Privacy glossary

Incident response


What is an incident response?

An incident response is a series of actions taken by an organization when experiencing an event like a security breach or cyber attack. The actions taken to respond to the incident include preparation, detection, containment, eradication, and recovery. An incident can be any undesirable network or system activity that compromises computer and network security.

Incident response and network security are closely linked. With network security, an organization’s goal is to prevent incidents. When an attack succeeds despite those efforts, the organization needs an effective incident response to halt the attack, limit the damage, and improve its network security plan for the future. Best practice is to have a formal incident response plan: a set of procedures covering every aspect of the response, from detection to recovery.

What events require an incident response?

An attack that requires an incident response can take many forms, including (but not limited to) a data breach, a ransomware attack, a distributed denial of service (DDoS) attack, malware installed via a phishing lure, or a business email compromise (a form of social engineering in which someone poses as an employee in an email). Incidents can originate outside the organization or from within its own systems. An incident requiring a response may not be an actual attack: it may be an “imminent threat”, such as a new attack scheme or a newly discovered vulnerability in software.

What is an incident response plan?

While it’s possible to address an incident without a formal plan, having a formal incident response plan can result in quicker actions and a more effective outcome. Predetermined teams assigned to specific tasks can respond more efficiently, an important advantage when an organization is actively under attack.

An incident response plan is highly specific to the individual organization, reflecting its network and data, its staffing, and its security priorities and perceived vulnerabilities. In addition to detailing what should be done to contain and remove the threat, an incident response plan should address personnel and their responsibilities, the correct channels for communication, and the tools and permissions the response team will need.

The steps of an incident response

An incident response generally follows these five steps as laid out in the incident response plan, if one exists. The details within each step will vary greatly depending on the organization and the type of threat.

  • Detection and analysis: This step overlaps with network security procedures, specifically the part of the network security plan that monitors activity on the network. When network security monitoring detects a possible incident, assigned personnel can use tools identified in the incident response plan to analyze and determine the extent of the incident.
  • Containment: When an incident is detected and the extent of its effect is assessed, the next step is to minimize damage by containing the incident. Keeping the attack from spreading further through the organization’s network, or outward to associated networks, can involve physically isolating affected devices (such as servers or computers) or network segments. The containment step may also involve backing up the affected system (for later analysis or evidence in possible prosecution) and backing up threatened data.
  • Eradication: Once the threat is contained, actions focus on the thorough removal of the threat, whether that means erasing malware or removing the bad actor from the system. Successful containment gives the response team time for a careful review of systems to make sure all threats have been addressed.
  • Recovery and repair of damage: With the threat eradicated, it’s safe to restore systems and data to full functionality. In the recovery phase, isolated devices and systems are returned to the network, software flaws are patched, and data is restored from backup files.
  • Lessons learned: A post-event review of the incident can lead to adjusting both the incident response plan and the network security plan.

Both during and after an incident, the response team may need to report the event to other parties, including other people within the organization, regulating bodies, law enforcement, and customers. They may also share what happened with interested third parties such as software vendors and ISPs, or even the media. The incident response plan should detail who gets informed and when, and who’s responsible for communication.

What does incident response mean to me?

One of the biggest threats to your personal information stored on someone else’s system is a data breach. An effective incident response can mean the difference between keeping your data secure or it ending up in the hands of bad actors. As users, we can’t influence an organization’s incident response plan—we have to rely on their cybersecurity practices. But we can protect our data on our own personal networks and devices. Using a browser with strong privacy and security protections, such as the Brave browser, can help limit the risk of your data getting into the wrong hands:

  • The Brave browser includes Safe Browsing, which can help prevent data breaches by protecting against malicious websites.
  • Brave’s built-in ad blocker—Brave Shields—can block malicious and deceptive advertising, partly through the use of filter lists. It’s also more secure than browser extensions, which can themselves introduce new security risks.
  • Brave automatically upgrades connections to the more secure HTTPS. Make sure your browser isn’t showing a security warning, and check that the URL begins with “https://” (not “http://”). These signs indicate that your data is encrypted in transit. This isn’t a guarantee that your data is stored encrypted, but it might improve the odds.

Sometimes we can choose to do business with companies with a good record of securing data (or that don’t collect data in the first place, like Brave), and avoid businesses with histories of data breaches. You can also limit the number of places your data is stored, thus reducing the potential for your data to be involved in a breach. Using strong, unique passwords, and multifactor authentication when available, can help protect your data in the event of a breach.

If you receive a notice that your data may have been breached, or see in the news that a breach occurred at a company you do business with, take immediate steps to protect your accounts and data:

  • Change your password on that site immediately, as well as on any other sites where you use the same password. And set strong, unique passwords and PINs going forward.
  • Check the date of the breach, and review the activity of affected accounts on or after that date. Look for unusual activity like a change of address, phone number, or billing details.
  • Note that not all breaches are found quickly—there may be a lag between when your accounts were compromised and when you were notified. So you should periodically repeat this review of account activity, and keep an eye out for future unusual activity by closely checking monthly statements.
  • Keep the data-breach notification letter or email, in case you need proof in the future that your data was compromised.
  • File fraud alerts with major credit bureaus to protect against someone using stolen data to get a loan or credit card in your name.
