Preparing for the Worst: How to Build a Cybersecurity Incident Response Plan
By 2025, cybercrime will cost companies worldwide an estimated $10.5 trillion every year, compared to $3 trillion in 2015. In today’s volatile threat environment, it is crucial to be prepared for the worst so that business downtime, data loss, and reputation damage are kept to a minimum when it happens.
Every organization must have the necessary resources and security controls to mitigate the risk of a breach. But when a threat inevitably finds its way in, an incident response plan kicks off to prevent additional consequences. Let’s explore the incident response process and the essentials of building your own incident response plan.
What Is an Incident Response Plan?
Cyberattacks are becoming more common and sophisticated, meaning it’s imperative that IT keep both its mean time to detect and its mean time to respond short. Three years ago, companies had four hours and 37 minutes to respond before lateral movement. Today, the average breakout time (the time from initial compromise to lateral movement) is just 27 minutes, meaning you have less than 30 minutes to be alerted to malicious activity and stop it.
An incident response plan (IRP) is a series of procedures that aids IT staff in detecting, responding to, and recovering from a cyber incident. These playbooks are defined to limit the consequences of malicious cyberattacks, protecting an organization’s information systems, data, and reputation. An IRP must account for all systems in the environment that could be susceptible to a breach, as different systems will warrant different responses.
Building Blocks of an Incident Response Plan
Every incident response plan should contain the following elements:
- Preparation: An incident response plan is not a replacement for the people, processes, and technology needed for adequate security. Your security program must include
- proper network security tools (firewall, email security, web security, etc.),
- a central location for logging incidents (SIEM, SOAR),
- tested and hardened backups,
- systems and data classification for criticality, and
- cyber insurance.
- Definition of Critical Items: Identify the most valuable items in your network. Which of your assets would cause the most damage if compromised? Be sure to cover all business units, not just IT. Identify the items that can’t withstand downtime, then build your plan around how critical each of those systems is.
- Evaluation of Dependencies: Beyond the immediate assets in your environment, consider interdependent systems. What are your critical items relying on? Your plan should seek to protect all relevant items.
- Buy-In from the C-Suite, Legal Team, and Board of Directors: All levels of the C-suite need to be involved in the plan, as well as any relevant stakeholders. Legal teams, cyber insurance carriers, and team leaders must be able to communicate needs before the technical team can get to work.
- Form an Incident Response Team: Make a list of key roles and assign all responsibilities to a team. Whether you decide to develop a Security Operations Center internally or outsource managed detection and response, all key contacts and roles should be defined and coordinated. For example, be sure to include and assign a project manager who collects artifacts, minimizing administrative duties for your security team. Finally, provide education to all relevant members so they are well prepared for an incident.
- Testing and Documentation: Bring every aspect of your plan together into one document or playbook, outlining all necessary protocols and information. Don’t forget to also run a test of your plan. You’ll want to identify all possible roadblocks before an incident makes its way into your network.
Incident Response Steps
A standard incident response lifecycle includes the following stages:
- Identification: The first response to an event, this step identifies the full scope of a threat before declaring it an incident. Ideally, this stage is performed 24/7.
- Containment: Cut off relevant communication channels as quickly and efficiently as possible. Isolate compromised systems, disable accounts, and limit lateral movement across the network.
- Eradication: Countermeasures are deployed to mitigate the threat and associated risk to the environment. Remove a threat and restore systems to their previous state while minimizing data loss.
- Recovery: In the case that eradication isn’t possible or isn’t enough, recovery is necessary to restore affected systems, whether through re-imaging or from backups.
- Post-Incident Reporting, Cleanup, and Hardening: At the end of a response, develop a report on the scope of the incident, including affected systems, vulnerabilities, and stolen information. The lessons you’ve learned should be applied to the preparation step of your plan.
Evaluate your current security posture to improve your defense processes and prevent future incidents from occurring in the same way. Use tools that utilize machine learning and analytics to develop more meaningful alerts and reduce impact.
Your IRP will also incorporate your company’s unique aspects; however, the best practices outlined here will ensure you can respond to any threats to your environment.
These tips will give you the foundation you need to get your own plan started. If you’d like additional support, ProArch's cybersecurity solutions and Managed Detection and Response services can help you be prepared for an incident and improve your security posture so damage is limited and your bottom line is protected.