Like any other emergency situation, security incidents require swift, coordinated action. But operating in a systematic manner when your company’s reputation and revenue are on the line takes a lot of planning. Developing an incident response plan—before an incident occurs—is critical to be able to respond to situations quickly and effectively.
What Is an Incident Response Plan?
An incident response plan is a set of procedures that detail what to do when your organization detects a security event. It outlines who is responsible for what, the steps to take to minimize damage, the order in which those steps must be executed, necessary mitigation tools, how to follow up to ensure that such an event does not re-occur, and more.
The more you prepare for disaster before it happens, the better equipped you’ll be to handle it. Regardless of whether your business has five employees and is operating on a shoestring budget or if you’re a CISO at a Fortune 500 company, you need an incident response plan in place.
It can take months to develop a well-crafted incident response plan that covers all the important elements of dealing with a security incident. This requires taking a long, hard look at your systems, people, and previous security failings to build a robust plan that will help you respond at a moment's notice. But keep in mind that the plan shouldn't be tailored too narrowly to one scenario, as you should be able to apply it to most, if not all, situations.
Most of all, it’s imperative that your plan is:
- Repeatable: so it can be implemented without reinventing the wheel each time it’s needed.
- Standardized: so it can be applied to a variety of situations.
- Documented: so there are no unanswered questions, and everyone involved can see exactly what they need to take care of.
Who Should Be on Your Cyber Incident Response Team (CIRT)?
Some people assume that only members of the security department play a role in preparing for and responding to cyber incidents. This is incorrect. While your security team is critical, there are many more people who should be part of your cyber incident response team, including:
- Top management: to approve decisions at the highest level.
- The IT department: to supply system knowledge and carry out containment and recovery actions on affected systems.
- The legal department: for legal counsel, including breach notification obligations and evidence handling.
- Human resources: in cases of insider threats or for any other issues involving employees.
- The communications/PR team: to convey desired messages to both insiders and outsiders.
Each member of the CIRT must be aware of their responsibility during an attack, and it’s a smart idea to conduct practice drills. This will ensure that when the IR plan needs to be enacted, everyone can respond swiftly and precisely to minimize impact and return to business as usual—as quickly as possible.
If you're still on the fence regarding the importance of developing effective incident response processes, consider this: According to IBM and the Ponemon Institute, the longer threats sit unremediated in your network, the more damage they cause. "Quick detection and response are critical to reporting the exact scope of a breach, figuring out what might have been compromised, and complying with regulatory breach notification requirements," says IBM's Limor Kessem. Without proper effort in the planning stage, it will be very difficult to respond to incidents effectively.
Six Incident Response Steps
1. Preparation
Every organization is unique and faces its own set of threats. Look at the attacks you've fallen prey to in the past and those that affect your industry in general. Then decide what your most sensitive resources and assets are, and prioritize them according to importance and what will most likely be at risk. From this research, you can build out your plan. This is also the right time to assign carefully chosen team members to their specific roles, as outlined above.
2. Implementing the Proper Tools and Detection Techniques
To thwart incidents, you need to catch the anomalous activity in the first place. To do this, you must be able to detect threats across executing processes, network traffic, and user account behavior, and continuously log these activities for future investigations. Keep those logs on a central system separate from the hosts that generate them, so an attacker who compromises a host cannot erase the record of what happened there. Having the right tools that grant visibility into assets and activities (processes, configurations, network traffic, and user account activity) is a major contribution to the efficiency of the incident response process. Then determine which alerts are false positives and tune them out, so the real incidents that need to be addressed stand out from the noise.
3. Assessment and Triage
In this stage, you need to work quickly to figure out what happened and how—and fill in the gaps as speedily as possible. This is when you consider how the event occurred, how it was discovered, what it’s affecting, and its scope.
4. Containment
Now that you know where the issue is and what systems have been affected, you should quarantine those systems. To do this, disable network access for the affected computers, reset passwords and access credentials, and block accounts that seem suspicious in light of the incident. Prefer isolating a machine from the network over powering it off: shutting it down destroys the volatile memory (running processes, network connections, decrypted data) that forensic analysis may depend on. Make sure you don't delete information that may be useful in forensic investigations, which could help ensure this kind of event does not occur again.
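The following is an added example illustrating steps 2 through 4 above (detection, triage, and containment) in working code; it is not part of the original article and is not Cynet's code. It correlates constructed process, network, and authentication events per host, suppresses two assumed known false positives (a backup service account and an internal scanner), scores what remains, and emits an ordered, dry-run containment plan that preserves evidence before cutting access. The rules, weights, threshold, and sample events are all assumptions chosen for illustration.

```python
"""Mini triage pipeline: correlate telemetry per host, drop known false
positives, score, and produce an ordered containment plan (dry run)."""
import ipaddress
from collections import defaultdict

# Constructed sample telemetry (not real logs). One dict per event.
EVENTS = [
    {"type": "process", "host": "ws-17", "user": "alice", "parent": "winword.exe",
     "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
    {"type": "network", "host": "ws-17", "image": "powershell.exe",
     "dst": "203.0.113.45", "dport": 4444, "bytes": 180_000},
    {"type": "auth", "host": "ws-17", "user": "alice", "src": "203.0.113.45", "result": "fail"},
    {"type": "auth", "host": "ws-17", "user": "alice", "src": "203.0.113.45", "result": "fail"},
    {"type": "auth", "host": "ws-17", "user": "alice", "src": "203.0.113.45", "result": "fail"},
    {"type": "auth", "host": "ws-17", "user": "alice", "src": "203.0.113.45", "result": "success"},
    # A single weak signal on another host: worth a look, not an incident on its own.
    {"type": "process", "host": "ws-03", "user": "bob", "parent": "excel.exe",
     "image": "cmd.exe", "cmdline": "cmd /c whoami"},
    # Benign noise a naive rule would flag: the backup job and the scanner.
    {"type": "process", "host": "srv-02", "user": "svc_backup", "parent": "services.exe",
     "image": "powershell.exe", "cmdline": "powershell -File backup.ps1"},
    {"type": "network", "host": "srv-02", "image": "powershell.exe",
     "dst": "10.0.0.8", "dport": 445, "bytes": 900_000_000},
    {"type": "auth", "host": "srv-02", "user": "svc_scanner", "src": "10.0.0.9", "result": "fail"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}
INTERNAL = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Assumed known false positives, tuned from earlier triage rounds.
ALLOWED_ACCOUNTS = {"svc_backup"}   # scheduled job legitimately runs powershell
ALLOWED_SOURCES = {"10.0.0.9"}      # internal vulnerability scanner


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def find_findings(events):
    """Apply three detections; return {host: [(rule, detail, weight), ...]}."""
    findings = defaultdict(list)
    fails = defaultdict(int)  # (host, user, src) -> consecutive failed logins
    for e in events:
        h = e["host"]
        if e["type"] == "process":
            if e["user"] in ALLOWED_ACCOUNTS:
                continue
            if e["parent"] in OFFICE_PARENTS and e["image"] in SCRIPT_HOSTS:
                findings[h].append(("office_spawns_script_host", f"{e['parent']} -> {e['image']}", 40))
        elif e["type"] == "network":
            if e["image"] in SCRIPT_HOSTS and not is_internal(e["dst"]) and e["dport"] not in WEB_PORTS:
                findings[h].append(("script_host_external_nonweb", f"{e['dst']}:{e['dport']}", 30))
        elif e["type"] == "auth":
            if e["src"] in ALLOWED_SOURCES:
                continue
            key = (h, e["user"], e["src"])
            if e["result"] == "fail":
                fails[key] += 1
            else:
                if fails[key] >= 3:
                    findings[h].append(("brute_force_then_success", f"{e['user']} from {e['src']}", 50))
                fails[key] = 0
    return findings


def triage(events, threshold=60):
    """Hosts whose combined score reaches the threshold, most severe first."""
    incidents = []
    for host, fs in find_findings(events).items():
        score = sum(w for _, _, w in fs)
        if score >= threshold:
            incidents.append({"host": host, "score": score, "findings": [(r, d) for r, d, _ in fs]})
    return sorted(incidents, key=lambda i: -i["score"])


def containment_plan(incident, events):
    """Ordered dry-run actions: preserve evidence first, then isolate, then cut access."""
    host = incident["host"]
    users = {e["user"] for e in events if e["host"] == host and "user" in e}
    ext = {e["dst"] for e in events
           if e["host"] == host and e["type"] == "network" and not is_internal(e["dst"])}
    plan = [f"capture volatile memory and a disk image of {host} (before any shutdown)",
            f"isolate {host} from the network (EDR quarantine or switch-port ACL); do not power off"]
    plan += [f"block egress to {d} at the perimeter" for d in sorted(ext)]
    plan += [f"disable account {u} and revoke its active sessions and tokens" for u in sorted(users)]
    plan.append(f"rotate every credential that was used on {host}")
    return plan


if __name__ == "__main__":
    for inc in triage(EVENTS):
        print(inc["host"], inc["score"], inc["findings"])
        for step in containment_plan(inc, EVENTS):
            print("  -", step)
```

With the constructed events, only ws-17 crosses the threshold (the three correlated signals add to 120), ws-03 surfaces as a low-score finding for an analyst to review, and srv-02 produces nothing because both of its noisy sources are allowlisted. The plan deliberately puts evidence capture before isolation and never powers the host off.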
5. Recovery
At this point, it's time to return the business to normal operations. Now is when you should start restoring systems back into their environment. This includes restoring systems from backups, replacing compromised files with clean ones, and deploying any missing patches. Confirm that the backups you restore from predate the intrusion, since restoring a backup taken after the attacker gained access simply reinstalls their foothold, and keep the restored systems under close monitoring for a while to catch any return of the attacker.
6. Post-Incident Activity and Preventing Future Attacks
There is always a lesson to be learned from security incidents. At this stage, examine what could have been done to prevent the attack. Take a look at your organization and try to determine what habits need to be improved and which tools need to be tweaked or replaced. Then update your plan with this new understanding. This step should also include hardening your systems against the specific weaknesses that were exploited. Now is the time to fix flaws, train employees to avoid future threats, and invest in better tools, if need be.
Bonus Step: Wash, Rinse, and Repeat
As we mentioned above, there’s no point in investing your time and effort into creating an IR plan if it doesn’t work when it’s needed. Make sure you test your plan with drills to identify any incident response steps that need to be improved or clarified.
Cynet 360 is the world's fastest IR tool. It helps CIRT members respond to and remediate attacks at a moment's notice. Its automated threat discovery, along with the widest set of remediation actions available, can remove any type of threat and grant visibility into any host, file, or process. Cynet 360's granular forensics tools help organizations conduct the investigations that are critical to the IR process. It's the end-to-end tool that organizations need to build out their comprehensive IR plan.
Having a comprehensive incident response plan in place doesn’t make a security event less troubling, but it does mean that when events occur, you and your team will be able to respond with minimal confusion. While the idea of putting in the time and effort that’s required to develop an IR plan may seem daunting, if you fail to plan your response to cyber incidents, you are planning to fail. By following the incident response steps outlined in this article, you and your CIRT will be fully prepared if/when events do occur.