How to Set Up an Incident Response Plan that Actually Works
An ever-evolving technological landscape is changing the way we do business and making many processes far simpler with each passing year.
But with each advancement in our technology comes a tradeoff: increasingly sophisticated cyberattacks.
Malware, phishing, DDoS attacks, drive-by downloads, MITMs, malvertising, rogue software – the list goes on.
And the effects of a data breach or cyberattack on a business can be absolutely devastating.
One study by the Ponemon Institute, a privacy, data protection, and information security research organization, found an alarming 90% of businesses that suffer a data loss end up closing their doors within two years. And 80% of those will fail within 13 months.
That’s why businesses today need to prioritize putting comprehensive incident response (IR) plans in place. They’ll not only strategically position you to better neutralize the threat should an attack occur, but they’ll also help mitigate the resulting damage.
Below are a few of the best strategies for creating an IR plan that actually works.
Develop a “When Not If” Mindset
The first step to preventing the inevitable is recognizing that it truly is going to happen. There’s nothing to be gained (and too much at stake) from ignorance when it comes to cybersecurity.
Analysts predict that cybercrime will be responsible for $6 trillion in damages annually by 2021, and if your company doesn’t have the proper incident response plans in place, it may not be able to recover from a breach. That’s why it’s absolutely crucial that you shift from a reactive mindset to a proactive one.
When it comes to cybersecurity, it’s better to be safe than sorry.
Build the Right Team
As with any other aspect of business, a well-made plan is only as effective as those carrying it out. As such, your IR team should bring a variety of skills and experiences to your incident response strategy, but its core should be built around seasoned IR leads.
Penetration testing, hunt team skills, log analysis, host and network forensics, memory analysis, and threat intelligence skills will all play a key role in crafting and refining your strategy over time.
What’s more, putting an experienced IR analyst in the lead will ensure there’s no disconnect between roles and management. But beyond that, strong and effective leadership also needs to be able to articulate the real business need of IT investments and continued preventative measures. Otherwise, the only thing convincing enough to push efforts forward will be the damage from a successful attack.
KPIs are a key part of translating any effort into a quantifiable measure of success and failure. While tracking these indicators can, of course, be a source of trepidation for some IR staff, the truth is that such metrics are instrumental in translating the value of efforts while also providing a baseline with which to craft and refine future efforts.
These KPIs can include:
- Time taken for detection
- Success rate of detection by system tools (vs. number reported by users or admin)
- Decision speed
- Number of false positives
- Nature of the attack
- Type of tool that led to its detection
In the end, these KPIs will give you the data necessary to measure the effectiveness of your efforts while also providing metrics with which you can communicate your team’s needs to upper-level executives and decision-makers.
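As an added example (not code from the article), the KPIs listed above computed from a handful of constructed incident records; the record fields, tool names and sample values are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from collections import Counter


@dataclass
class Incident:
    # Constructed record layout, not a format the article defines.
    attack_type: str
    detected_by: str        # tool name, or "user"/"admin" for human reports
    occurred_at: datetime   # best estimate of when the activity began
    detected_at: datetime   # when it was first flagged
    decided_at: datetime    # when the team committed to a response action
    false_positive: bool = False


HUMAN_SOURCES = {"user", "admin"}


def kpi_report(incidents):
    """Return the article's KPIs as a dict; false positives are counted
    but excluded from the timing and detection-source figures."""
    real = [i for i in incidents if not i.false_positive]
    hours = lambda a, b: (b - a).total_seconds() / 3600
    avg = lambda xs: mean(xs) if xs else 0.0   # guard against an empty period
    tool_detected = [i for i in real if i.detected_by not in HUMAN_SOURCES]
    return {
        "mean_hours_to_detect": avg([hours(i.occurred_at, i.detected_at) for i in real]),
        "tool_detection_rate": len(tool_detected) / len(real) if real else 0.0,
        "mean_hours_to_decide": avg([hours(i.detected_at, i.decided_at) for i in real]),
        "false_positives": sum(i.false_positive for i in incidents),
        "by_attack_type": dict(Counter(i.attack_type for i in real)),
        "by_detection_tool": dict(Counter(i.detected_by for i in real)),
    }


# Constructed sample data for one reporting period.
T0 = datetime(2024, 1, 1, 8, 0)
H = timedelta(hours=1)
SAMPLE = [
    Incident("phishing", "email-gateway", T0, T0 + 1 * H, T0 + 3 * H),
    Incident("malware", "edr", T0 + 24 * H, T0 + 26 * H, T0 + 27 * H),
    Incident("ddos", "user", T0 + 48 * H, T0 + 51 * H, T0 + 51.5 * H),
    Incident("phishing", "email-gateway", T0 + 72 * H, T0 + 72 * H, T0 + 72 * H, True),
]


def sample_report():
    return kpi_report(SAMPLE)


if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k}: {v}")
```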
Champion Continuous Testing
One of the biggest issues with IR strategies is not that there isn’t a plan in place but rather that the plan is generic, outdated, and not especially useful in the case of an attack. The main culprit here is a lack of comprehensive testing.
Testing should be performed frequently and exhaustively. Ideally, tests should simulate a full breach, putting each of your measures to the test so you can both identify and mend any weaknesses in the plan.
Understandably, many businesses are reluctant to expend the energy and resources required for this kind of testing. It may take a full day, or even several, to complete these kinds of assessments on the proper scale. But when you take into account the potentially disastrous effects of a full-scale breach ($3.62 million on average), it’s well worth it.
Clear and Consistent Incident Taxonomy
Learning how to identify what is and is not an incident can be integral to your future IR efforts.
In the first place, it will help in designating which types of attacks truly warrant action and which are being safeguarded against by systems in place. What measures need to be taken in the instance of an attempted attack compared to a successful one? What kinds of attacks are you protected against? And ultimately, where can your teams’ efforts be better spent?
Remove the Silo
While many believe that incident response rests solely in the hands of IT and InfoSec, the truth is that the more involved all the affected parties are, the smoother the damage mitigation efforts will be.
If, for example, a data breach does occur, it isn’t just IT and InfoSec that will be involved. PR, marketing, customer support, legal, and human resources may all be affected by the leak and, as such, should have measures in place for how to best handle their respective departments and workflows.
The more communication and collaboration there is, the quicker your company will be able to recover from such an incident and keep the damage from spreading.
Incident Response: A Strategy You Can’t Afford to Ignore
Sophisticated and comprehensive cybersecurity is becoming more of a necessity with each passing year. But as our systems advance even further, so too do those of attackers.
That’s why it’s critical to follow these strategies in both the creation and continued maintenance of an in-depth IR plan. Doing so is sure to help identify gaps, mitigate damage, and position your business to respond efficiently and effectively.
For more information on creating a comprehensive and effective incident response plan, have a look at some of the resources provided by Incident Response, the leading online incident response community.