RAPID7 INCIDENT RESPONSE

Embedded, Unlimited. Rapid7 Incident Response.

We think your Managed Detection and Response (MDR) service should actually respond to what's happening in your environment. Expert Incident Response Consultants are embedded directly into your MDR service team, taking your detection and response program completely end-to-end. 

You get simplicity, cost savings, and speed.



Experienced a Breach?

For urgent Incident Response help, call the number for your region below or contact us online.

US IR Hotline: 1-844-RAPID-IR
UK IR Hotline: 0-800-069-8753
Switzerland IR Hotline: 0800-838-238
Australia IR Hotline: 1-800-145-596

Truly End-to-End Detection and Response

We built our MDR service to be unlike any other, providing you with a true Incident Response partner when you need it. That means that for any security incident – minor or major – our MDR team delivers the same level of Incident Response expertise you’d get with an IR Retainer, at no additional cost, and without limits.

Whatever, Whenever, We’ve Got Your Back

Fast, Robust Response

Incident Response relies on multiple sources of telemetry to retrieve forensic artifacts and analyze data. If you are breached, we pivot directly into IR using the technology already deployed in your environment.

Breached? We Got You.

Unlimited Incident Response means there is no cap on hours worked, DFIR Consultant engagement, size of breach, or complexity. If you’re an in-scope MDR customer, you’re covered.

Maintain Business Continuity and Customer Trust

Faster response and round-the-clock investigation reduce the risk to business continuity and customer trust. Your outcomes are our priority.

Incident Response FAQ

  • What is Incident Response?

    When a security team detects a threat, it’s essential that the organization is ready for what comes next. That requires a tightly coordinated incident response plan (IRP): a defined sequence of actions and events, each assigned to a specific stakeholder on a dedicated incident response team. Some businesses have their own in-house team, some outsource their incident response services, and others take a hybrid approach, outsourcing technical analysis but managing the rest of the IRP in-house. Either way, the team should train and plan for these incident response events well before any trouble rears its head.

  • What is an Incident Response plan?

    An incident response plan delineates steps to be taken, and by whom, when a breach or security crisis occurs in an organization. A robust response plan should empower teams to leap into action and mitigate damage as quickly as possible. Emergency responders go through regular training simulations and process checks, so when a situation arises they know how to act almost by muscle memory. Information security teams would be wise to follow their example: When an emergency occurs, you don’t want to waste time figuring out incident response processes and procedures while precious minutes are ticking away. Having a plan in place becomes paramount.

  • What phases does an incident response plan cover?

    1. Incident Notification
    2. Incident Investigation and Analysis
    3. Remediation
    4. Post-Incident Activities

  • What’s in a robust incident response plan?

    There’s a great deal of groundwork that can be done ahead of time to reduce complexity and risk during an emergency. An incident response plan should include:

    • Buy-in from key organizational stakeholders: When a crisis hits, your team needs to know they have the support from key stakeholders to act quickly. Make sure C-level executives and other stakeholders fully buy in to the response plan, give it their support, and empower the incident response team to act quickly and confidently during a crisis.

    • Clearly defined roles, responsibilities, and processes: The last thing your team needs in a crisis is to figure out who owns what and try to track down that person. Every element of incident response, from the technical to the non-technical, should have a named stakeholder attached to it with clear responsibilities outlined. People in these roles should have the expertise to carry out what’s expected of them (this is not the time to test your most junior team members). In addition, each incident response role should know exactly what processes they’re accountable for and what’s expected of them when an incident occurs, from determining the initial scope of the breach all the way to crisis communications. If there’s any ambiguity in the plan about who owns what, it may well be forgotten during a crisis.

    • Technologies and partnerships to enable quick action: When running your incident response drills, make sure you have every tool in the toolbox you need to respond quickly and effectively. You will likely find some areas have large gaps, and others have some wiggle room to improve; where possible, make sure you have the internal technologies and tools available to your teams to do their jobs efficiently, making the most of automation where possible.

    The key here is “quick.” If you don’t have the internal expertise or resources to conduct a quick response, or your toolset isn’t giving you the information as quickly as you need it, then you may want to look into external incident response services to help address these gaps and speed up your incident response times. (Make sure to include this external team in any drills you conduct!)

  • How does the Incident Response Process work?

    • Incident management: Our team provides a single point of contact for the investigation, manages all analysis, threat detection, and communications, and documents all findings.

    • Investigation and analysis: We perform investigation of incident scope, impact, and root cause using InsightIDR, our open-source DFIR tool Velociraptor, your existing log sources, and our years of experience.

    • Communications: Regular and consistent communications ensuring the right people are kept informed of key events at the right time.

    • Remediation and cleanup: Detailed recommendations to get you back to normal, including how to remove all attacker remote access capabilities, restore prioritized business processes and systems, and secure compromised user accounts.

  • Why the Rapid7 DFIR Team?

    The team of Incident Response Consultants at Rapid7 hold many certifications and are at the front line of defense for thousands of customers.

  • What constitutes an in-scope environment?

    The ‘in-scope environment’ refers to the assets (and supporting infrastructure) you have licensed for MDR or MTC. Incidents eligible for incident response are compromises of the customer’s in-scope systems or data, as confirmed or reasonably suspected by Rapid7. Rapid7 will not respond to an incident that occurs in an environment that is not in-scope. All incident response services are provided remotely.

  • What should Incident Response include?

    • High-level incident management and coordination
    • Technical analysis of the incident
    • Incident scoping to determine who or what was affected
    • Crisis communications to make sure information is released in a coordinated and beneficial manner
    • Legal response to determine any implications and prepare any needed response or action
    • Remediation and mitigation recommendations and actions to ensure a smooth recovery

  • What happens after an Incident Response engagement?

    After successfully responding to an incident, it's not time to rest just yet. The incident response team should conduct a post-mortem to learn from the experience—both to fine-tune their incident response program specifically, and also to re-tune their overall security program. What worked, what didn't work, and what could work better or faster? There's no better teacher than experience, so it’ll be important to glean as many lessons as possible from responding to a real incident.

  • What other Incident Response Services does the Rapid7 Incident Response and Professional Services team deliver?

    IR Program Development

    Attackers are constantly evolving. To ensure you’re always prepared, you need a plan, and you need to review it regularly. Our experts will evaluate your environment—from technology and assets to people, processes, and policy—to rate your current capabilities and offer relevant, business-based recommendations to help you meet (and exceed) your IR program goals. Need to build your program from the ground up? We can help with that, too. Our IR Program Development offering can be customized to help build or improve your aptitude in any facet of incident response.

    Compromise Assessment

    From verifying compromise to validating remediation efforts, a Compromise Assessment can confirm your house is clean (or not). By applying threat intelligence and behavioral analytics with innovative hunting techniques, our experts assess your environment to identify malware and evidence of attacker activity and report on misconfigurations, significant risks, and potential vulnerabilities.

    Detection and Response Workshop

    This program puts your detection and response capabilities to the test against a live, simulated attack within your environment. The goal of this workshop is to evaluate how well your unique detection and response capabilities and current IR plan work to ensure your team can recognize and properly respond to an attack. Our experts will help your team understand how current security measures and controls handle the breach while providing coaching to strengthen your approach to incident response. 

    Tabletop Exercises 

    Tabletop exercises simulate threats on-site to evaluate your detection and response capabilities in a controlled environment. We work with you to create and deliver a meaningful scenario, analyze the results, and provide a list of actionable improvements you can apply to your incident response program.

    Breach Response

    Need immediate help with a breach? Call us at 1-844-RAPID-IR (1-844-727-4347). Our incident response team is ready to collaborate closely with your in-house team to investigate incidents, document findings, and recommend the right remediation activities to help ensure attackers are out and can’t find their way back in. Our incident response consultants can collaborate with your critical stakeholders, ensuring various parts of the business are making key considerations throughout the response process.

    Rapid7 Retainer

    An incident response retainer is an easy way to keep IR experts on standby. In the event of a compromise, retainer customers alert the Rapid7 team, who respond within one hour to gather details and discuss planned incident response activities. All technical investigations are done remotely, and are ready to begin as soon as our InsightAgent can be deployed (or access given to detection and response systems). 

    Retainers are available in 40 hour blocks, and in the (hopeful) event they’re not needed for breach response, can be repurposed into a variety of other Rapid7 professional services. Give us a call, and we’ll set you up with a project manager who can help assess which services are right for your organization. We can then connect you with the best consultants to get you started on the path to stronger incident response.

  • What other incident response services are included with Managed Threat Complete?

    Our team helps you build an incident response plan and IR Runbook for engaging with the Rapid7 MTC service.

  • What types of certifications does the Rapid7 DFIR Consultant team hold?

    An abbreviated list includes:

    • CISSP
    • CySA+
    • GASF
    • GCFA
    • GCFE
    • GCIH
    • GSEC
    • SANS Course Contributors
    • Open-Source DFIR Contributors
    • Among many others!