Incident Response Plan

By Robert Townsend on September 25, 2018

Background-

Cyber-attacks are becoming a more serious issue by the year. Today, there is no arguing with the facts: attacks are more frequent, sophisticated, widespread, and costly than ever. In 2015, cyber-attacks cost companies about $3 trillion according to “DarkReading”. By 2021, that number is expected to double, which means more emphasis on cyber security needs to happen as soon as possible. The mindset you should have is that cyber-attacks are not just a possibility, but an inevitability. At this point in time, cyber crime is the most profitable criminal practice in the world. So, what happens when an attacker breaches your company’s defenses? How would you handle the incident along with the aftermath? According to “Mckinsey”, a global company recently suffered a large data breach and just spent $100 million on the investigation of the incident. This is only a small footprint of the damages that could have occurred due to investors’ loss of confidence in the company. Therefore, you should not just get by with only intrusion detection and data-loss prevention. By having a plan set for moments like this, you can make every minute of response count.

Incident Response Plan-

An incident-response (IR) plan can guide a company or enterprise through events such as breaches and other forms of cybersecurity incidents. The primary objectives of an IR plan are to limit the damage of an event, increase the confidence of stakeholders, and recover quickly at a lower cost of recovery. For example, the Department of Defense spends around $3 billion a year on cybersecurity while operating with the assumption that its unclassified network can be breached at any moment. This makes them concentrate on maintaining their operations and minimizing damage from any breach. This type of thinking, where you expect the worst to happen, prepare for it, and have a plan ready, is one of the best approaches to disaster recovery and preparation.


Source 1 – https://manthang.wordpress.com/2011/07/29/five-steps-in-an-incident-response-plan/

Phases of an IR plan-

  1. Preparation-

This phase is one of the most important steps to protecting your business. It includes ensuring your employees are properly trained in their IR roles and given responsibilities in the event of something like a data breach, conducting mock data breaches so you can evaluate your IR plan, and finally ensuring that all parts of your plan are funded and approved. (This includes training, software and hardware resources, and execution.) Another step is to ensure backups are done regularly. The plan should also be documented and should thoroughly explain what each person’s roles and responsibilities are.

  2. Identification-

This is the step where you identify what type of incident occurred, whether it is a breach, and where it originated. Some of the questions you will address: when did it happen, how was it found, who found it, what areas were impacted, what were the effects on operations, and has the source been discovered?

  3. Containment-

During the containment phase, you normally will have found the source of the breach. When you do, you do not want to delete it, as this will get rid of the evidence. This step is important since it will help you create a plan to not let it happen again. The main point of this step is to contain the incident/breach so that it does not spread and create more damage for your company. Disconnecting the device from the internet while allowing it to continue stand-alone operations is one option, and it allows movement to the next stage. Once contained, an investigation can be done to determine what happened. Copies of drives, external storage, network device logs, system logs, application logs, etc. can be used to find out who/what caused the breach/incident.
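The containment paragraph above stresses that evidence (drive copies, system and application logs) must be preserved rather than deleted. The following Python script is an added example, not code from the original post or its sources; it shows one way to make that preservation verifiable: each evidence file is copied, the original and the copy are hashed with SHA-256, and a chain-of-custody manifest is written so that any later alteration of the copies can be detected before analysis. The sample log lines, host and analyst names are constructed for the demo.

```python
"""Evidence preservation for the containment phase: hash-verified copies
of logs/disk images so the originals are never altered or deleted.
Added example, not from the original post. All file contents are constructed."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read large disk images 1 MiB at a time


def sha256_file(path):
    """Stream a file through SHA-256 (works for multi-GB images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(sources, dest_dir, collector):
    """Copy each evidence source into dest_dir, hash the original and the copy,
    and return a chain-of-custody manifest (also written to dest_dir).
    A copy whose hash differs from the original is rejected: it is not evidence."""
    os.makedirs(dest_dir, exist_ok=True)
    items = []
    for src in sources:
        original_hash = sha256_file(src)
        dst = os.path.join(dest_dir, os.path.basename(src))
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        copy_hash = sha256_file(dst)
        if copy_hash != original_hash:
            raise RuntimeError(f"copy of {src} does not match the original")
        items.append({
            "source": src,
            "copy": dst,
            "sha256": original_hash,
            "size": os.path.getsize(src),
            "acquired_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector,
        })
    manifest = {"items": items}
    with open(os.path.join(dest_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify(manifest):
    """Re-hash every preserved copy and return {copy_path: True/False}.
    Run before analysis and again before handing evidence to a third party."""
    return {item["copy"]: sha256_file(item["copy"]) == item["sha256"]
            for item in manifest["items"]}


def demo():
    """Create constructed sample evidence, acquire it, verify it, then alter one
    copy and verify again. Returns (results_before, results_after)."""
    work = tempfile.mkdtemp(prefix="ir-demo-")
    src_dir = os.path.join(work, "host")
    os.makedirs(src_dir)
    samples = {  # constructed log excerpts from a hypothetical host "web01"
        "auth.log": b"Sep 25 02:14:07 web01 sshd[4123]: Accepted password for svc from 10.0.0.9\n",
        "app.log": b"2018-09-25T02:15:01Z ERROR unexpected outbound connection\n",
    }
    sources = []
    for name, data in samples.items():
        path = os.path.join(src_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        sources.append(path)

    manifest = acquire(sources, os.path.join(work, "evidence"), collector="analyst-1")
    before = verify(manifest)

    # Simulate an altered copy (for example an editor that rewrote the file).
    with open(manifest["items"][0]["copy"], "ab") as f:
        f.write(b"tampered\n")
    after = verify(manifest)
    shutil.rmtree(work)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("after acquisition:", before)
    print("after tampering:  ", after)
```

In practice the manifest would be stored separately from the evidence copies (and ideally signed or written to append-only storage) so that whoever can alter a copy cannot also alter its recorded hash; the verification step is what lets the later eradication and lessons-learned phases rely on the evidence.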

  4. Eradication-

This is the process of getting rid of the issue/threat/malware on your computer, system, or network. It should only be done after all internal and external actions are completed. There are two important steps to this phase. The first is cleanup, which consists of running AV software, uninstalling infected software, replacing the hard drive, or even rebuilding the network. The second is awareness: letting those above and below the IR manager in the reporting chain know the details. Whether you implement this step yourself or with a third party, you need to make sure it is done thoroughly. If any trace is left, your liability will increase due to the possibility of the malware/threat spreading again.

  5. Recovery-

This is the process of restoring the affected systems and hardware and returning them to use. You can do this through service restoration, which is based on corporate contingency plans. You can also use system or network validation and testing, certifying the system as either operational or not. Any compromised system needs to be re-certified as secure and operational. Some questions to address: When can systems be returned to operational use, have the systems been patched, can the system be restored from a backup, how long should these systems be monitored, and what will ensure similar attacks will not reoccur?

  6. Lessons learned-

Once everything is restored to working condition, what was successful and unsuccessful with your IR plan should be documented. Questions like: Was preparation good enough, was communication clear, what was the cost of the incident, how can we prevent it from occurring again, what changes need to be made to security, should employees be trained differently, and what weaknesses did the breach exploit? These questions should be answered during the lessons-learned phase of the IR plan. This phase is where adjustments are made to ensure something like this will not happen again.

Incident response steps

Source 2 – https://phoenixts.com/blog/7-stages-incident-response-plan/

Conclusion-

Planning for cyber incidents to occur should be the mindset you have for your company. By being ready and preparing your company for these types of incidents, you will handle the disaster with less time spent and less money used. A great IR plan will ensure stakeholders’ confidence and will help keep future disasters from happening.

Sources-

https://www.securitymetrics.com/blog/6-phases-incident-response-plan

https://www.darkreading.com/attacks-breaches/how-to-build-a-cybersecurity-incident-response-plan/a/d-id/1331435

https://www.mckinsey.com/business-functions/digital-mckinsey/our-insights/how-good-is-your-cyberincident-response-plan

https://manthang.wordpress.com/2011/07/29/five-steps-in-an-incident-response-plan/

https://phoenixts.com/blog/7-stages-incident-response-plan/