Ready, Set, Respond! Planning an Effective Incident Response Strategy.

Dwight D. Eisenhower, the 34th U.S. president, once said, 'Plans are nothing; planning is everything.' In this post we’ll dive into the fundamentals of incident response planning, and take it a step further to show how planning for an incident goes beyond just documentation.

At Hive Systems (and in our Hive Live episodes) you’ll hear us constantly talk about the need to act, and not react when it comes to cybersecurity. One way to be sure you are proactive in your cybersecurity strategy is by planning for how you will react in the event of an incident. No matter how well you’ve secured your environment, you still need to ensure you have the resources, awareness, and procedures to effectively respond and minimize impact. NIST and SANS offer some of the most popular cyber incident response frameworks that organizations may adopt to prepare for and respond to cyber attacks. In this article, we will review the fundamental aspects of an Incident Response Plan based on both frameworks.

“First, why is incident response planning important?”

When a cyber attack occurs, it's vital to identify the source and take immediate actions to contain and eradicate a threat, whether through patching, wiping and restoring from backups, or implementing other countermeasures. Responding to a cyber attack without an effective and tested incident response plan leads to unnecessary chaos, draining resources, time, finances, and risking damage to the company’s reputation.

”What do I need to do to have an effective incident response strategy?”

There are several phases in an incident response methodology that outline steps that should be taken for effective incident response:

Preparation

First of all, you’ll want to identify whether it’s an event or an incident. According to NIST, an event is any observable occurrence in a system or network and an incident is a violation or imminent threat of violation of an organization’s security policies, acceptable use policies, or standard security practices.

Addressing an incident is a complex task that is too large for one individual or team to handle. A more effective approach is to bring together individuals from various departments or teams and to form a response team, ensuring a complete understanding of the situation and enabling an effective response. This team should have clearly defined roles and responsibilities documented in a formal Incident Response Plan, ranging from incident detection and analysis to documentation and communications.

This collective expertise from various teams will be invaluable in tackling the challenges that lie ahead. Due to the high level of public concern around cyber attacks, incident response teams should include not only technical personnel to mitigate the incident, but also legal and PR/corporate communications professionals to manage external (and internal) communications.

Another critical step is comprehensive documentation, which should be organized as part of the Preparation phase. A thorough Incident Response Plan should be documented and reviewed annually, outlining the incident response phases, roles and responsibilities, incident types and severities, and reporting requirements. As part of the planning phase, a repository should be established for tracking and retaining incident response details, and templates should be drafted to capture incident details from incident reporters.

The Preparation phase extends further than just having the right tools, systems and resources to respond to  an incident. Regular training and incident response exercises are critical to ensuring teams can effectively respond to an incident in real-time.

Detection and Analysis

The priority is to detect the potential security incidents at an early stage by using monitoring systems or tools such as firewalls, IDS, or IPS. Then, indicators should be analyzed in more detail to identify the specific type of attack and its extent. Each type of attack may exploit different vulnerabilities, and understanding the attack vector is critical to crafting an effective response.

Employees, users, and customers should have clear options to report suspected incidents through designated communication channels such as a hotline, email, or secure online form. Once reported, each incident should be categorized by severity , assessing its impact on business functions and data confidentiality. Depending on the assessment results, the incident response team can escalate issues appropriately, directing critical incidents to senior leaders for input and awareness, or to  legal counsel (including external counsel) for proper handling.

Containment, Eradication, & Recovery

Containing the issues by isolating the affected systems as quickly as possible is crucial to preventing further security risk or impact. During containment, immediate measures are taken to control the spread, while a stable, long-term containment strategy is established to secure the affected systems, endpoints, or accounts. Throughout this phase, forensic evidence should be carefully collected to support both legal compliance and post-incident analysis.

After containment, eradicate the threat by removing malware, terminating unauthorized user access, or applying patches or controls. Finally, the systems should be restored from a clean backup to resume normal operations and should continue to be monitored for any new signs of threats.  

Post Incident Activity

Clear communication and transparency about which systems were affected and how the breach occurred builds trust but helps identify ways to prevent similar incidents in the future. Holding a “lessons learned” meeting after each event or incident is vital to review what happened, assess the response plan’s effectiveness, and pinpoint improvements which should all be incorporated into improving the response plan for the future. A thorough After Action Report should be documented to break down the root cause of the incident and mitigation strategies to prevent similar incidents from happening in the future.

The recommendations from these reviews should be incorporated to enhance future incident handling, from updating response procedures to training adjustments. Management’s commitment to incident response is crucial for sharing necessary resources and supporting continuous improvement efforts. Additionally, legal and PR/corporate communications personnel should draft reports and external communications to support breach reporting requirements, ensuring affected parties, regulatory bodies, stakeholders, and even shareholders are informed in line with the legal and regulatory standards.

"Ok so my Incident Response Plan covers all these phases - that's all I need to do, right?"

As mentioned at the beginning of Eisenhower’s quote, “Plans are nothing; planning is everything’’, we must recognize that planning requires significant effort, preparation and expertise, but doesn’t stop at documentation. Incident Response Team members should be trained on their incident response duties at least annually, and the Incident Response Plan should be tested through either simulated or real-time incidents annually to account for organizational changes. Telling everyone what they’re supposed to do in a plan without practicing it will only result in slower response times, communication errors, and can increase the impact of an incident.

Are you interested in learning more about cybersecurity in an approachable way, like the article above? Be sure to check out our other Approachable Cyber Threats (ACT) posts and subscribe to our ACT Digest to stay updated. We’ll send new articles straight to your inbox!