Incident Response 101: Managing IT Security Threats in Six Steps

December 8

These are challenging times for businesses. Never has the enterprise been more vulnerable than it is today. It’s up to IT to not only detect security incidents, but respond in a way that minimizes damage as much as possible. I learned in the most excruciating fashion that some IT teams are better equipped for incident response than others.

A little over a month ago I had a customer contact me to let me know my store site was down. Turns out my business email, which is connected to the same account, was also out of commission. In a panic, I contacted my web hosting provider to see what the problem was this time. They informed me that my account was suspended due to an abuse complaint originating from an IP range associated with the site in question. It made more sense when I was contacted by security firm Phishlabs. They said my site had been targeted by criminals in an elaborate phishing operation. Why me?!

I freaked of course, but was at ease a few hours later. See, my web host told me they had performed a malware scan and removed the suspicious files from my account. Music to my ears, but this nightmare was only just getting started. Long story short, my account was suspended a total of seven times over the next week for identical complaints. That’s an average of one (long) disruption a day – though I was locked out twice in a single day on a few occasions.

It took roughly a week before the threat was finally mitigated. During that time my entire web and email management system was a fragmented mess fraught with untimely downtime. This was after numerous malware scans on their end and me taking all the basic precautionary measures on my end.

That brush with insanity got me thinking: what can IT service providers do to improve their ability to detect and respond to security incidents? I went on a quest for answers and came back with some pretty interesting tidbits. It’s all outlined in six easy to follow steps.


1. Anticipate Security Threats

Preparedness is about making sure IT has all the resources necessary to detect and respond to security incidents. Being ready means you have a team that is specially assembled to handle any security issues that arise. They have the tools to manage incidents internally, but know who to call when the problem requires third-party assistance. Moreover, PR, legal, and customer service agents should be prepared to get messages out to the public for the sake of reputation management.

The payoff: Being prepared means your IT team knows exactly who needs to respond to what, and who to contact when security incidents occur. Preparedness is essential to your ability to respond as quickly as possible.

2. Identify the Threat

The next step is the identification stage. In order to truly get to the crux of the matter, your incident response team must review and document the situation using a predefined identification system. This system should be detailed enough for personnel to classify threats by low, medium, and high levels of severity. From here, leaders in management need to be notified so they can determine what actions must be taken to contain the threat.

The payoff: You can waste valuable time and money responding to false positives, and far more recovering from false negatives that nobody escalated. A documented identification and severity scheme helps strike that balance by ensuring the appropriate parties are notified, at the right level of urgency, when a genuine security threat is detected.

3. Contain the Threat

Containment is where you strive to limit the damage caused by the security incident in question. Whether it’s phishing, malware or a combination of the two, your response team should be working from documented procedures that spell out how they will contain that class of threat. Those procedures should also help decide whether authorities need to be contacted, and whether certain systems and applications (e.g. client websites) should be isolated or taken offline, while preserving the evidence needed for the investigation. Not having access to my web services was beyond inconvenient. However, I understand that it was critical to the investigation process.

The payoff: A well-designed containment strategy leads to better decision making in the middle of an incident. Instead of acting on emotions, you’re following tested procedures that stop the threat from inflicting further damage.

4. Eliminate the Threat

According to my web host, the security threat that paralysed my daily operations was quickly contained and eliminated – they were wrong! Your incident response plan should contain a general set of guidelines for determining the root cause (how the attacker got in and what they left behind, not just the files the scanner flagged) and exactly what steps must be taken to remove it. Eradication needs to be swift, but it also needs to be verified: if the same complaint comes back, the cause was never removed. My case was a painful example of how fumbling in this stage can lead to extended downtime and grumpy customers.
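One concrete way to verify that eradication actually worked, as an added example that is not part of the original post and is not what the author’s web host did: take a baseline manifest of the web root from a known-good state, then diff the live tree against it after every clean-up. A malware scan that deletes flagged files says nothing about reinfection; a baseline diff surfaces every file that was added, altered or removed, which is where the persistence mechanism (a backdoored include, a dropped phishing page) shows up. The directory layout, file contents and the simulated reinfection below are all constructed for the demo.

```python
"""
Added example: file-integrity diff of a web root against a known-good
baseline, used to confirm eradication and catch reinfection.
All paths and contents here are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256 hex digest} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Normalise separators so the manifest is portable across hosts.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline if path in current and baseline[path] != current[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed web root, baseline it, simulate a reinfection, and diff."""
    root = tempfile.mkdtemp(prefix="webroot-")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(data)

    # Known-good state (constructed): what the site looked like before the incident.
    write("index.php", "<?php require 'includes/config.php'; echo 'shop'; ?>\n")
    write("includes/config.php", "<?php $db_host = 'localhost'; ?>\n")
    baseline = hash_tree(root)

    # Simulated reinfection (constructed): a phishing page is dropped into an
    # innocuous-looking directory and a legitimate include is altered to serve it.
    # A scanner that only deletes the dropped page leaves the altered include behind.
    write(
        "images/login/verify.html",
        "<form action='https://example.invalid/' method='post'>fake login</form>\n",
    )
    write(
        "includes/config.php",
        "<?php $db_host = 'localhost'; include 'images/login/verify.html'; ?>\n",
    )
    return diff_manifest(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline is taken from a clean deploy (or from version control) and stored off the compromised host, and the diff is re-run after each clean-up; an empty diff, sustained over time, is the evidence that the threat is gone. A non-empty diff tells you exactly which file to inspect for the reinfection vector.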


The payoff: You can’t afford to let security threats run wild across your network. Full, verified eradication is the only way to reduce your exposure and get on the road to recovery.

5. Recover from the Incident

The stakes are raised another notch in the recovery phase. Now it’s time to get your systems fired up, applications back online, and customers back into their accounts. Like the steps that precede it, this one should consist of a basic set of guidelines that define what actions will be taken to return to full speed, and in what order. Security incidents add new wrinkles to ordinary disaster recovery: you may be required to preserve evidence and notify affected parties under data breach notification laws before or while you restore, and there may be compliance regulations to satisfy, so make sure your incident response team is ready to recover accordingly.

The payoff: If you’ve ever been on the wrong end of a disaster you probably know how hectic the recovery process can be. The efforts you make here can get your infrastructure back to normal without costly mistakes that threaten to keep you down even longer.

6. Reflect and Learn From the Incident

IT staffers and customers usually feel the same following a security breach. Both sides hope this is the last you’ll see of such madness for the foreseeable future. Nothing is guaranteed, but you can’t prevent history from repeating itself if you don’t learn from what burned you in the past. Security breaches should be viewed as lessons that teach your team how to respond to and manage incidents in the future. Get the team together to discuss what happened, and make sure your security documentation is updated to cover how that specific issue is detected, contained and mitigated.

The payoff: This final step is all about the human element, really. Gathering the team provides an opportunity to get valuable employee feedback that can be used to tweak processes and execution. With any luck, your incident response efforts will go even more smoothly next time around.

I’ve seen some pretty scary numbers on IT security threats. One source claimed that success rates for cyber attacks had increased by 144 percent within a four-year window. You might not be able to stop every strike, but with a sound incident response strategy you can contain an attack quickly and significantly reduce the damage it does.