Make the right incident-response decision using Active Response software

Incident response involves managing and recovering from a cyberattack using a structured plan. According to "Incident Management 101 Preparation and Initial Response (aka Identification)", SANS Institute. (Published Jan, 2005, Accessed Oct 2024), by Robin Dickerson—a six-step plan includes preparation, identification, containment, eradication, recovery, and lessons learned. Preparation involves creating policies and training a response team. Identification is detecting the breach, while containment prevents further damage. Eradication neutralizes the threat, and recovery restores systems. The lessons learned step involves reviewing and improving procedures.

Alternatively, incident response can follow the OODA Loop: Observe (monitoring for unusual behavior), Orient (investigating and gaining context), Decide (choosing a strategy), and Act (remediation and recovery). Key tools include intrusion detection systems, vulnerability scanners, and security awareness training.An effective incident response strategy minimizes damage and improves future responses.

An effective incident response plan is crucial for handling and recovering from cyberattacks. One essential part is enabling active responses to abnormal activities and attacks. Following the SANS Institute’s six-step process or the OODA Loop, active responses are critical during containment, eradication, and action stages.

As part of your effective incident response management and plan, you may need to:

• Disable an agent’s access to the network
• Block specific IP addresses
• Restart machines or Windows services
• Delete user accounts and user groups from agents
• Disconnect USB devices from agents
• Enable and disable domain and local user accounts
• Escalate potential issues
• Kill processes by ID or name
• Log off users
• Reset user account passwords
• Send email messages to specific recipients
• And more

Consider investing in software with Security Information Management (SIM), Security Event Management (SEM), or Security Information and Event Management (SIEM) capabilities. An incident response tool will not only collect valuable information from your devices’ event logs but can also perform actions like those listed above to automatically block cybersecurity threats.

Cyberattacks are increasing in scale and frequency, making it more difficult for organizations to defend themselves and their data. Creating procedures and training your organization’s members to react to attacks are essential, but the work doesn’t end there. You’ll also have to locate and neutralize threats before returning everything to working order and reviewing your team’s choices.

Simple changes can wreak havoc on your systems and lead to severe problems, making fast incident response a top priority for any organization. However, manually monitoring and responding to various changes, such as escalated user privileges, can be tedious and time-consuming.

Powerful incident response tools like SolarWinds^® Security Event Manager (SEM) simplify the monitoring process and enable you to respond quickly to incidents. SEM is built to give you a better idea of what’s happening on your network and can automatically take action to help protect your system when certain predefined events occur.Using such tools as part of your incident response strategy can optimize your organization’s ability to detect, combat, and recover from an attack quickly and effectively.

Cyber incident response software simplifies data collection, standardization, and cataloging across your network. This falls under the Observe section of the OODA Loop or the identification stage of the SANS Institute’s six-step plan, enhancing visibility and accelerating intrusion detection to stop threats.In addition to collecting and analyzing data, acting on the information is essential. Most security incident response tools offer real-time log analysis and can automatically notify you if any events pass predefined thresholds. Security incident response tools can automatically perform several actions in response to abnormalities, and can automatically block IP addresses, restart servers, log users off, and disable an agent’s  network access. If you need a way to protect all your sites from an attack that doesn’t involve configuring multiple block IP actions for each site, incident response software can also do this.

The general steps of incident response management are as follows:

1. Detect the Incident: Use monitoring and alerting tools to identify incidents, integrating various sources for a cohesive response.
2. Set Up Communication Channels: Establish dedicated channels for team communication, such as Slack or video conferencing.
3. Assess Impact and Severity: Evaluate the incident's impact and assign a severity level to guide response actions and communications.
4. Communicate with Customers: Quickly and accurately inform stakeholders and customers to build trust.
5. Escalate to Responders: Page additional responders and provide full context for coordinated resolution.
6. Delegate Roles: Assign specific roles based on an incident response playbook.

Resolve the Incident: Once the impact is mitigated, end the emergency response and proceed with cleanup and post-mortem analysis.

SolarWinds^® Security Event Manager (SEM) offers robust incident response capabilities, including real-time data collection, display, alerting, and active responses. SEM helps meet security and compliance requirements with out-of-the-box connectors and compliance reporting templates.

SEM allows the configuration of active responses to combat attacks and suspicious activities. For instance, it can notify you of unauthorized access attempts, block IP addresses, disable networking, and shut down machines. You can customize notifications to prioritize critical alerts.

To configure responses, use the SEM Console to select or create rules, define conditions, and set response actions. SEM streamlines incident response automation, enhancing network protection.

Steps to configure SEM:

1. Rules Setup: Select Rules in the SEM Console. Edit or create a new rule, then add conditions and actions.
2. Custom Actions: Define and add action triggers, set response conditions, and save the rule.
3. Testing: Use test mode for new rules to ensure they work as expected.

Other SolarWinds tools to help secure IT environments:

• SolarWinds Patch Manager
• SolarWinds Access Right Manager
• SolarWinds Identity Monitor
• SolarWinds Server Configuration Monitor
• SolarWinds Observability Self-Hosted & Security Observability

Related features:

• Network Security Monitoring Software
• Cyber Threat Analysis Tool
• APT Security Software (Advanced Persistent Threat Defense)
• USB Security Software
• Advanced Endpoint DLP