Incident Response Plan

How to create an incident response plan?

An incident response plan is a well-documented plan that includes a series of phases that helps IT security professionals recognize and properly react to cybersecurity incidents.

According to Gartner, the SANS Institute (founded 1989) is one of the world’s premier cybersecurity training organizations. The SANS Institute methodology defines six incident response phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Within each phase, there are specific areas that should be considered. Next, we will analyze each phase and identify the items that need to be addressed.

The Preparation Phase

This phase is all about ensuring your employees are properly trained regarding their incident response roles and responsibilities in the unfortunate event of a data breach.

Make sure all aspects of your incident response plan (security training, hardware, software resources, etc.) are approved and funded in advance.

Thoroughly explain and document everyone’s roles and responsibilities. This phase must be tested to ensure that your employees will perform as they were trained. The better prepared your employees are, the less likely they are to make critical mistakes.

Make sure that everyone has been trained on security policies, and that your incident response team knows its roles and has participated in mock drills.

This is also a good time to update and patch your systems, review your remote access protocols, change all user and administrative access credentials, and harden all passwords.

The Identification Phase

During this phase the security team determines whether your organization’s systems have been breached. A cybersecurity incident can originate from many different areas.

In brief, you will record how and when the incident was discovered and who discovered it. You will then follow the necessary steps to identify the source (point of entry) of the attack vector, and assess how it affects your operations.

The Containment Phase

When a breach is first discovered, people are usually tempted to securely delete everything so they can just get rid of it. This approach will likely hurt the organization in the long run because you will be destroying valuable evidence that your IT security team will need to determine where the breach started and create a plan to prevent it from happening again.

Instead, contain the breach: quarantine the malware you have identified so that it does not spread and cause further damage to your business. If you can, disconnect affected devices from the Internet.

Have short-term and long-term containment strategies in place. Keeping up-to-date backups is essential to restore your business operations.
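The Identification and Containment steps above can be made concrete in a small incident record. The following is an added example, not code from the original article or from SANS: it tracks who/when/how the incident was discovered, walks the six SANS phases strictly in order, and refuses to move into Eradication until a hashed evidence manifest of the affected files has been captured, so nothing is quarantined or deleted before its state is recorded. The incident fields, the `Incident` class, the sample file name and the phase gate are this example’s own assumptions, not part of the SANS methodology.

```python
"""Incident record that walks the six SANS phases in order and refuses to
eradicate anything until evidence has been preserved as a hashed manifest.

Added example, not from the original article. The data model, field names
and the phase gate are this example's own design; SANS defines only the
phase names.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from datetime import datetime, timezone

# The six SANS phases named in the article, in the order they must occur.
PHASES = ["Preparation", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned"]


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large artefacts are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths) -> dict:
    """Hash every file once, with a UTC timestamp, before anything is
    quarantined or removed: this is the evidence the article says not to destroy."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": {p: hash_file(p) for p in sorted(paths)},
    }


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose current hash differs from the manifest
    (missing or altered evidence). An empty list means nothing changed."""
    return [p for p, digest in manifest["files"].items()
            if not os.path.exists(p) or hash_file(p) != digest]


@dataclass
class Incident:
    incident_id: str
    discovered_by: str               # who discovered it (Identification)
    discovered_at: str               # when it was discovered
    discovery_method: str            # how: alert, user report, ...
    point_of_entry: str = "unknown"  # source of the attack vector
    impact: str = "unassessed"       # effect on operations
    phase: str = "Preparation"
    manifest: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def advance(self, to_phase: str) -> str:
        """Move to the next phase only; skipping a phase is rejected, and
        Eradication is blocked until evidence has been preserved."""
        cur = PHASES.index(self.phase)
        if PHASES.index(to_phase) != cur + 1:
            raise ValueError(f"cannot go from {self.phase} to {to_phase}")
        if to_phase == "Eradication" and not self.manifest:
            raise ValueError("preserve evidence before eradication")
        self.phase = to_phase
        self.log.append(f"{datetime.now(timezone.utc).isoformat()} -> {to_phase}")
        return self.phase

    def preserve_evidence(self, paths) -> dict:
        """Containment step: snapshot file hashes before quarantining anything."""
        if self.phase != "Containment":
            raise ValueError("evidence is collected during Containment")
        self.manifest = build_manifest(paths)
        return self.manifest


def run_demo() -> dict:
    """Walk a constructed incident through Identification, Containment and
    Eradication, showing the phase gate and the evidence check in action."""
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "suspicious.bin")  # constructed sample artefact
        with open(sample, "wb") as f:
            f.write(b"constructed sample content, not real malware")
        inc = Incident("INC-EXAMPLE-001", "on-call analyst",
                       "2024-05-01T09:12:00Z", "EDR alert")
        inc.advance("Identification")
        inc.point_of_entry = "phishing attachment (constructed)"
        inc.impact = "one workstation"
        inc.advance("Containment")
        inc.preserve_evidence([sample])
        untouched = verify_manifest(inc.manifest)  # [] while the file is intact
        skip_refused = False
        try:
            inc.advance("Recovery")  # skipping Eradication is refused
        except ValueError:
            skip_refused = True
        inc.advance("Eradication")  # allowed: manifest exists
        return {"phase": inc.phase, "untouched": untouched,
                "skip_refused": skip_refused, "files": len(inc.manifest["files"])}


if __name__ == "__main__":
    print(run_demo())
```

The manifest is the minimum a forensic reviewer needs to show that an artefact was not altered between discovery and analysis; in practice the same hashes go into the ticket and the chain-of-custody record, and `verify_manifest` is re-run before anything is handed to a third party.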

The Eradication Phase

Once you have contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be patched, and updates should be applied.

Whether you do this in-house or hire a third party to handle it, you need to be thorough. If any malware or security vulnerability remains in your systems, you may still be losing valuable data, and the liability will only increase.

The Recovery Phase

This is the process of restoring the affected systems to their pre-attack state. During this time, it is important to get your systems, devices, and business operations up and running again.

Monitor the situation, especially the systems and applications that were affected, to ensure similar attacks do not recur, and update your security incident response plan accordingly.

Lessons Learned

Once the assessment is complete, gather all incident response team members and discuss what you have learned from the security incident. At this point you will analyze and document everything about the breach.

Documentation may be used for data breach insurance. This can save the company from prospective legal costs and fines, not to mention the brand damage associated with a data breach which can be harsh for a business, especially if the organization is a startup.

Identify what worked well in your response plan, what changes need to be applied, which weakness the breach exploited, and so on. All the lessons you learn are valuable and will strengthen your organization against future cyberattacks.

No one wants to go through a security incident, but it is essential to prepare for one. Know what to do when it happens and regularly test your plan’s effectiveness. For this purpose, regularly run simulated attacks against your organization to test your incident response plan and how fast your team reacts. This habit will generate at least two important results: a deep understanding of your plan (tasks, processes) and a list of gaps that should be addressed. Where there is room for improvement, all changes must be properly documented for them to have real, lasting value for your security operations team.