6 Components of an Incident Response Plan

Published: February 6, 2025

In today’s digital landscape, organizations should adopt the mindset that a cyber attack is a matter of “when,” not “if.” A good first step toward that mindset is having an incident response plan in place before an attack happens. The reason for this change in perspective is that the number of cyber attacks has increased every year for the past few years, and these attacks have targeted organizations of all sizes and industries.

With this increase in cyber attacks, switching to a “when” mentality will help your organization build resiliency in the event that you become a target. Here we will walk through the key components of an incident response plan to help your organization begin preparing for the worst.


What is an Incident Response Plan?

An incident response plan is a set of guidelines and procedures that an organization establishes to prepare for, detect, respond to, and recover from cyber security incidents. The purpose of having an incident response plan is to minimize damage, speed up recovery, reduce recovery costs, and learn from the incident so that a similar one can be prevented in the future.


6 Key Components of an Incident Response Plan

1. Preparation

    • Team Formation. Determine who in your organization should be on the incident response team (IRT) based on the roles they hold. This should include people from legal, communications, management, and IT (IT may be an internal team or a Managed Service Provider).
    • Policy Development. After you have your incident response team set up, work on writing clear policies and procedures. The policies need to specify who in the organization will be responsible in the event of an incident and provide the appropriate framework and procedures to follow in a cyber security incident.
    • Training and Awareness. Once you have determined your policies and procedures, be sure to set up tabletop exercises as well as training for all employees in the organization. Everyone should be familiar with the plan even if they do not have a major role on the incident response team.
    • A quick note. Not all incidents are caused by cyber attacks. Some incidents are caused by things such as power outages or natural disasters. It is important to include incidents such as these in your incident response plan. This type of planning will primarily revolve around data and backups. The rest of this article will focus more on cyber attacks.

2. Identification

    • Monitoring and Detection. Once you have set up your policies and procedures, your next step is to set up continuous monitoring so that those policies can be put into action. Continuous monitoring for suspicious activity can be implemented with intrusion detection systems (IDS), security information and event management (SIEM) systems, and similar tools.
    • Incident Level. It is helpful to develop criteria that classify an incident by both type and severity. Having these criteria in advance tells the team which response procedures apply and helps it prioritize when more than one issue needs attention.

3. Containment

    • Short-term containment. If an incident occurs, take immediate steps to isolate the affected systems. This includes things such as disabling compromised accounts or blocking malicious IP addresses.
    • Long-term containment. Implement measures to prevent the attack from spreading to other parts of your network. Then prepare for recovery by applying patches, updating configurations, and enhancing security controls to begin rebuilding.
    • (Remember: when actually dealing with an incident, steps like the ones above should be determined directly by your organization’s IT provider. This article is not intended to be a comprehensive plan, just a general conversation guide.)

4. Elimination

    • Root Cause Analysis. After you have identified and contained the problem, you will need to work on eliminating its root cause. This involves investigating how the incident occurred and shoring up defenses in the areas that allowed it.
    • System Cleanup. Remove any malware that might be present and patch the vulnerabilities that were exploited. Typical steps here include applying patches, changing passwords, and reinstalling software.

5. Recovery

    • System Restoration. After the threat has been contained and eliminated, the next step is restoring your systems and testing that they function correctly. You’ll also want to double-check that the threat has actually been eliminated.
    • Continued Monitoring. Even after this whole process, damage to the system could still surface later. Be sure to continue monitoring the system so that you can catch any remaining issues.

6. Regroup

    • Post-incident Review. After an incident, have your IRT meet to figure out what went wrong and make corrections and adjustments to prevent a similar incident from happening again.
    • Documentation. Be sure to document all of your findings and any other information relevant to the incident. Thorough documentation helps you strengthen your organization’s cyber security measures and prepare for future incidents.


Other Practices and Benefits of an Incident Response Plan

    • Regular Testing and Updates. Technology is constantly changing, so it is important to regularly test that your incident response plan still works and update it as needed.
    • Clear Communication. Your organization’s incident response plan needs to be clear. This helps people know what their responsibilities are in the event of an incident and keeps communication flowing.
    • Reduced Damage and Recovery Time. A robust incident response plan better equips your organization to shorten the recovery time needed and to limit the amount of damage done to your network.


Conclusion

As we have explored, a strong incident response plan is vital for any organization’s cyber security. By preparing for an incident and responding to it quickly, organizations can minimize the damage caused and reduce the recovery time and costs an incident might cause. Having an incident response plan is not just a best practice; it is a necessity.

As always, we are here to help.