If you’ve suffered a breach, you know how stressful it is for everyone involved. Read on to get the 7 Steps to a Winning Incident Response Plan.
To borrow from a baseball analogy, the greatest challenge in cybersecurity is that we need to relentlessly defend against known and unknown threats to retain our perfect game. In contrast, the attackers only need a single hit – just a little gap, somewhere, somehow that lets them in. So the first step in dealing with a breach is to accept that they are almost inevitable; mitigation, lessons learned, and improvement are essential.
Unfortunately, cyberattacks are increasing — that’s the nature of the technology-centric age we live in, especially since the pandemic. In 2020, cybersecurity incidents were listed among the top five risks and expected to increase. With statistics showing that cybercriminals attack every 39 seconds and 2021 cyber-attacks costing organizations about six trillion dollars, it’s no wonder why.
7 Steps to a Winning Incident Response Plan
Benjamin Franklin said, “By failing to prepare, you are preparing to fail.” Instead of waiting for a cybersecurity incident to happen, think about your organization’s incident response plan and get ready. Here are the phases of any solid cybersecurity incident response (IR) plan to take into consideration:
1. Preparation
Start thinking about your cybersecurity incident response plan straight away. Take a comprehensive inventory of the resources you have, such as people, processes, and technology. Your employee cybersecurity training program and policies play a crucial part in helping prevent breaches; they are often your last line of defense. Evaluate your risks — how many are there, how do you prioritize them — find gaps, and plan how to address them.
2. Regulatory Compliance
It’s also important to understand your regulatory compliance requirements. Depending on what they are, you may need a documented IR plan, specific technologies, people, or processes in place — or a plan for accounting for gaps you cannot fill. Many compliance regulations are built with realistic expectations and often allow organizations time to implement resources to achieve compliance. These usually include a stipulation that the plan needs to be documented, with milestones for what will be operational and which requirement each milestone satisfies. All of this means that you must have a plan.
3. Identification
If your organization suffers a breach, first, take a deep breath. Then, stay calm and focus on establishing the basic facts. It may be challenging to know every detail right away. Think about your security stack. What information do you have that can help you determine breach details? You’ll need to identify the source of the breach, how long the bad actors have been in your systems, and how many systems are affected. If you are using cybersecurity tools that provide security analytics, such as behavior tracing, these can be instrumental in helping you view the incident from a historical entity standpoint.
4. Communication and Notification
After determining the scope, you will need to guide the affected employees, partners, vendors, and customers. Your communication and notification plan should spell out, for example, the immediate steps IT must take, the steps each employee must take, and what communication and information you provide to each audience. Compliance considerations are often critical at this point, so make sure you’re accounting for these.
5. Containment and Eradication
Containment is all about minimizing the impact. It’s about establishing how to stop the incident from spreading and isolating compromised systems and data. Quarantine any suspicious files and data, disable network access for affected devices, and plan for any security patches. Now is the time to update all of your systems and establish a new, safe baseline.
Eradication is more than just the isolation and removal of the malware; it means finding and eliminating the root cause of the breach. Numerous cyber tools and services can assist in malware removal. Additionally, as you did at the identification phase, leverage your SIEM’s behavior tracing to track down the source(s) of the incident to eliminate it.
6. Recovery
Once the incident is contained and its root cause eradicated, you can focus on recovery. A critical and often overlooked component of recovery is to account for the restoration of cloud data. Do you have an offline, last known good (LKG) copy in case the primary copy is compromised? Recovery services and old-school backups are the saving grace for many organizations. The goal is to bring devices and data back to a state where your colleagues are working again and data loss is minimal.
7. Lessons Learned/Post-Mortem Meeting
Last is the post-mortem part of your incident response plan; it is also the most important. Arrange a meeting to discuss what transpired. Remember that the purpose of the post-incident meeting is not to assign blame to anyone or a group. Instead, focus on what happened. Did any systems or tools fail? Where were the gaps? When could the attack have first been identified? Were any warning signs missed? Ultimately, the most effective post-incident meetings deliver actionable lessons learned that help you prevent future incidents.
Things To Remember After a Cybersecurity Incident
When thinking about your incident response plan, make sure you focus on:
- Communication. Properly conveying what is going on internally and externally is key to addressing the incident quickly and effectively.
- Proactive remediation. After containment, it is vital to recognize where things went wrong to identify and remediate your security gaps.
- Evaluation of your overall security posture. After a cybersecurity incident, your organization needs to determine specific steps to improve your security posture — and whether or not the tools you have in place are sufficiently protecting you. Naturally, you will face some challenges, but addressing them now will help you improve your organization’s security posture in the future.
Not sure if you can recognize the gaps and weak spots in your cybersecurity posture?
Download our Warning Signs e-book to identify your vulnerabilities and discover the best ways to eliminate them.