In the event of a cyber attack, failure to act in accordance with best practices and relevant legislation can result in a loss of business income and reputation damage, but also steep financial penalties. For example, organizations that fail to adhere to EU General Data Protection Regulations in the aftermath of an attack can be fined up to $21M, or four percent of their global turnover.
To avoid the worst fallout of a cyber incident, it’s vital that the components of your incident response plan (IRP) are built with consideration of industry guidelines, cyber legislation, and your company’s unique risk profile.
How to Build an Incident Response Plan
It is not possible to create an incident response plan for every cybersecurity threat scenario. Instead, an effective incident response plan should detail a command structure and set of processes that enable your organization to react to numerous threat types in a strategic and measured manner to minimize damage.
While there is no universal one-size-fits-all incident response plan, industry watchdogs like the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) outline important pillars that should compose the framework of any plan. Here, we summarize that framework with the following four key components of an incident response plan.
The first step to incident response is preparing in advance. This should include using risk assessments to bolster the cyber resiliency of your networks, systems, applications, and devices.
To avoid chaos and confusion at the onset of an attack, you must define the roles and responsibilities of the individuals that compose your incident response team. Even if you hire an external incident response service, your team will necessarily be part of the communication process needed to deal with a crisis.
Prepare your communication channels and contact information to ensure the flow of information and a swift response. Don’t overlook these important communication channels:
- Contact info for internal and external team members
- On-call information for incident escalation
- Incident reporting channels, such as phone numbers, email addresses, online forms, and secure instant messaging
- War room for central communication and coordination
- Backup storage facilities and networks for communication, evidence, and other sensitive material.
2. Detection and Analysis
Cyber events often go weeks or months undetected. To minimize damage and effectively respond, your organization needs to verify that a cyber incident has actually occurred and appraise its impact.
Just like an attack can come through any number of vectors, your team may be alerted to a potential incident from various warning systems. Indicators that a cyber incident has occurred or is occurring commonly come from the following sources:
- Automated alerts from network and host-based Intrusion Detection and Prevention System (IDPSs), antivirus software, or log analyzers
- Alerts from network intrusion sensors or file integrity checking software
- Alerts from third-party monitoring services
- Manual discovery from user-reported problems
Once an event has been verified as real, you must have predetermined procedures to analyze its scope and impact on networks, systems, and applications. According to NIST, three key parts of the impact analysis should include:
- The functional impact, or the extent to which an incident has handicapped an organization’s ability to provide services to users.
- The information impact, or the extent to which sensitive information was changed, deleted, or extracted.
- And a recoverability analysis of whether or not a company can recover from the incident, and the resources required to do so.
These impact assessments should serve to help prioritize next steps for containment and recovery.
3. Containment, Eradication, and Recovery
This part of incident response typically involves a mitigation decision to stop the bleeding. This may be to shut down a system, disconnect it from a network, or disable certain functions.
Your IRP should guide you in making the right decision relevant to the type of attack you are experiencing. Factors that could influence this decision include:
- The potential damage or theft of resources
- The need for evidence preservation or collection
- The need to maintain services
- The need for extra time and resources
- The duration of the proposed solution
Before recovery, all traces of the threat must be removed. Again, this will vary by the nature of the incident or attack, but may include:
- Disabling breached user accounts
- Deleting malware
- Identifying and purging remaining vulnerabilities
Recovery means restoring systems to normal operations. This may require restoration from uncorrupted backups or rebuilding systems. Compromised files will need to be replaced, passwords changed, and network security tightened.
4. Post-Incident Improvement
The final step of incident response is taking stock of lessons learned and putting that knowledge to practice to prevent a similar event in the future. This should include a lessons-learned meeting to explore what happened, how it happened, and what corrective actions, tools, or resources are needed to make sure it doesn’t happen again.
Post-incident analysis should also appraise the monetary and non-monetary impact of the cyber attack. Hopefully, data insights can be used to justify increased funding for cyber readiness to avoid future attacks.
Remember, these four components are recommendations to build the general response framework—your specific incident response plan steps should be informed by your organization’s unique operations and risks.
For a more in-depth look at these incident response plan measures, check out this NIST Computer Security Incident Handling Guide.
An Accessible IRP With NetDiligence
Independently crafting an effective incident response plan can be costly and time-intensive. At NetDiligence, we have nearly 20 years of experience helping clients improve their cyber readiness and building incident response plans for specific needs.
With our Breach Plan Connect® tool, companies can customize a step-by-step response plan that adheres to industry best practices, stands up to regulatory scrutiny, and addresses the vulnerabilities of unique risk profiles.
In the event of a potential attack, we help users determine the validity of an incident and set their plan into motion. NetDiligence resources guide users through a response process that includes:
- Notifying law enforcement when necessary
- Contacting legal professionals that specialize in data breach events
- Engaging forensics investigation experts
- Setting up credit monitoring operations
- Hiring a PR firm or breach notification service
- Lodging insurance claims for cost reimbursement
To ensure plans are accessible in moments of crisis, NetDiligence Incident Response Plans are cloud-hosted and mobile-friendly.
Responding to and recovering from a cyber event requires a keen understanding of organizational exposures and legal responsibilities—and a team empowered to act swiftly. With a properly maintained incident response plan, you can position your firm to minimize the damage of an otherwise devastating cyber crisis.
If your company could benefit from a helping hand in building your incident response plan, contact NetDiligence today.