Is it Incident Response or Incident Management?

What is the difference and why should we care?

Incident Response (IR) is widely documented as the technical activities and actions taken in response to some negative Cyber activity.

Incident Management, on the other hand, is the less hands-on, but no less important, work carried out above the IR team to coordinate the wider organisational response.

What is an Incident

The UK National Cyber Security Centre (NCSC) defines a cyber security incident as:

  • A breach of a system’s security policy in order to affect its integrity or availability
  • The unauthorised access or attempted access to a system

Cyber incidents can take many forms, such as denial of service, malware, ransomware or phishing attacks.

What is Incident Response

The technical activities which take place during and immediately after an incident are the cyber incident response. These include:

  • Initial triage of the system.
  • System log analysis.
  • Acquiring and analysing system hard drives, looking for Indicators of Compromise (IoCs).
  • Acquiring and analysing system memory (RAM).
  • Network capture and analysis, or examination of network flows.
  • Analysis of authentication logs, systems and controls (Domain Controllers, cloud consoles and other authentication mechanisms).
  • Reviewing the data in consultation with Cyber Threat Intelligence (CTI) from open sources (OSINT).
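Two of the activities above, system log analysis and checking authentication data against CTI indicators, can be illustrated together. The following is an added example, not code from the original post: it parses a handful of constructed sshd authentication lines, matches source addresses against a constructed IoC list (placeholder values standing in for what a CTI feed would supply), and flags sources that logged in successfully after a burst of failures. The log format, the IoC list and the failure threshold are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample authentication log lines (syslog/sshd style); not taken
# from any real system. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
Mar 12 09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 09:00:03 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 09:00:05 host1 sshd[1201]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar 12 09:00:07 host1 sshd[1201]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar 12 09:00:09 host1 sshd[1201]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar 12 09:00:11 host1 sshd[1201]: Accepted password for root from 203.0.113.45 port 51027 ssh2
Mar 12 09:15:42 host1 sshd[1330]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Mar 12 09:20:10 host1 sshd[1402]: Failed password for bob from 198.51.100.9 port 40500 ssh2
Mar 12 09:20:30 host1 sshd[1402]: Accepted password for bob from 198.51.100.9 port 40501 ssh2
"""

# Constructed IoC list standing in for a CTI/OSINT feed (placeholder value).
KNOWN_BAD_IPS = {"203.0.113.45"}

# Assumed sshd line shape: timestamp, host, process, result, method, user, source IP.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Parse sshd authentication lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(events, ioc_ips, failure_threshold=3):
    """Summarise the events for an initial triage.

    Returns the number of events from IoC-listed sources, the sources that
    exceeded the failure threshold, and, for those sources, which accounts
    they subsequently authenticated as (the most urgent finding for IR).
    """
    failures = Counter()
    successes = defaultdict(set)
    ioc_hits = 0
    for e in events:
        if e["ip"] in ioc_ips:
            ioc_hits += 1
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
        else:
            successes[e["ip"]].add(e["user"])
    brute_force = {ip for ip, n in failures.items() if n >= failure_threshold}
    success_after_failures = {
        ip: sorted(users) for ip, users in successes.items() if ip in brute_force
    }
    return {
        "ioc_hits": ioc_hits,
        "brute_force_sources": sorted(brute_force),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    report = triage(parse_auth_log(SAMPLE_LOG), KNOWN_BAD_IPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The output is deliberately a small dictionary rather than a verdict: an IoC match or a burst of failures is a lead for the IR analyst to follow into disk, memory and network evidence, and the combination of a failure burst followed by a success is what should move a host to the top of the triage queue.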

What is Incident Management

Incident Management is the coordination of the organisation's other responses to the incident, sometimes generalised as the non-technical responses. The following are just some of the main IM tasks, and most managers are already equipped to handle them:

  • Working with Legal regarding notifying:
    • Data regulators (for PII, PHI, PCI, Gov data controllers etc.).
    • Law Enforcement.
    • IR support teams to augment the main IR team (or to act as the IR team if none exists).
    • IR companies with bitcoins for sale for urgent ransomware payments.
  • Planning enterprise hardening of corporate networks:
    • Coordinating mass password resets.
    • Coordinating the hardening and patching of existing tech.
    • Monitoring the capacity of admin staff as they surge to support the incident.
  • Working with Corporate Comms on public messages for:
    • Press enquiries.
    • Partner enquiries.
    • Customer enquiries.
    • Investor enquiries.
  • Working with Customer Support:
    • Getting scripts and messaging ready for staff.
    • Ensuring they have enough capacity via calls, chat, email etc.
