InfoSec Insider

How to Build an Incident-Response Plan, Before Security Disaster Strikes

Joseph Carson, Chief Security Scientist at ThycoticCentrify, offers a 7-step practical IR checklist for ensuring a swift recovery from a cyberattack.

In a startling discovery, a recent report found that 98 percent of companies have experienced at least one cloud data breach in the past 18 months, compared to 79 percent last year. The same report disclosed that nearly 60 percent of the 200 CISOs and security decision-makers surveyed considered lack of visibility, and inadequate identity and access management, a major threat to their cloud infrastructure.

From ransomware threats to malware attacks, businesses across the globe are experiencing an overwhelming increase in cybersecurity breaches that are both devastating and well-coordinated. Whether designed to lure individuals into clicking on compromising web pages or opening infected email attachments, most cyberattacks today target human error. In addition to the technology available to keep us safe, your organization also depends heavily on its people to make the right security decisions.


So now more than ever, organizations must build up their defenses against persistent attackers who have, for instance, skillfully mastered the art of abusing weak credentials (one of many risks arising from people choosing convenient, easy-to-remember passwords or reusing them across accounts).

Incident Response Plan Checklist

To avoid having to go into emergency-recovery mode during an attack, corporations should methodically plan and prepare for cyber-incidents using the following incident-response checklist, to minimize damage and ensure a swift recovery.

A strong incident-response plan can help a company recover quickly and reduce incident costs. It’s also critical to not only have an incident-response plan, but also to be “incident-response ready,” which means that the plan is periodically tested, similar to a fire drill.

  1. Ownership and Responsibility – The first step in crafting an incident-response plan is to determine the roles within an organization that will be held responsible for ensuring the program’s execution. This includes the team members trained on the steps, tools and technology in place in the plan, and ensuring that the plan is updated to reflect changes or updates within the organization. It is wise for senior staff and executives to take ownership of the incident-response plan to ensure it fully and successfully integrates across all levels and roles of the business.
  2. Roles and Contacts – In the case of an incident, all external and internal business parties are usually affected, including teams across the executive and C-level suite, legal, human resources, finance, marketing and sales. They must all know how their roles will be impacted during a cyberattack, and what will be expected of them to help the business recover.
  3. Communication Methods and Contact List – During an incident, traditional means of communication, like email or VoIP, may not be available. To ensure proper and timely communication with customers and employees, organizations need to have contact details and alternative methods of communication prepared. This also includes a clear plan on what will be communicated to whom, and at what time.
  4. Recording and Identifying – Once an incident has occurred, all aspects and details of the incident must be recorded and documented. When did the incident take place? Who discovered it? At what point did the security and IT teams intervene? Along with these steps, it is crucial to identify the type and nature of the incident and confirm that it is, in fact, an actual incident.
  5. Containment – Arguably, one of the most essential steps in the plan is containing the threat and stopping the attack. During this step, security and IT teams must decide if it is safe to watch and learn, or if they should immediately contain the threat (by pulling the plug on operations, which is very disruptive, of course). Additionally, security and IT teams must determine the scope of the attack and what sensitive data has been exposed. Use indicators of compromise (IoCs) to help determine the extent of the affected systems, and update any firewalls and network security to capture valuable evidence for forensics.

Throughout this step, organizations need to anticipate potential legal outcomes and any impacts on regulations. Businesses need to ask whether their company’s services should continue during the incident or if law enforcement needs to become involved, depending on the severity and sensitivity of the incident.

  6. Eradication and Recovery – One of the final steps of the checklist is restoring the systems and software to their original state. During this process, security and IT teams should collect evidence for proper digital forensic purposes and eliminate any lingering risks, so attackers cannot regain access. This step will include taking inventory of logs, memory, audits, network traffic and disk images, while patching systems, closing network access, resetting passwords of compromised accounts and identifying the root cause of the incident to prevent similar attacks in the future. Once recovery is underway, you must ensure system integrity, availability and confidentiality to return to business.
  7. Lessons Learned – It’s important to reflect and learn from the cyber-incident. What worked efficiently, and what needs improvement? Taking the time to reflect and draft a response report will help your business better prepare should there be another incident. Learning from the incident will also spark change and further investments in people, training and technology, to improve your organization’s security posture overall.

Creating an incident plan is a time-consuming and daunting task, especially when it feels as if your company is invincible against attacks. But the fact is, with the ever-increasing size of the cyber-threat landscape, and the potential for human error, it is becoming more likely that your organization will become a victim of cybercrime.

How prepared you are will determine the overall impact on your business. It is wise to have a clear and solidified incident-response plan to help your organization do everything possible to reduce the potential impact and risks of a cyberattack. Be incident-response ready, and have a solid incident-response plan to help your organization recover quickly.

Joseph Carson is Chief Security Scientist at ThycoticCentrify.

Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.
