Companies across all sectors realize the importance of using technology to both attract and retain customers. However, with technological integration, new cybersecurity threats are emerging every day, endangering mobile messaging apps, online banking, and basically every industry. Consequently, it’s important that enterprises establish an incident response plan to deal with minor and major security threats. Despite these threats, a 2018 IBM report found that 77 percent of respondents did not have a consistent incident response plan to deploy in the event of a security breach!
Learn about the importance of an incident response plan with our comprehensive guide. Read on to find out more.
What Is An Incident Response Plan?
An incident response plan (IRP) refers to an organized approach to addressing and managing the aftermath of a security breach or cyberattack. The key to an IRP is that it is orderly, systematic, and well thought out. When a breach occurs, a company may go directly into damage control and mayhem might ensue. That is exactly what an IRP combats. IRPs tackle breaches in a way that addresses the problem while saving time and money. An IRP isn’t just a vague, ad hoc idea of what a company would do in the event of an attack; rather, it is a written document with step-by-step instructions on how to proceed and who to contact.
If a company possesses a large IT department, it should designate a specific team, a computer security incident response team (CSIRT), to deal with the issue at all levels. A CSIRT should include not only IT department members but also a public relations representative and C-suite members. A diverse yet cohesive team allows for quick and widespread impact.
The Importance of Incident Response Plans
Breaches cost companies time and money. The longer any vulnerabilities go unresolved, the more extensive the damage to the company. For public companies, each breach affects stock valuation in addition to consumer confidence. The goals of an incident response plan are to:
- Restore operations
- Minimize losses
- Fix vulnerabilities quickly and thoroughly
- Strengthen security to avoid future incidents
IRPs shorten the remediation timetable, which can have a significant impact on company budgets. A 2017 IBM study found that if cyber incidents were contained within 30 days, the cost to the company could decrease by as much as USD 1 million. Moreover, IRPs allow companies to address vulnerabilities before they become a more serious threat. Quick resolutions minimize the damage to a company’s reputation.
Who Should Use An Incident Response Plan?
Incident response plans used to be an optional safeguard. However, with new cybersecurity compliance standards emerging in all industries, IRPs are quickly becoming a required feature of a well-rounded security plan. The Payment Card Industry Data Security Standard (PCI DSS) requires that compliant entities develop an IRP, test it annually, designate an IRP team, and train employees on how to follow the IRP. Similarly, the Health Insurance Portability and Accountability Act (HIPAA) also requires an IRP. Even if standards don’t require your company to implement an IRP, it’s still worth developing an incident response strategy. Every industry, from finance to education, should have some kind of IRP in place.
How to Craft An Incident Response Plan
When developing an IRP, there are several things to keep in mind. First, you will need the support of the C-suite or senior management. Having such support enables you to assemble the best CSIRT. Second, any plan needs to be tested. Without practice, a team will become rusty and likely make mistakes when a real incident occurs. Third, not every attack is the same, so there is no one-size-fits-all plan. An IRP should outline actionable steps but also allow for flexibility. Reviewing the IRP twice a year and adjusting it based on changing threats will help balance flexibility and detail. Lastly, designate a chain of command in the event of a security incident. Know which contacts take precedence, whether they be stakeholders, partners, senior management, etc. Each incident may require different people to be made aware of the situation.
With the above points in mind, the SANS Institute created a six-step IRP process. Companies should incorporate the following points into their IRPs and tailor each step to fit their needs.
- Preparation – Preparation begins with bringing together a CSIRT. Make sure there is team cohesiveness and cooperation. An IRP will only run smoothly if all team members can work together. During this stage, the CSIRT should codify cybersecurity policies in terms of how they relate to the IRP. For example, are there any compliance requirements that would affect the IRP process? Additionally, a risk assessment will help prioritize threats. IRP documentation should include roles, responsibilities, and processes.
- Identification – Without the protocols and tools in place to identify irregular or fraudulent activity, an IRP will do a company little good. If monitoring or penetration testing tools identify a vulnerability or breach, the CSIRT should document the evidence, type, and severity of the attack. The identification step formalizes the who, what, where, how, and when of the attack. Documentation should also include an analysis of why the attack likely occurred. What was the attacker’s goal, and did he/she reach that goal or only complete one phase of an attack?
- Containment – As soon as a breach is identified, the immediate concern is containing it. An IRP should outline procedures for short-term and long-term containment. Short-term containment refers to isolating a system or rerouting traffic through a backup system, whatever it takes to halt the intrusion and restore normal operations. Long-term fixes are designed to rebuild the systems so they no longer have the vulnerability. This often takes significant time due to the design, testing, and bringing-online phases.
- Eradication – Eradication targets the root cause of the breach, whether it be a worm or some other kind of malware. Eradication procedures will vary based on the attack. For example, if authentication was the weakness, a company may consider using 2FA or even 3FA. Or, if it was an OS vulnerability, it should apply a patch. The key is to fix the problem in such a way that it will not be a recurring issue.
- Recovery – During recovery, the CSIRT will bring affected systems or devices back online and determine how long those affected systems will be monitored at a higher level than usual. SANS recommends outlining a timetable for carefully bringing devices/systems back online, how tests will verify functionality, and what tools will be used for monitoring, testing, and validating the systems.
- Lessons Learned – Hindsight is a valuable thing; it allows you to look back and see the mistakes that led to the breach. Experts recommend conducting a review no later than two weeks after the incident (while details are still fresh in the mind). During this phase, documentation should be completed and any areas for improvement in the IRP should be noted.
The Cost of an Incident Response Plan
Beyond the cost of the breach itself, the expense of developing an IRP will vary by business. For small businesses, an IRP will not cost as much as for a large business, simply because the complexity and number of systems in use are different. Companies will also foot the bill for conducting a system audit to map the threat landscape. Again, the cost will vary by business, as the audit may be conducted by an internal team or a third party. Likewise, developing the IRP may be done by an internal team or a third party. Alternatively, a company could save money by having the CSIRT both create and maintain the IRP. Although cybersecurity spending trends show that more companies are investing in risk reduction, having a robust IRP requires funding and should not be sidelined.
Challenges to Developing an IRP
Tools – Sometimes companies focus too much on developing a step-by-step plan of what to do in the event of a breach, but they fail to use tools that will make the process easier. Even if a company has the tools, it may be underutilizing them or using them in the wrong way. To remedy this, keep a list of tools in use, their renewal dates, and any updates that take place. Many companies today are also realizing the value of AI tools. Furthermore, train employees on how to use those tools, and if no one internally understands the tools well, bring in an expert. Although it may cost more at the outset, proper training could make the difference between an unfortunate breach and a detrimental breach.
Team Dynamics and Oversight – As noted above, a CSIRT should have a variety of team members, from network administrators to senior management. The reason for this is that a technical expert may be able to address the vulnerability itself, but he/she may not have experience making business decisions. While it’s important to foster an open team dynamic, it’s equally important to have a chain of command. Designating clear roles and responsibilities is key, along with appointing a strong leader.
Customization – While using IRP templates serves as a good first step, it’s important that companies adopt and adapt templates to their needs. Using a generic IRP is not a good idea because it may over-complicate or under-complicate the process. The more concise the plan the better. Company size and threat priority should influence how an IRP is organized.
Proactive vs Reactive Incident Response
From the name, one may assume that an IRP only focuses on how to react to a threat. However, IRPs can be proactive as well. Some would argue that a really effective plan must be proactive. A purely reactive approach centers on determining a plan of action once a breach occurs and then contacting the necessary parties or individuals to alert them about the breach. In contrast, a proactive approach treats the IRP as an ever-evolving document that is continuously tested and updated.
So how can you take a more proactive approach to incident response? First, keep a running list of contact persons from each department, a point person for each who can relay whatever is needed from that department in the event of a breach. Make sure to include both a primary and a secondary person. Whoever has a stake in what the breach affects will need to be notified quickly. Second, run mock incidents and train employees. New threats emerge and new mitigation techniques arise, so keeping up to date on both serves as a proactive way to prepare for security incidents. Third, once a breach is mitigated and under control, don’t just move on; review how the CSIRT fared. Was the response effective? Were there any mistakes that prolonged the incident? Then, update the IRP accordingly.
Resources for Incident Response
Using the right tools and implementing effective planning requires that companies understand the resources available. Below are just a few of the helpful handbooks and tool reviews that can assist you in developing an IRP.
- GBHackers on Security composed a list of tools for ethical hackers and penetration testing. These tools can be helpful when running mock incidents. The list includes tools, discussion communities, books, and other resources.
- Cyberbit assembled a list of the top five incident response automation tools. Using automated tools will help relieve some of the burdens on incident response teams and IT departments.
- Since customizing IRPs based on company size makes them more impactful, the SANS Institute published a document for small businesses on how to handle security incidents.
- Although a few years old, Carnegie Mellon published an Incident Response handbook that covers how to develop a plan, test it, and improve it. The document is a supplement to the Cyber Resilience Review, a free assessment offered by the Department of Homeland Security.
The bottom line is that an IRP needs three things: a knowledgeable team, an organized plan, and effective tools. If an IRP lacks even one of these things, it will likely fail when put to the test. If you need help developing an IRP or want to learn more about the importance of an incident response plan, contact RSI Security today.