Reducing Cyber Risk: 5 Tweaks to Your Incident Response Plan
According to a 2018 Ponemon Institute study of 2,800 IT and information security professionals, 77% claimed their organization lacked a formal cybersecurity incident response plan. In the first half of 2019, our Mid-market Threat and Incident Response Report found that small and mid-sized businesses can take up to six months (sometimes longer) to discover and remediate security incidents.
An Incident Response Plan is a critical set of instructions designed to help your IT department — security team or security operations center (SOC) at larger companies — properly address real-time security incidents (and future incidents) that impact your business. Such incidents include (but are not limited to) malware infections, ransomware attacks, data breaches, service outages, and cyber crimes like crypto-jacking and phishing.
A robust cyber incident response plan (IR plan) should outline with brevity and precision the incident response process — the steps your organization should follow to contain and reduce the impact of cyber attacks and prevent further damage. An effective incident response plan should be supported by threat intelligence and created with the input of key individuals, including network security IT staff, cyber security analysts, and incident response team members.
Your IR plan should identify the human resources and tools/technology resources available to your incident responders, plus outline response procedures (e.g. triage and remediation processes like root cause analysis and timelining) to combat and recover from cybersecurity incidents. There should also be a detailed communications plan outlining who should be contacted, both internally and externally, following the detection of and recovery from network security incidents.
Developing IR playbooks is a challenge and you won’t create the perfect incident response plan on your first pass — your IR plan should function as an in-house “living” document. Just as network security threats evolve and new computer incidents are discovered daily, your plan also needs to evolve. Here are five tweaks you should consider making to your incident response plan that will strengthen your security posture, accelerate your threat detection time, reduce your response time, and protect business operations in the inevitable event of a security incident.
1. Learn from Simulated Cyber Attacks
A great way to refine and improve your IR plan is to learn from simulated cyber attacks carried out against your network and endpoints. Simulated cyber attacks are also the most proactive and prudent method for tweaking your plan in the short term, compared with learning from real-world attacks. Industry surveys and threat intelligence research consistently highlight worrying trends related to incident response plans, with a significant proportion of IT executives admitting their company’s incident response plans are rarely tweaked in response to major real-world security incidents. Many organizations are moving to a DevSecOps paradigm with close cooperation between developers, ops and security staff, to ensure that network security changes can be made easily and frequently along the entire software development cycle.
Further, a solid cyber incident response plan is the single most impactful way to reduce your cyber risk and mitigate the damage caused by a real cybersecurity incident.
While simulated cyber attacks won’t negatively affect normal business operations, they can highlight deficiencies in your incident response plan in a risk-free way. This helpful white paper from EY discusses the importance of cyber security incident simulations and provides some tips for carrying out such exercises with your in-house security teams.
2. Establish a Computer Security Incident Response Team (CSIRT)
A computer security incident response team (CSIRT) or computer incident response team (CIRT) is a dedicated team solely responsible for cybersecurity incident response. While not every business can afford (or equip) the resources and talent required to form a CIRT/CSIRT, a team of professionals entirely focused on cyber incident response can make a huge difference — particularly in terms of providing real-time security policy recommendations and training your staff in prudent IT security practices.
As cyber security threats become more sophisticated and increase in volume, establishing your own CIRT/CSIRT to investigate and respond to network threats is mission-critical for every business. In the past, computer incident response team (CIRT) and computer security incident response team (CSIRT) were separate from the security operations center (SOC). Now, cybersecurity best practices suggest the two teams are synonymous — one and the same — as outlined in this blog post from Gartner.
New to establishing a CSIRT? Check out this handy tutorial on how to stand up your own in-house CSIRT.
3. Effectively Prioritize Incidents
Effective cybersecurity incident prioritization is crucial in the development of a more robust incident response (IR) plan. Prioritizing incidents involves a clear designation of network outages/security breaches/alerts/issues, so everyone knows which types of security incidents/alerts/issues constitute the need for an urgent response, which incidents can be dealt with less urgently, which alerts to ignore (false positives and false negatives) and the type of response suited for specific incidents/alerts/issues.
Incident prioritization should encompass an approach that focuses on the potential functional impact of each incident on the organization, and also factors in the recoverability from said incidents.
For example, while a data breach resulting in access to confidential information is clearly a serious incident, it is not prudent to direct emergency response resources toward recovering. This is because once sensitive information has been compromised, there is no way to recover its confidentiality. A better incident response action for a data breach is to direct resources towards containing and investigating the incident, and ensuring it is not repeated.
4. Don’t Neglect The Small Stuff
We mentioned that your cybersecurity incident response plan should be constantly evolving — based on feedback from simulated attacks, genuine network incidents, input from your IT and security team, and general cybersecurity best practices. However, when tweaking your incident response plan, it’s crucial to not neglect seemingly trivial details such as phone numbers, email addresses, and so on.
It would be a waste of an otherwise solid plan if the “small” details within your plan’s documentation are overlooked, such as who to contact in response to particular incidents and how to reach them. People get promoted to new roles or move to different companies all the time, and outdated supporting documentation is one of the easiest things to overlook in your incident response plan— make sure you don’t neglect the small details.
5. Document What You Learn
In the same way a fire drill can’t approximate the intensity of responding to an actual fire, real-world security incidents are where you get an opportunity to learn about your plan, test it, and (ideally) improve your incident response plan.
Testing your plan with simulated cyber attacks is beneficial, but make sure you take time during every post-event phase to clearly document what went right and what went wrong. Documenting what you learn will inevitably lead to a stronger plan moving forward.
Whether you decide to establish a dedicated CSIRT or you’re happy delegating responsibility for cyber incident response to your current IT staff, these five tweaks can equip your organization with an incident response plan that is well-thought, organized, effective, and aligned with current network cyber threats.