At Bridewell, our accredited incident response specialists are available 24/7 to rapidly detect, contain and prevent cyber threats targeting your organisation.
What is Incident Response?
Incident response is the process that organisations follow to efficiently protect against cyber security threats.
This process is managed by an incident response team – either in-house or external – who identify, investigate and contain potential attacks, as well as working to minimise the risk of recurrence.
Why is Incident Response Important?
Research suggests 95% of UK Critical National Infrastructure (CNI) organisations experienced a data breach in the past year, with the average cost of a breach in the UK standing at £3.4 million.
Without a formal incident response plan, the impact of an attack could have severe implications for your company.
An efficient incident response, with early detection and immediate action, is key to preventing attacks and limiting financial loss.
Effective incident response maintains the overall wellbeing of an organisation by:
- Protecting sensitive data
- Avoiding costly damage to cyber security infrastructures
- Minimising disruption to daily business operations
- Safeguarding your reputation amongst clients and shareholders
Common Types of Incidents
While incidents often fall under the umbrella term ‘cyber attacks’, there are numerous types of these attacks, each with varying aims and implications.
Each incident therefore requires a different response plan:
Ransomware | Phishing and social engineering | DDoS attacks
---|---|---
Bad actors commonly use a type of malware known as ransomware to encrypt files and block access to your company’s computer systems or data. In exchange for restoring access, attackers demand a ransom payment. Ransomware is one of the most common and financially damaging types of cyber attack. | Malicious actors use phishing and social engineering as manipulation tactics to trick individuals into handing over sensitive information. Social engineering refers to a broader spectrum of deceptive tactics, while phishing specifically involves using communication channels, such as fake or deceiving texts and emails, to steal data. | Distributed Denial of Service (DDoS) attacks occur when cyber criminals flood an organisation’s network with excessive traffic. This overwhelms and disrupts systems, causing them to slow down or crash, and makes services unavailable to legitimate users.

Supply chain attacks | Insider threats | Privilege escalation attacks
---|---|---
Supply chain attacks occur when bad actors exploit vulnerabilities within the systems of an organisation’s providers or suppliers, rather than attacking the organisation directly. This weakens the target company’s supply chain and network, allowing attackers to infiltrate their systems, often undetected. This type of incident can have a widespread impact, affecting numerous companies at once. | Insider threats refer to incidents that originate internally, involving individuals with approved access to a company’s systems, networks and data. An insider threat incident can be accidental, due to human error, or malicious, with intent to harm the company. | Privilege escalation attacks occur when a hacker gains initial access to an organisation’s system and leverages this position to gradually increase their level of access, eventually obtaining system-wide control. This allows the attackers to steal data or install malware.
What are the Five Stages of Incident Response?
The five stages of incident response, also known as the incident response cycle, are the chronological steps an organisation will typically follow to ensure an incident is fully investigated and prevented, mitigated or eliminated:
- Preparation
The first stage of incident response occurs before any incident takes place.
It focuses on building a strong foundation by creating policies, procedures and defined roles that outline how the company will respond to potential threats.
This also includes ensuring adequate security tools are in place and conducting regular testing.
- Detection and Analysis
This stage is crucial for spotting any suspicious activity or potential attacks in their early stages, before they can impact the organisation.
This phase determines the cause, impact, authenticity and type of incident, informing the next steps.
- Containment
Once an incident has been detected and analysed, the next step is to contain the spread of the impact of the threat.
This can involve isolating affected systems and networks to prevent further damage to the organisation.
- Eradication
Once the threat has been contained, the focus shifts to eliminating the root cause of the incident and any associated impacts, such as malware or vulnerabilities in the organisation’s systems.
- Recovery
The final phase involves restoring all affected systems and data to their original state and reversing any damage caused by the attack.
What is an Incident Response Plan?
An incident response plan (IRP) is an official documented strategy that guides an organisation through every stage of incident response, from detection to prevention and recovery.
It provides structure and clarity for the process, detailing effective action before, during and after a potential threat.
These crucial documents ensure a quick and effective response when a suspected incident arises. The plan should be regularly reviewed and updated alongside any organisational changes.
How to Create an Incident Response Plan
A strong IRP presents a clear overview of its purpose, strategy and key activities, outlining how the company will efficiently respond to, and prevent, security incidents.
Key features of a credible IRP will include:
- A list of key policies, roles and responsibilities
- A list of incidents and the actions they require
- The state of the company’s cybersecurity and system infrastructure
- The stages of incident response
- Post-incident reviews
- Plan testing and revisions
Incident Response vs DFIR
Incident response and DFIR are related but distinct terms. While incident response centres on taking immediate action against cyber threats, Digital Forensics and Incident Response (DFIR) is a comprehensive approach that encompasses incident response alongside digital analysis.
Digital forensics prioritises delving deeper into the analysis of cyber threats, providing insight into the cause and scope of different variations of incidents.
DFIR is a specific and targeted tool within the broader incident response strategy, which focuses on analysing, tracing and attributing attacks. It is often used to provide a more accurate picture of an attack and to support legal or compliance cases with evidence.
Bridewell’s Incident Response Team
At Bridewell, our incident response service is available 24/7.
Our specialists act quickly to safeguard your organisation’s cybersecurity, reputation and financial stability, with an average incident response time of under one hour.
Working alongside your internal security team, we oversee the whole process from pre-incident preparation to post-incident reviews, identifying, containing and eliminating potential attacks within your infrastructure.
If you’re looking for emergency incident assistance or longer-term security protection, speak to our experienced team to find out more about our other managed security services.
Frequently Asked Questions
What is the role of an incident responder?
An incident responder is a cyber security professional who is the initial and primary point of contact throughout the response to a threat or attack.
The incident responder is responsible for protecting the company’s data by consistently monitoring systems and networks for suspicious activity and taking action to identify potential threats.
What are some core incident response metrics?
Incident response plans should be constantly reviewed and updated to remain as efficient as possible. The best way to do this is to use metrics to evaluate what is working and what isn’t. Some of these key metrics include:
- Mean time to detect (MTTD)
- Mean time to acknowledge (MTTA)
- Mean time to respond (MTTR)
- Time between detection and containment
- Trends of incidents over time
- How accurately the incident response plan is followed
- Associated costs per incident
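As an added example (not part of the original page or of Bridewell's tooling), the following Python computes the metrics listed above from a small set of constructed incident records. The record fields, the convention that MTTR is measured from detection to resolution, and the sample timestamps and costs are all assumptions chosen for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incident records (not real data). Each timestamp marks a
# stage of the incident lifecycle; None means that stage has not happened yet.
INCIDENTS = [
    {"id": "INC-1", "type": "phishing", "occurred": "2024-03-01T08:00:00",
     "detected": "2024-03-01T10:30:00", "acknowledged": "2024-03-01T10:45:00",
     "contained": "2024-03-01T12:00:00", "resolved": "2024-03-02T09:00:00", "cost": 4000},
    {"id": "INC-2", "type": "ransomware", "occurred": "2024-03-10T02:00:00",
     "detected": "2024-03-10T06:00:00", "acknowledged": "2024-03-10T06:20:00",
     "contained": "2024-03-10T09:00:00", "resolved": "2024-03-14T18:00:00", "cost": 120000},
    {"id": "INC-3", "type": "phishing", "occurred": "2024-04-05T14:00:00",
     "detected": "2024-04-05T14:30:00", "acknowledged": "2024-04-05T15:00:00",
     "contained": None, "resolved": None, "cost": 0},
]


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps, or None if either is missing."""
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _mean_hours(incidents, start_key, end_key):
    """Mean interval across incidents, skipping those where the interval is not yet complete."""
    values = [h for h in (_hours(i[start_key], i[end_key]) for i in incidents) if h is not None]
    return round(mean(values), 2) if values else None


def ir_metrics(incidents):
    """Compute the core incident response metrics from a list of incident records."""
    return {
        "mttd_hours": _mean_hours(incidents, "occurred", "detected"),        # mean time to detect
        "mtta_hours": _mean_hours(incidents, "detected", "acknowledged"),    # mean time to acknowledge
        "mttr_hours": _mean_hours(incidents, "detected", "resolved"),        # mean time to respond (assumed: detection to resolution)
        "detect_to_contain_hours": _mean_hours(incidents, "detected", "contained"),
        "incidents_per_month": dict(Counter(i["detected"][:7] for i in incidents)),  # trend over time
        "mean_cost_per_incident": round(mean(i["cost"] for i in incidents), 2),
        "open_incidents": [i["id"] for i in incidents if i["contained"] is None],
    }


if __name__ == "__main__":
    for name, value in ir_metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Open incidents are excluded from the containment and resolution means rather than being counted as zero, so a backlog of uncontained incidents shows up in `open_incidents` instead of flattering the averages.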
What is the future of incident response?
The incident response landscape is rapidly evolving. Emerging technologies like AI are automating time-consuming tasks such as threat detection and response actions, freeing time for professionals to focus on more complex tasks and strategies.
At the same time, cyber criminals are also strengthening their methods and tactics of bypassing security infrastructures and exploiting vulnerabilities.
These developments mean constant reviews and updates of incident response plans are essential in today’s cyber security environment.