Cybersecurity threats will inevitably affect all operating businesses. Whether a direct intrusion, or a breach on third-party systems. 71% of SMBs have experienced a cybersecurity attack in the past year, and sadly, this statistic is only rising. So how should you prepare for and respond to a cybersecurity incident?
That’s where a cybersecurity critical incident response plan is key.
What is “Incident Response?”
Incident response is the process of managing and responding to an incident, which may be an attack on a company’s information systems or critical data.
It is monumentally important for all organizations because it helps protect them from cyberattacks, aids in their recovery from cyberattacks, and proves they are serious about protecting their data.
In real life, companies have been hacked and lost sensitive information, or have been forced to pay ransoms to get their data back. In May 2021, Colonial Pipeline, the largest refined oil pipeline in the United States covering the entire longitude of the east coast, was unprepared for the ransomware attack in which they were forced to pay the DarkSide gang $4.4 million. Even in cases where data is left intact on company information systems, bad actors simply exfiltrating data can prove devastating to corporate image and balance sheets.
What is an Incident Response Plan?
An incident response plan is a document that outlines the steps that an organization will take when one of their systems is hacked, or when sensitive data is lost. The plan can include procedures for reporting and investigating the incident, mitigating damage, documenting what happened, and notifying interested parties.
It is important for organizations to have a plan in place so they can respond without delay when an incident occurs. This helps them recover from the incident as quickly as possible and avoid any further losses. A well produced plan enables companies to make the most time consuming and difficult decisions upfront, eliminating the need to make such decisions under the acute pressure of an active incident.
Examples of how this term is used in real life include:
Company X was hacked and lost sensitive data about their employees’ salaries. They didn’t have an incident response plan in place at the time, so they weren’t able to recover from this attack very quickly. As a result, they had to pay out more money than they should have because they couldn’t get access to their employee records in time for payroll processing.
Company Y was hacked and had to pay a ransom demand of $50 million dollars in Bitcoin in order to get their sensitive data back from the hackers who stole it from them—this was after they didn’t have an incident response plan in place when the attack occurred!
Seven Phases of Incident Response
We have made the case that it is critically important to have a plan in place in the event of a cyber attack.
Over time, we have found the following seven phases of preparedness will help ensure the best outcome — and in some cases, even save lives!
1. Preparation and Planning
Preparing and planning comprise the first phase of any successful incident response. This is about preparing for the absolute worst-case scenarios. You will have to think about what you need to do in order to successfully identify, contain, and completely remedy an incident.
You will also need to create a strategy for handling incidents by identifying who will respond, how they will respond, where they will access data from, and what tools they will use. Having a plan in place means you have time on your side when a real life incident occurs so that you can make informed decisions without panicking or feeling overwhelmed by having too many options available at once.
As soon as you have confirmed that an incident has occurred, your next steps are to identify the scope of the incident. This includes:
- Identifying all systems affected by this incident
- Determining which networks or subnets are affected
- Identifying the type and scope of the malicious activity (e.g. ransomware, phishing attack)
To successfully identify these elements, you will need to collect and analyze data from a variety of sources within your organization and then determine its implications for your business continuity plan (BCP).
Don`t panic! A common knee-jerk reaction to a cybersecurity breach can be cutting losses by deleting the whole lot and turning systems offline – however, there is a more effective way to respond to a breach with urgency.
Instead, you can:
- Disconnect or ringfence infected systems from the network to prevent data exfiltration and further spread of the malware
- Change access control passwords and tokens
- Quarantine identified viruses for evidence and future analysis
- Disable remote access capabilities for VPN users, and disable wireless access points
- Ensure your backup repository is uncompromised
Once the threat is contained, it will be much easier to ensure.
The next step is to completely eliminate the threat now that it has been contained. The eradication step focuses on removing the infection and restoring infected systems. This step may involve a complete reimaging or restoration of a system’s hard drive to ensure all malicious content has been completely wiped and is no longer present for potential reinfection.
It feels like a nonstop step of effort to respond to an incident. Now it is time to rebuild. As the threat has been contained and eradicated, the next goal is to bring systems back online systematically and resume business continuity.
In this step, complete service should be restored and previously infected systems and/or networks need to be tested, validated, and monitored, to verify the same systems are not reinfected. As an additional step, every affected user within and outside of your organization should be informed of the breach and its current resolution status. In cases where account passwords are compromised, steps should be in place to reset credentials and/or deactivate accounts or Organizational Units (OUs) if necessary.
6. Document Lessons Learned
Capture what you learned from the incident. Use the knowledge for internal training, or share it with your industry and other communities. The following are some data points you can use to get started::
How you identified the threat(s) and took action against it.
How you detected the malicious activity, identified the extent of the attack, and came to understand how it affected your organization.
What would you do differently next time? Consider this question for each prompt above. There are always improvements that can be made, but there are also many lessons learned from each step of this process.
We advise future incident responders to be prepared for an extensive amount of work ahead, especially if there are multiple systems involved in an attack or breach. Also keep in mind how long each phase takes—that way when you are making decisions about how quickly or slowly things need to move along (and what additional resources might be required), your expectations will be realistic based on past experience.
7. Re-test, Repeat
After completing the first six phases, it’s finally time to bring the cleanup effort to a close. An incident response plan should always have a re-testing element, as re-testing provides the opportunity to fine tune your plan to ensure it covers all necessary areas of security within the company. Use your findings to improve the process, adjust the plans and procedures, and find any critical gaps which may have gone unnoticed. Consider a fresh perspective from a trusted source outside your organization to help identify further areas of improvement, or novel approaches you may not have considered.
Five Advantages of an Incident Response Plan
The benefits of your incident response plan may not be immediately obvious while you are still dealing with the aftermath of a cybersecurity breach. However, if you need more reasons to develop an incident response plan, perhaps the following five points will fit the bill:
- Protect Critical Knowledge
All critical information derived from incidents can be used for future planning and execution.
- Prepare for the Worst
Cybersecurity threats can hit you at any moment. Prepare early with an incident response plan.
- Reveal Vulnerabilities
Exploits and vulnerabilities can go easily unnoticed. An incident response plan can help uncover these gaps and fix them before they are exploited.
- Establish Repeatable Processes
Incident response is a continuous cycle, not a one-time event. You can duplicate and update this plan to handle future incidents more quickly and efficiently. Use the plan to establish automated scripts accessible when infiltration occurs.
- Take Responsibility
Incident response documentation shows that an organization has taken the necessary steps to protect data and prevent breaches. In the auditor’s eyes, you have accepted responsibility and taken ownership.
Incident Response Plan Template
Ready to take control of your IT security? Here are some helpful (and free) templates for a cybersecurity incident response plan to get you started.
- National Institute of Standards and Security (NIST): Computer Security Incident Handling Guide
- Pennsylvania Office of Administration: IIT Security Incident Reporting Policy
We sincerely hope that each of the points discussed above sets up your organization for cybersecurity success. We feel they are worthwhile in helping your organization plan ahead for the cyberattacks of today and tomorrow.
Contact ITAdOn’s Cyber Incident Response Team if you have any questions.