by Brian E. Thomas

Have you dusted off your incident response plan?

Sep 25, 2019
Data Breach | IT Strategy | Ransomware

As security incidents are more prevalent these days, we are seeing organizations that aren't sufficiently prepared because their incident response plan was outdated or non-existent.

As a CIO or senior technology leader for your organization, it is important that you are the champion for ensuring the company’s security posture is solid. Depending on the size of the company, you may have a CISO at your organization, and your CISO may be very much on top of this. However, it is key that your incident response plan is solid, tested, trained and socialized with everyone who would be involved when the plan is activated.

Every week (more like daily) we see headlines about a financial institution, local government or large school system that has been hacked or has become the latest victim of ransomware. In many of these cases, the companies find out that their Incident Response Plan was never tested, or worse, that it didn’t exist. Many organizations that have a security team and the latest SIEM (Security Information and Event Management) or other security technology get complacent and put too much emphasis on these tools. A good security program takes a layered approach to security and looks at the organization holistically, from the firewall to end-user education.

As Thor Olavsrud wrote in “Companies complacent about data breach preparedness,” most organizations now have a plan, but it isn’t reviewed, updated or tested as regularly as it should be. Olavsrud notes that, as security incidents become more prevalent, organizations are turning out to be insufficiently prepared because their incident response plan was outdated or non-existent.

How prepared are you?

By now you and your organization understand the concept of Incident Response (IR), and know that this methodology is how breaches, security incidents, ransomware, etc. are handled. A good incident response plan is well documented, communicated, trained, and tested annually at a minimum. The plan will incorporate methods that help you respond in a timely manner, identify what happened, and minimize the damage, exposure and cost of a cyber-attack. Of course, the plan will also consider how best to identify and communicate incidents, and how to learn from them to prevent attacks in the future.

While you may have assigned a Security Response Team and have trained them, it is important to remind all involved to think clearly and focus on the task at hand, as it will be a high-pressure time for everybody. It is paramount that you and your team perform at your best by mounting an effective and rapid response. Therefore, having a well-documented IR plan that the team can follow step by step will go a long way toward ensuring a successful recovery.

Don’t try and reinvent the wheel

It’s imperative that you ensure your IR plan has the foundational items needed for a successful plan and recovery. Whether you have an IR plan in place or not, you can start by validating your incident response actions against the response phases defined by NIST (National Institute of Standards and Technology). Your plan should follow the NIST Computer Security Incident Handling Guide (SP 800-61), whose phases are outlined as follows:

  • Preparation: Advance planning on the prevention and handling of incidents or cyber-attacks.
  • Detection and analysis: This includes actively and proactively monitoring for anomalies and potential attack vectors, and prioritizing the resulting work.
  • Containment, eradication and recovery: Having a containment tactic, detecting and mitigating the systems under attack, and having a recovery plan.
  • Post-incident activity: A key part – documenting and assessing lessons learned and having a strategy for historical retention.

Of course, these are just the outlined steps, and you should build much further on them in your own Incident Response Plan. A critical part of your plan is maintaining it, training for an incident, and socializing it with executive management. Additionally, be sure you have an internal security response team with a named point person (or persons) who holds overall responsibility for responding to the attack. This team should include the appropriate people to work an incident, both technical and non-technical staff.

Likewise, many have found that hiring an external Incident Response vendor solidifies their overall IR strategy. Of course, this depends on the maturity level of your security program, the size of your company, or your budget. Having such a vendor on retainer with a specific set of SLAs is key; moreover, experience has shown that an outside IR vendor will increase your odds of a better and faster recovery. This is really something to consider now that the level of sophistication and frequency of attacks are at an all-time high. There is also evidence now that some of these attacks are coming from foreign governments, which raises the bar for your security program.

Security must become part of your DNA

There are a few key items that you should always keep at the forefront as you prepare for or manage an actual security incident. Number one is a solid communication plan. Obviously, for security reasons you may not be able to divulge certain details of the attack to your organization, such as the source of the attack or sensitive areas that have not yet been confirmed compromised. Until the dust settles and you’ve completed your damage assessment, the best thing to do is to communicate relevant information to your end users and senior management. Once you know exactly what you have in front of you, you and senior management can decide on a course of action. For example, if PCI or HIPAA data was compromised, you may have to pull in your legal, HR, and communications officers – which should be part of your IR plan, of course.

The notification process can be extensive, depending on how severe the attack is. For example, if it was a data breach, there are privacy laws that need to be considered. These vary from country to country (GDPR, HIPAA) and even state to state, such as California’s SB1386. All of these scenarios need to be considered when building your Incident Response Plan.

If you recently experienced a minor or major incident, be sure you have completed a lessons-learned debrief and have captured everything that needs to be updated in your plan. You may find that you need to include some money in your budget for a particular tool that would help mitigate security weak points, or decide that you want to invest in a retainer with an outside security firm to assist you with a major incident, should one occur.

It’s important to note that every organization is unique, and their plan will be unique. However, you can certainly start with the NIST framework, collaborate with your industry peers or look to experienced organizations that have already built mature security programs and detailed incident response plans that you can build upon.