Five tips for creating a practical Incident Response plan

As cyber attackers become more advanced, utilising a diverse range of tools in their hacking arsenal, more organisations than ever before are falling victim.

Research from consulting firm PwC found that cyber crime will affect more than half of British firms over the next two years. While security professionals work tirelessly to stop every breach, the reality is that a novel hacking technique, an extremely persistent attacker, a system misconfiguration or just good timing will stack the odds against them.

Whilst this might seem like a bleak observation, organisations are far from powerless. With a well-thought-out incident response (IR) plan, businesses can limit the damage done by hackers and recover with minimal financial impact or loss of company data.

Many organisations have already begun to realise this. However, they have struggled to find the appropriate information and understand the scope required to build an effective IR plan that works well for their organisation. For companies that do manage to put an IR plan in place, most are underdeveloped and underfunded, and as a result fall short when an incident actually takes place.

Anton Chuvakin, VP research at Gartner sums this point up nicely: “This advice — to create an IR plan, now nearly a quarter of a century old — is certainly not heeded by all organisations; organisations continue to struggle with the right amount of information and the right scope of their incident response plans. […] Furthermore, the ‘aha’ moment for many organisations is in drawing the line between ‘doing the planning’ and ‘having a plan.’”*

Regardless of the size of an organisation, having a comprehensive approach to incident response is essential if the company wishes to survive the attack and reduce the impact and cost of recovery. Most importantly, the IR plan should be practical enough for the organisation to act rapidly and effectively in the event of a compromise.

When designing an incident response plan, organisations should start with the following five tips:

  1. Be simple but accurate: The IR plan should be clear, simple and guide the incident response team to make a rapid and detailed determination of the who, what, when, where, why and how. In the heat of the moment, mistakes can be made, even with breach simulations and the most talented incident response team. The first part of a good incident response plan will focus on answering these six critical questions, thereby limiting any emotionally driven actions and allowing for a quick and effective remediation. The plan should also provide accurate guidance so that the organisation can determine the systems and data under attack and take actions to preserve critical assets.
  2. Assign detailed roles and responsibilities: Clearly lay out the roles and responsibilities of all the stakeholders. Every single employee in an organisation must have a clear idea of how to respond in the event of an incident, and appropriate actions must be carried out to mitigate the impact and prevent loss of sensitive data.
  3. Bring together technical and non-technical teams: The plan should not be confined just to the IT or security department. The IR plan is effective only if both the technical and non-technical teams – including the Legal, Compliance, Human Resources and Public Affairs departments – are committed and take part in the execution of the IR plan. Take time to develop relationships and build a rapport with internal and external stakeholders, who may be able to help the organisation respond to a serious incident.
  4. Provide a classification framework: Create an incident classification framework so that you can properly prioritise the incident response activities. Classification will also help you derive meaningful metrics such as type, severity, attack vector, impact, and root cause for future remediation purposes. Many different attack techniques target different weaknesses, so it is important to pinpoint exactly what caused the incident.
  5. Understand the key priorities of the organisation: Lastly, the IR plan should align with your organisational priorities. Determine what matters most for your organisation, and weave those priorities into your IR activities. For example, if a hospital’s life-saving medical devices are under attack, ensuring patients’ safety is evidently the top priority. If you are a manufacturer and your manufacturing process is interrupted, then restoring operations is the top priority.
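Tips 4 and 5 together describe a classification framework whose ranking reflects what the organisation values most. The following is an added example (not code from the article or its author) of one minimal way to encode that: each incident carries the type, severity, attack vector, impact and root cause fields named above, priority is severity weighted by an asset-priority table the organisation defines (here a hospital-style table, an assumption), and the same records roll up into metrics. The incidents and the table are constructed sample data.

```python
"""Added example: incident classification with priority derived from
organisational asset priorities, plus metrics roll-up by any field.
All incident records and the ASSET_PRIORITY table are constructed."""
from collections import Counter
from dataclasses import dataclass

# Tip 5: the business decides the ranking. A hospital puts patient-safety
# devices first; a manufacturer would rank production systems first (assumption).
ASSET_PRIORITY = {"medical-device": 3, "ehr": 2, "workstation": 1, "website": 1}
SEVERITY = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Incident:
    ident: str          # ticket id (constructed)
    inc_type: str       # e.g. malware, phishing, misconfiguration
    severity: str       # low / medium / high
    attack_vector: str  # how the attacker got in
    impact: str         # what was affected
    root_cause: str     # filled in during or after the investigation
    asset_class: str    # key into ASSET_PRIORITY


def priority_score(inc: Incident) -> int:
    """Severity weighted by how much the organisation cares about the asset."""
    return SEVERITY[inc.severity] * ASSET_PRIORITY.get(inc.asset_class, 1)


def prioritise(incidents: list[Incident]) -> list[str]:
    """Incident ids in the order the IR team should work them (stable on ties)."""
    return [i.ident for i in sorted(incidents, key=priority_score, reverse=True)]


def metrics(incidents: list[Incident], field: str) -> dict[str, int]:
    """Count incidents by one classification field (type, vector, root cause...)."""
    return dict(Counter(getattr(i, field) for i in incidents))


SAMPLE = [  # constructed sample incidents
    Incident("INC-1", "malware", "medium", "phishing email", "1 workstation", "user clicked link", "workstation"),
    Incident("INC-2", "ransomware", "high", "exposed RDP", "infusion pumps offline", "no MFA on remote access", "medical-device"),
    Incident("INC-3", "defacement", "high", "unpatched CMS", "public site altered", "missing patch", "website"),
    Incident("INC-4", "data exposure", "low", "misconfiguration", "EHR backup readable", "open storage bucket", "ehr"),
]

if __name__ == "__main__":
    print(prioritise(SAMPLE))            # medical-device ransomware first
    print(metrics(SAMPLE, "root_cause"))  # input for future remediation work
```

Note that INC-3 is also "high" severity but ranks below INC-2 purely because of the asset table; swapping in a manufacturer's table changes the order without touching the incident records.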

A word on the IR team

To properly prepare for and address incidents, a centralised incident response team should be formed. This team is responsible for analysing security breaches and taking any necessary responsive measures. At its core, an IR team should consist of: 

  • Incident Response Manager: The IR manager oversees and prioritises actions during the detection, analysis, and containment of an incident. They are also responsible for conveying the special requirements of high severity incidents to the rest of the company.
  • Analysts: The IR manager is supported by a team of security analysts that work directly with the affected network to research the time, location, and details of an incident. There are two types of analysts:
    • Triage Analysts: Filter out false positives and watch for potential intrusions.
    • Forensic Analysts: Recover key artefacts and maintain integrity of evidence to ensure a forensically sound investigation.
  • Threat Researchers: These researchers complement security analysts by providing threat intelligence and context around an incident. They are constantly combing the Internet and identifying intelligence that may have been reported externally. Combining this information with company records of previous incidents, they build and maintain a database of internal intelligence.

Although they are key players in the event of a cyber attack, the incident response team should not be exclusively responsible for addressing all security threats. All business representatives and employees must fully understand and advocate the incident response plan, in order to ensure that emergency procedures run smoothly. 

Collaboration and communication are key

Designing an effective IR plan needs to be a collaborative process. Creating a dialogue between different departments, teams and staff at all levels within the organisation will provide the most complete picture of what is vital.

After all, understanding exactly what the crown jewels are is the first step in ensuring that they are protected.

Tim Bandos, Director of Cybersecurity at Digital Guardian
