With cyberattack frequency hitting new highs, the continued evolution of threat actor tactics, techniques and procedures (TTPs), and the rapid digitization of organizations across industries, it’s become common to say that it’s not a matter of if, but when your client will experience a cyber incident.
Cybersecurity is evolving as well, and the latest iterations include a focus on incident response, which helps organizations prepare for — and properly, swiftly act — when an incident occurs.
Focused on isolation, minimization, cost reduction and business restoration, incident response is a major tool in a cyber defender’s toolkit, and an essential part of any robust cybersecurity architecture. According to IBM’s Cost of a Data Breach Report 2023, organizations with high levels of IR planning and testing save $1.49 million compared to organizations with low levels. MSPs understand IR’s value, with a recent Arctic Wolf survey showing that 91% of MSPs offer, or plan to offer, IR services.
This is massive, as clients rely on MSPs to reduce risk and IR is an essential part of any comprehensive cybersecurity strategy. But just because MSPs offer IR, it doesn’t mean their clients are taking them up on it.
For that reason, and more, it’s important for MSPs — and their clients — to understand what IR is, how it functions, and the role it can play in any organization’s broader security strategy.
What is Incident Response?
Cybersecurity incident response comprises the processes and tools used to identify, contain and remediate a cyber incident within an organization’s environment.
IR includes three main components:
- Securing an environment by eliminating the threat actor’s access
- Analyzing the cause and extent of the threat actor’s activities while inside the network
- Restoring the network and wider organization to pre-incident condition
IR is commonly needed in instances of a significant data breach, a business email compromise (BEC) attack, a ransomware encryption event, an active threat actor in the environment, a compromised domain controller, and active malware where the root cause can’t be found.
The goal of IR is both to prevent incidents from occurring or becoming data breaches and to minimize the impact an incident has on an organization. There are multiple components that make up IR, including IR planning, digital forensics, ransom or threat actor negotiation, remediation and restoration, and preventative tooling and solutions such as managed detection and response.
Proactive vs. Reactive IR
It’s important to look at both sides of IR, the part that occurs before an attack, or proactive IR, and what occurs after the attack has been identified, or reactive IR.
- Proactive IR works to prevent and minimize incidents and harden the security environment before an incident occurs. Proactive IR can involve tools, processes like vulnerability management, and tactics like IR planning or obtaining cyber insurance.
- Reactive IR works to remediate an incident and restore operations after an incident has occurred. Reactive IR can include network and endpoint isolation measures, threat actor containment and removal, digital forensics, and the updating of IR plans and security measures post-incident.
These two components of IR often work in a cycle, with one informing the other to continually improve and fine-tune an organization’s security posture in response to current and future threats.
What Is Incident Response Planning?
Often, when referring to incident response, one is referring to incident response planning, which is a component of proactive IR and guides an organization’s incident response actions during a cyberattack.
Incident response planning includes:
- The roles and responsibilities of the internal security team
- The tools and technologies that already exist or are planned to be installed
- Risk transfer measures in place such as an IR retainer or cyber insurance
- Business continuity plans in the case of operational downtime
- Methodology that lays out what steps will be taken if a cyber attack occurs
- Communications plans
- Documentation instructions
IR planning can also include practical elements such as tabletop exercises and penetration testing. It’s important to note that, from a service standpoint, IR planning is not the same offering as IR, so organizations should be cognizant of their specific needs when looking at a third-party provider.
As an organization’s trusted security advisor, MSPs can play a critical role when it comes to IR planning, helping their clients make sure they’re in the best possible position if an incident occurs. Time is of the essence when a cyberattack is unfolding. So, an IR provider will most likely work directly with the client, not their MSP. This means clients need a comprehensive IR plan ready to go.
The Role of Incident Response Retainers in Cybersecurity
Another IR-adjacent solution on the marketplace is the IR retainer. This external service provides an organization with pre-paid hours and guaranteed services in case of an incident. IR retainers offer a number of advantages, primarily being able to pre-pay for, and have access to, otherwise unattainable cybersecurity expertise. However, every retainer offering is different, and factors like cost, services, SLAs, and assistance can vary depending on the provider.
For MSPs, having your clients utilize a retainer may be a good choice to both assist with their IR planning and ensure that these organizations — who often lack internal resources and budget — are prepared if an incident occurs.
Why Organizations Need Incident Response
As an MSP, you know that your client relies on you to fill in their cybersecurity gaps — from helping them implement access controls and utilizing monitoring and detection solutions to assisting them with cloud and IoT security. And while these proactive measures are critical to keeping these smaller organizations — who often are short on resources, expertise, and budget — safe, threat actors haven’t slowed down their attempts to access organizations, steal funds, and exfiltrate data.
For example, BEC attacks rose by 29% YoY from 2021 to 2022. According to IBM, 51% of organizations plan to increase their security measures only after an incident, choosing to cross their fingers and hope nothing happens instead of actively preparing for the worst.
These signs point to the value of IR, which can help your clients both prevent and mitigate the damages of an incident, while helping them respond better, recover faster, and prevent future attacks. When you, as an MSP, guide the IR decision and process for your client, you’re leading them toward better security outcomes.