Incident Response Plan Basics

The question ‘Will I suffer a cyber attack?’ has changed over the past few years to ‘When will I suffer a cyber attack?’.

The increasing complexity of information systems and networks has been matched by a rise in cyber threats worldwide. Organizations need an Incident Response Plan to limit the impact of these attacks and recover from them in a controlled way.

What is Incident Response?

Incident Response (IR) is the process by which an organization responds to and manages "incidents" such as cyber attacks or data breaches. Incidents can be destructive, resulting in significant financial loss or theft of your company's valuable data.

Most organizations have a host of business continuity and emergency response procedures. All too often they have no cyber Incident Response Plan (IRP), or their plan covers the technical procedures but leaves out how employees and management are expected to respond.

While it is prudent to have staff members trained in the detection, analysis and eradication phases of Incident Response, it is equally important that management and stakeholders understand the implications of a data breach and the actions they need to take. Data breaches are stressful situations, and poor incident handling only makes them worse.

What is the difference between a Cyber Event and a Cyber Incident?

When discussing Incident Response, it is important to differentiate between a cyber event, an adverse event, and a cyber incident.

NIST's 'Computer Security Incident Handling Guide' (SP 800-61) defines an event as "any observable occurrence in a system or network". This may be something as simple and seemingly harmless as a user sending an email or a firewall logging a connection. An event can lead to an incident, but most events never do.

An adverse event is an event with negative consequences. An example is unauthorized access to, or misuse of, administrative privileges that provide access to networks, servers, company computers or other important resources.

A cyber incident, in the same NIST guide, is a violation or imminent threat of violation of computer security policies, acceptable use policies or standard security practices. Examples include a phishing email that has harvested login credentials, an exposed Remote Desktop Protocol (RDP) service used to deploy ransomware on the network, or a botnet flooding a website with traffic so that legitimate users cannot reach it. The practical difference matters because it decides when the Incident Response Plan is invoked: events are monitored, adverse events are triaged, and incidents trigger the plan.

What is an Incident Response Plan?

An Incident Response Plan (IRP) is the set of policies and procedures that govern how the organization handles cyber events and incidents. It should be written so that every relevant employee knows their role, and so that the right information reaches the right people quickly.

The most important part of your Incident Response Plan is that you have it printed.

Printing a paper copy really cannot be stressed enough. If ransomware has encrypted your file servers, or an attacker has locked you out of your cloud tenant, you will not be able to open the plan from a computer on that network. Keep a printed copy (or a copy on a device that does not depend on your network or identity provider) in a known location. The IRP must also carry up-to-date contact information for the Incident Response Team (IRT), your cyber insurance broker and legal counsel, including out-of-hours numbers; verify those details every time the plan is tested, because a stale phone number is discovered at the worst possible moment.

Who is responsible for dealing with a Cyber Incident?

The response to a cyber incident is not 'one size fits all', and planning should cover multiple scenarios. Usually, the responsibility for the initial response falls to one person who has the authority to shut down networks and services to employees and customers as needed. That person may not be an employee; it could be a member of a third-party Incident Response Team (IRT). Whoever it is, the plan should name them and a deputy, because decisions such as taking a revenue-generating system offline cannot wait for a committee.

Three providers, usually third parties, will be integral to remediating a cyber disruption: your cyber insurer, your legal counsel, and your incident response provider, which is often a Managed Security Service Provider (MSSP) acting as the IRT. Each of these groups can assist you in different phases of Incident Response.

The Incident Response Team will be your first call.

The Incident Response Team are the computer security professionals who will investigate and remediate your cyber events and incidents. They will provide actionable recommendations on how to begin containing the situation. If you do not have an IRT on retainer, your insurer will recommend or engage one who can provide the necessary service. One caveat: check your policy before the incident, because many cyber-insurance policies require you to notify the insurer before a responder is engaged, and may only cover the cost of providers on the insurer's panel. The IRT will follow a defined workflow that collects evidence safely and restores your systems. Thorough reporting will be provided throughout the incident for the benefit of owners, directors, management, law enforcement, shareholders and regulators.

The Phases of Incident Response

Incident Response as described here consists of seven phases which your Incident Response Team (IRT) will carry out. (NIST SP 800-61 groups the same work into four: Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity.) Depending on the nature of the incident, the duration of each phase will vary, and some phases will overlap or repeat; for example, analysis often uncovers a second compromised host that must be contained. The phases are as follows:

  1. Preparation: The IRT will work with your organization to ensure it is equipped to handle potential incidents from a technical, organizational and individual perspective. This includes helping you craft or enhance your Incident Response Plan (IRP), confirming that logs are retained centrally, and checking that backups exist and can actually be restored.
  2. Detection: The initial discovery of an event often comes from an employee reporting something odd, or from a monitoring alert. The IRT will examine the affected systems, software and web-facing services and sift through indicators such as logs, alerts and unusual account activity to establish the initial scope of the event.
  3. Analysis: The IRT will assess the scope and severity of the incident and determine which parties need to be notified. This phase reviews files, logs and systems to build a timeline of what happened. The IRT uses tools that record the chronology of events and preserve original files unchanged, working from verified copies rather than the originals. Capture volatile data (memory, running processes, network connections) before powering a machine off, since that evidence is lost on shutdown. Forensic evidence must be handled with care to maintain a chain of custody in case legal proceedings follow.
  4. Containment: Informed by the detection and analysis phases, the IRT will decide on the severity of the incident and the most effective means of preventing it from spreading. Examples include shutting down systems, disconnecting workstations from the network, and network segregation. NIST lists the criteria for choosing a containment strategy: potential damage to and theft of resources, the need to preserve evidence, service availability, the time and resources needed to implement the strategy, and its effectiveness and duration. Containment is also where evidence is most easily destroyed, so the decision to power off or rebuild a host should be made deliberately, not reflexively.
  5. Eradication: At this point, malicious software is removed, compromised accounts are disabled and their credentials reset, any secrets the attacker could have reached (keys, tokens, service passwords) are rotated, and the vulnerabilities that were exploited are patched. Where a host's integrity cannot be trusted, rebuilding it from a known-good image is safer than cleaning it.
  6. Recovery: The IRT will work most closely with the IT department and administrators to restore systems, confirm their functionality and monitor for signs of re-compromise. Backups may be used if data was altered or destroyed or applications failed, but confirm that the backup predates the compromise and is free of the attacker's tooling before restoring it.
  7. Post-incident reporting: After the incident is remediated, meetings will be held to walk through the incident, document it, and agree on lessons learned. Department heads and other stakeholders will review future security measures, how resources were mobilized, and how well communication worked, and distill the findings into recommendations for handling similar events. Your organization will tie up loose ends, including any regulatory notification requirements or legal action.
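The analysis and containment phases above depend on evidence whose integrity can be proven later. The following is an added example (not code from the original article or any particular IRT) of how a responder can do that in practice: record a SHA-256 manifest of each evidence item at collection time, and keep a hash-chained chain-of-custody log so that any later edit to the evidence or to the log itself is detectable. The function names, the sample evidence bytes and the timestamps are all constructed for the example.

```python
"""Evidence manifest and hash-chained chain-of-custody log.

Added example, not from the original article. Assumptions: evidence items are
already collected as bytes (a memory image, a log excerpt); we hash them once at
collection time and record every hand-over in a log whose entries are chained.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(evidence: dict, collector: str, collected_at: str) -> list:
    """One record per evidence item: name, size, SHA-256, who collected it and when.
    Hash the original bytes before anything else touches them."""
    return [
        {
            "item": name,
            "size": len(data),
            "sha256": sha256_hex(data),
            "collected_by": collector,
            "collected_at": collected_at,
        }
        for name, data in sorted(evidence.items())
    ]


def verify_manifest(manifest: list, evidence: dict) -> list:
    """Return the names of items whose current bytes no longer match the recorded
    hash, or that are missing. An empty list means every item is intact."""
    bad = []
    for rec in manifest:
        data = evidence.get(rec["item"])
        if data is None or sha256_hex(data) != rec["sha256"]:
            bad.append(rec["item"])
    return bad


def _entry_hash(entry: dict, prev_hash: str) -> str:
    # Hash the previous entry's hash plus this entry's fields (minus its own hash).
    body = json.dumps({k: v for k, v in entry.items() if k != "entry_hash"}, sort_keys=True)
    return sha256_hex((prev_hash + body).encode())


def log_custody(log: list, item: str, action: str, handler: str, at: str) -> dict:
    """Append a custody event (collected, copied, handed over, analysed, ...).
    Each entry's hash covers the previous entry's hash, so re-ordering, deleting
    or editing an earlier entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"seq": len(log), "item": item, "action": action,
             "handler": handler, "at": at, "prev_hash": prev}
    entry["entry_hash"] = _entry_hash(entry, prev)
    log.append(entry)
    return entry


def verify_custody_log(log: list) -> bool:
    """Walk the chain from the genesis value; any edited, dropped or reordered
    entry makes a stored hash disagree with the recomputed one."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if _entry_hash(entry, prev) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


# Constructed sample evidence (not real data): a memory image and a firewall log excerpt.
SAMPLE_EVIDENCE = {
    "ws-042-memory.raw": b"\x00MZ\x90fake-memory-dump-bytes",
    "fw-edge.log": b"2024-01-01T10:00:00Z deny tcp 203.0.113.5 -> 10.0.0.4:3389\n",
}


def demo():
    """Returns (everything_intact, items_changed_after_tampering)."""
    manifest = build_manifest(SAMPLE_EVIDENCE, "analyst-1", "2024-01-01T11:00:00Z")
    log = []
    log_custody(log, "ws-042-memory.raw", "collected", "analyst-1", "2024-01-01T11:00:00Z")
    log_custody(log, "ws-042-memory.raw", "handed over", "analyst-2", "2024-01-01T12:00:00Z")
    intact = verify_manifest(manifest, SAMPLE_EVIDENCE) == [] and verify_custody_log(log)
    # Simulate someone modifying the memory image after collection.
    tampered = dict(SAMPLE_EVIDENCE)
    tampered["ws-042-memory.raw"] += b"x"
    return intact, verify_manifest(manifest, tampered)


if __name__ == "__main__":
    print(demo())
```

In a real engagement the manifest and log would be written to write-once storage (or signed) rather than kept in memory, and the hash of the original media would be taken before any copy is made; the hash chain only tells you that something changed, not who changed it, which is why the handler field and an independent timestamp source still matter.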

An Incident Response Plan allows your organization to be as prepared as possible for an incident. The goal of protecting internal and client data should not be overlooked, as the consequences of a breach can be devastating both legally and financially. If information systems are disabled, your Incident Response Plan should not rely on negotiating with the threat actor; the focus should be on maintaining business operations and restoring the affected systems as quickly as possible. Regular, tested backups of applications and data, a printed Incident Response Plan, and a competent Incident Response Team will help ensure that your organization is ready for the threats it will face and continues to run smoothly.