They say that “prevention is better than cure” but perhaps we can make a small addition to that. Prevention is never completely in our control but preparation is.
According to Breach Level Index, the frequency of data breaches is increasing rapidly. Without a response plan, your organisation risks longer recovery times, leading to higher costs. Developing an incident response plan doesn’t have to be a long-winded process. According to the National Institute of Standards and Technology (NIST), an incident response plan provides a ‘set of instructions or procedures to detect, respond to, and limit the consequences of a malicious cyber attacks against an organisation’s information systems.’ This article provides a six-step guide to creating a comprehensive incident response plan.
What Is an Incident Response Plan?
An incident response plan allows for a comprehensive way to manage security breaches. The goal for this type of plan is to identify the attack, contain the damage and eliminate the main cause of the incident.
Why is it important?
It’s simple: the faster your business responds to a security incident, the faster it can reduce the costs, restore its services and processes, and reduce the exploited vulnerabilities.
An uncontained incident may lead to much larger consequences, such as increased expenses and possibly heftier fines for your organisation.
An incident response plan allows for practices and procedures to be in place to mitigate the impact of the incident. It should provide comprehensive guidance for your team to be able to deal with the security threat.
The plan should provide direction on isolating incidents and analysing their severity, terminating the attack and eliminating the cause, recovering systems, and undertaking a post-mortem analysis so that future incidents can be prevented.
Here are six steps to creating a comprehensive incident response plan.
- Preparation – Your incident response team must prepare for a cybersecurity incident by:
  - Creating policies to enforce in the case of a cyberattack
  - Inspecting security policies and undertaking a risk assessment
  - Prioritising security issues by identifying the most valuable assets and focusing on critical security incidents
  - Creating a comprehensive communication plan
  - Setting up a corporate security policy

Before the incident response team is able to take action, it is crucial to have criteria that highlight when they are needed. This could range from a phishing attack to malware detection on the system. Even when the incident is isolated, the incident response team must still be notified.
The incident response team should plan an appropriate response through the following:
- Identifying the incident
- Assessing the cause
- Analysing the severity
- Gathering evidence
- Documenting the incident

This should address questions such as: How did the incident come about? Why did the incident happen? What caused the incident? And, if possible, who caused the incident?
Once the threat is identified, the next step is to mitigate further damage. The incident response team can accomplish this by following these three steps:
- Short term containment: This involves responding immediately, so there is no further damage caused by the threat. This might be accomplished through temporarily shutting down hacked servers.
- System Backup: All systems must be backed up before wiping and reimaging. A forensic image can provide a snapshot of the incident which could then be used later to understand how the security incident happened.
- Long term containment: This involves temporarily fixing the affected systems so that business can run as usual. However, during this process it’s important to rebuild clean systems so they can be brought online during the recovery stage. It’s crucial that measures are taken to prevent the incident from escalating or recurring. Security patches must be installed, accounts and backdoors created by attackers must be removed, and firewall rules must be changed.
During this process, the threat must be contained, and systems need to be restored to their original state. However, the root cause of the attack must still be isolated.
The incident response team must also ensure that all threats and malware are removed and any existing vulnerabilities that were exploited are identified and mitigated, in order to prevent future cyber-attacks.
Although this is a crucial step, it is important that the changes are made with little effect on the operations of your business. This can be achieved by limiting the level of data that is exposed.
This can be done through:
- Identifying and fixing affected hosts.
- Isolating the root of the attack so that all instances of the software are removed.
- Staying a step ahead by anticipating that an alternative type of attack may occur and creating an appropriate response.
Analyse all affected systems to ensure that they are no longer vulnerable and can be restored. This process is important as the affected systems are placed back into the production environment and the incident response team must be certain that it will not lead to another incident.
This is done by restoring systems from clean backups, replacing all files that were compromised, installing patches and changing the system passwords, to name a few.
Reflection should be a key part of your incident response plan. It is important for the incident response team to communicate with other partners, suggesting ways to improve the process in the future.
The team must also complete the documentation that couldn’t be prepared during the process of the response. This could include documenting how the incident was managed and how the threat was eliminated. The team should create reports on what could be improved, and the lessons learnt as this could serve as benchmarks for the future.
Experiencing a data breach or security incident without a response plan can have costly repercussions, from reputational damage to financial costs. Through the creation of an incident response plan, organisations can not only mitigate the damages of a security incident, but also prevent future incidents from occurring. With the use of an incident response plan such as the one outlined above, your organisation will be able to manage cyber incidents confidently.