With cyberattack frequency hitting new highs, the continued evolution of threat actor tactics, techniques and procedures (TTPs), and the rapid digitization of organizations across industries, it’s become common to say that it’s not a matter of if, but when your client will experience a cyber incident.

Cybersecurity is evolving as well, and the latest iterations include a focus on incident response, which helps organizations prepare for — and properly, swiftly act — when an incident occurs.

Focused on isolation, minimization, cost reduction and business restoration, incident response is a major tool in a cyber defender’s toolkit, and an essential part of any robust cybersecurity architecture. According to IBM’s Cost of a Data Breach Report 2023, organizations with high levels of IR planning and testing save $1.49 million compared to organizations with low levels. MSPs are in a place where they understand IR’s value, with a recent Arctic Wolf survey showing that 91% of MSPs offer, or plan to offer, IR services.

This is massive, as clients rely on MSPs to reduce risk, and IR is an essential part of any comprehensive cybersecurity strategy. But just because MSPs offer IR, it doesn’t mean their clients are taking them up on it. For that reason, and more, it’s important for MSPs — and their clients — to understand what IR is, how it functions, and the role it can play in any organization’s broader security strategy.

IR is commonly needed in instances of a significant data breach, a business email compromise (BEC) attack, a ransomware encryption event, an active threat actor in the environment, a compromised domain controller, and active malware where the root cause can’t be found.

The goal of IR is both to prevent incidents from occurring or becoming data breaches and to minimize the impact an incident has on an organization.
There are multiple components that make up IR, including IR planning, digital forensics, ransom or threat actor negotiation, remediation and restoration, and preventative tooling and solutions such as managed detection and response. These two components of IR often work in a cycle, with one informing the other to continually improve and fine-tune an organization’s security posture in response to current and future threats.

IR planning can also include practical elements such as tabletop exercises and penetration testing. It’s important to note that, from a service standpoint, IR planning is not the same offering as IR, so organizations should be cognizant of their specific needs when looking at a third-party provider.

As an organization’s trusted security advisor, MSPs can play a critical role when it comes to IR planning, helping their clients make sure they’re in the best possible position if an incident occurs. Time is of the essence when a cyberattack is unfolding, so an IR provider will most likely work directly with the client, not their MSP. This means clients need a comprehensive IR plan ready to go.
What is Incident Response?
Cybersecurity incident response is the set of processes and tools used to identify, contain and remediate a cyber incident within an organization’s environment.

IR includes three main components:
- Securing the environment by eliminating the threat actor’s access
- Analyzing the cause and extent of the threat actor’s activities while inside the network
- Restoring the network and wider organization to pre-incident condition
Proactive vs. Reactive IR
It’s important to look at both sides of IR: the part that occurs before an attack, or proactive IR, and what occurs after the attack has been identified, or reactive IR.

- Proactive IR works to prevent and minimize incidents and harden the security environment before an incident occurs. Proactive IR can involve tools, processes like vulnerability management, and tactics like IR planning or obtaining cyber insurance.
- Reactive IR works to remediate an incident and restore operations after an incident has occurred. Reactive IR can include network and endpoint isolation measures, threat actor containment and removal, digital forensics, and the updating of IR plans and security measures post-incident.
What Is Incident Response Planning?
Often, when referring to incident response, one is referring to incident response planning, which is a component of proactive IR and guides an organization’s incident response actions during a cyberattack.

Incident response planning includes:
- The roles and responsibilities of the internal security team
- The tools and technologies that either already exist or are planned to be installed
- Risk transfer measures in place such as an IR retainer or cyber insurance
- Business continuity plans in the case of operational downtime
- A methodology that lays out what steps will be taken if a cyberattack occurs
- Communications plans
- Documentation instructions