Creating an incident response plan
Creating an incident response plan can save your organization money by creating a set of well-defined processes for your cyber security team to follow as soon as they discover an incident. These processes reduce the time it takes the team to identify, research, contain, and extract a threat actor from systems, networks, and applications. Defining and rehearsing a response plan will identify gaps which can be remediated prior to a real incident.
The faster your organization can confront and neutralize a security incident, the better you’ll be able to handle a potential breach down the line. Therefore, it’s crucial to proactively form a comprehensive response plan. When you’re working on a response plan of your own, here are six steps that should be included.
The preparation stage of incident response involves identifying and categorizing high-risk data, applications, users, networks, systems, and devices. Additionally, your organization should review current threat intelligence and the current contextual business risk to create the most likely data breach scenarios.
This step focuses on understanding normal behavior within an environment rather than setting alerts when abnormal behavior occurs. For example, a credential theft attack alert might be based on the number of times someone tries to log in to an account but fails.
One of the most difficult parts of the identification process is setting alerts correctly. If the abnormal behavior is defined too broadly, your security team may spend too much time on false alerts – or, start ignoring alerts entirely. On the other hand, defining alerts too narrowly can lead to them missing suspicious or risky activity.
This step is the process of isolating the threat and preventing the threat actor from moving within your networks and systems. In the short term, it might mean isolating a network segment or shutting down a system. In the long term, it might mean deleting accounts or applying a security patch.
Eradication is removing anything that the malicious actor used as part of the attack. For example, this can mean safely removing malware or infected files that were part of the attack.
During this stage, the incident response team returns the impacted networks, systems, accounts, and applications to their “pre-attack” state. This can mean recovering them to a previous backup point as well as validating systems to ensure the vulnerability attackers used is fixed.
6. Lessons learned
Possibly the most important part of the incident response process, the lessons learned stage is the post-recovery discussion that helps determine what worked, what did not work, and what can be improved for the future. This crucial step will help you create an increasingly powerful and lasting response plan.