time and keep its impact under control.
6 Steps in the incident response methodology
The following 6 steps are crucial for a thorough incident response methodology. They cover everything that an incident response analyst should do from preparation and detection to recovery and lessons learned:
This phase is the workhorse of an incident response plan, and in the end, the most crucial phase to protect the business. This is the phase in which the plan is written and tested.
This is the process where the incident response analyst determines whether the organization has been breached.
Contain the breach so it doesn’t spread and cause further damage to the business. If possible, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever.
Once contained, the incident response analyst must find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.
This is the process of restoring and returning affected systems and devices into the business environment. During this time, it’s important to get all systems and business operations up and running without the fear of another breach.
6. Lessons Learned
Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what was learned from the data breach by analyzing and documenting everything about the breach. Finally, determine what worked well in the response plan and where there were some holes. Lessons learned from both mock and real events help strengthen systems against future attacks.
How to Become a Certified Incident Handler
“Organizations are looking for professional incident handlers and response personnel who can prepare security policies and plans to tackle incidents with efficacy in time-constrained scenarios in order to reduce the impact of incidents.” -Jay Bavisi, President of EC-Council Group.
Becoming an EC-Council Certified Incident Handler (ECIH) will accomplish just that. The ECIH will teach you the most current techniques in handling attacks; whether it’s as small as a single computer or across an entire network, you will be prepared to stop the attack and prevent future ones. Not only that, but candidates with proper incident response training are more equipped to understand the importance of a timely response and business continuity.