6 techniques for better incident response
The ITIL definition of an incident is “an unplanned interruption to or a reduction in quality of an IT Service or unavailability of the service”. An incident could be caused by an asset that is not functioning properly or a network failure, or a human error. Here are some examples of incidents—issues with the printer, Wi-Fi connectivity, application locks, email service, laptop, file sharing with unauthorized recipients, authentication errors, security breaches, cyberattacks, and more. Incident response or IR is the systematic approach that assists IT & Security teams, to plan better for such incidents.
If conducted smoothly, the incident response process ensures that there is minimal to no downtime. The end goal is to ensure that the impact/damage on business is minimized and that normal operations are restored within SLA. Security-related incidents can be particularly harmful as they can cause the destruction of data, violations of confidentiality, reduced productivity, and ultimately, massive losses in finances and reputation.
An organized incident response process can go a long way in saving costs and minimizing/eliminating the impact on business teams. No organization can hold the fort against all kinds of incidents and breaches of security, especially in today’s hybrid/remote workplace environment. So, incident response can be instrumental in making sure that operations are restored back to normal quickly.
Now that you are convinced about the importance of an incident response process, here are some best practices/tips that can help you create one. However, bear in mind that every organization’s requirements are different from one another. These are just some general suggestions for making incident response a hassle-free and seamless process.
1. Prepare beforehand: Having a strategy and plan of action is one of the most essential parts of the incident response process. This preparation includes procuring the hardware and software required for the incident response process as well as assigning a team whose roles and responsibilities are clear. Additionally, invest in proper training, table top simulation, drills, and communication as the incident response team and the rest of the organization should always be that they’re best prepared.
2. Report issues on time to minimize impact: Encourage your end-users, whether employees or customers, to report an issue as soon as it is suspected. This ensures rapid response and minimal impact. To make reporting and handling easy ensure you have a 24*7 security incident reporting SPOC available and/or a dedicated incident reporting DL eg- security@company.com or incident@company.com , and having multiple communication channels in place helps too. The incident response plan should consider having a multichannel support system, which includes self-service portals, email inboxes, chats, phone calls, and collaborative tools like Microsoft Teams, Slack, and more. This contributes to providing an omnichannel experience to the user. Note: During the detection phase, the incident response team should also be aware of the threats to customer data, and the possible presence of viruses and malware in emails. The IR team should also appropriately differentiate between a threat and a false alarm. Additionally, all details should be thoroughly documented to help prevent similar incidents from recurring.
3. Prioritize incidents based on severity: The incident response process also involves conducting an impact analysis and prioritizing the speed of resolving incidents based on their potential impact on the business. Another aspect of this process is that the more confidential the subject and the data, the quicker they need to be resolved. Incidents that require maximum urgency involve the organization’s cybersecurity, particularly in cases of malware. Drawing from a recent example, a botnet called Chaos is targeting and infecting Windows and Linux devices to use them for crypto mining and to launch DDoS attacks. This malware is also capable of infecting all kinds of devices, small or big or home or office devices. Additionally, it was found that this malware can use stolen SSH keys to hijack more devices. Attackers are also capable of establishing a reverse shell, which can enable them to reconnect anytime for further exploitation. Incident response will be particularly useful in resolving these security-related incidents by routing them to the right team and minimizing the impact on business and/or sensitive data.
4. Choose the right service desk/ITSM tool: Having an IT service management tool with in-built incident management features can help manage incidents in your IT ecosystem. With a handy self-service portal, it can make raising a ticket very convenient, especially with modern tools that are designed to be user-friendly. Another key feature that can help the incident response process is the knowledge base. The knowledge base is a rich repository of information that documents the history of incidents so organizations don’t have to reinvent the wheel. Incidents and issues can be resolved even before they are escalated. Explore Freshservice’s incident management features to get clarity on how to improve incident response and incident management processes. You can even claim a free 21-day trial to start your organization’s journey to effective incident response.
5. Conduct feedback and review meetings: During the review phase, it is crucial to have an RCA (Root cause analysis) report documenting the timeline of events, impacted environment, steps taken to mitigate the incident, lessons learned, and stakeholders involved. This will help while conducting post-incident analysis meetings/sessions with the incident response team, the senior management, and all the other stakeholders involved to improve the effectiveness of the current incident response process and develop new strategies. During these sessions, ensure that the root causes of major incidents are thoroughly analyzed, and how such incidents can be prevented. You should also discuss the effectiveness of the team, and strategies to improve the incident response process.
6. Notifications & reports: Another important aspect of incident response and management is maintaining incident reports and ensuring continuous communication with the affected/appropriate parties. These parties could include stakeholders, customers, reporting authorities, etc.
A good incident report includes –
-
- Number of incidents reports, their severity,
- MTTA(mean time to acknowledge), MTTD((mean time to detect), MTTR(Mean time to respond, repair, resolve, recover)
- Problem management metrics and learnings are documented to identify areas that need to be further strengthened and avoid recurring events/incidents.