An incident response plan is a crucial set of instructions designed to help your IT department—security team at larger companies—properly deal with the slew of network security incidents that can hamper your business at any given moment. Such incidents include (but are not limited to) ransomware, data breaches, service outages, and cyber crimes such as crypto-jacking or malware.
A robust cyber incident response plan should outline with brevity and precision the exact steps your organization should follow to contain the cyber threat, mitigate damage, control incidents, and bring them to a halt. An incident response plan should be drawn up with the input of key company decision makers and stakeholders, including IT staff and security personnel.
The plan should include tools, technologies, and processes to combat and recover from cybersecurity incidents. There should also be a detailed communications plan outlining who should be contacted, both internal and external to the business, following the detection of and recovery from network security incidents.
It’s a huge challenge to create the perfect incident response plan the outset though. In fact, as network security threats evolve, it’s likely the plan will evolve too. Here are five tweaks you should consider making to your incident response plan.
1. Learn from Simulated Cyber Attacks
A great way to refine and improve upon your incident response plan is to learn from simulated cyber attacks carried out against your network/endpoints. Simulated cyber attacks are also the most proactive and prudent method for tweaking your plan compared with learning from real-world attacks. Industry surveys consistently report on worrying trends relating to incident response plans, with a significant proportion of IT executives admitting that their company’s incident response plans are only ever tweaked in response to major real-world incidents.
Further, a solid cyber incident response plan is the single most impactful way to reduce your cyber risk and mitigate the damage caused by a real cybersecurity incident.
While simulated cyber attacks don’t negatively affect your normal operations, they can highlight deficiencies in your incident response plan in a risk-free way. This helpful white paper from EY highlights the importance of cyber security incident simulations and provides some tips for carrying out such exercises.
2. Establish a CSIRT
A computer security incident response team (CSIRT) is a dedicated team solely responsible for cybersecurity incident response. While not every business can afford (or equip) the resources and talent required to form a CSIRT, a team of professionals entirely focused on cyber incident response can make a huge difference — particularly in terms of providing security policy recommendations and training staff in prudent IT practices.
As security threats become more sophisticated and increase in number, it is trending towards mission-critical for enterprises to establish their own CSIRT to thoroughly investigate and respond to the range of network threats that inundate most enterprises daily. This resource provides an overview on how to set up a CSIRT.
3. Effectively Prioritize Incidents
Effective cybersecurity incident prioritization is crucial in the development of a more robust incident response plan. Prioritizing incidents involves a clear designation of network security incidents/alerts/issues, so everyone knows which types of incidents/alerts/issues constitute the need for an urgent response, which incidents can be dealt with less urgently, which alerts to ignore (false negatives) and the type of response suited for specific incidents/alerts/issues.
Incident prioritization should encompass an approach that focuses on the potential functional impact of each incident on the organization, and also factors in the recoverability from said incidents.
For example, while a data breach resulting in access to confidential information is clearly a serious incident, it is not prudent to direct emergency response resources toward recover. This is because once sensitive information has been compromised, there is no way to recover its confidentiality. A better incident response action for a data breach is to direct resources towards containing and investigating the incident, and ensuring it is not repeated.
4. Don’t Neglect The Small Stuff
We mentioned that your cybersecurity incident response plan should be constantly evolving — based on feedback from simulated attacks, genuine network incidents, input from your IT and security team, and general cybersecurity best practices. However, when tweaking your incident response plan, it’s crucial to not neglect seemingly trivial details such as phone numbers, email addresses, and so on.
It would be a waste of an otherwise solid plan if the “small” details within your plan’s documentation are overlooked, such as who to contact in response to particular incidents and how to reach them. People get promoted to new roles or move to different companies all the time, and outdated supporting documentation is one of the easiest things to overlook in your incident response plan— make sure you don’t neglect the small details.
5. Document What You Learn
In the same way a fire drill can’t approximate the intensity of responding to an actual fire, real world security incidents are where you get an opportunity to learn about your plan, test it, and (ideally) improve your incident response plan.
Testing your plan with simulated cyber attacks is beneficial, but make sure you take time during every post-event phase to clearly document what went right and what went wrong. Documenting what you learn will inevitably lead to a stronger plan moving forward.
Whether you decide to establish a dedicated CSIRT or you’re happy delegating responsibility for cyber incident response to your current IT staff, these five tweaks can equip your organization with an incident response plan that is well-thought, organized, effective, and aligned with current network cyber threats.