As part of Solutions Review’s Premium Content Series, a collection of contributed columns written by industry experts in maturing software categories, Max Henderson of Pondurance breaks down the key steps every SOC team should follow when building an incident response plan.
Sad but true: thousands of organizations across just about every industry suffer data breaches every year. The 2022 Verizon Data Breach Investigations Report analyzed 23,896 incidents, of which 5,212 were confirmed data breaches, so the odds of never being breached are pretty slim. But hey, knowledge is power: accepting that you are likely to be breached, and preparing for it, puts the odds of a smooth recovery in your favor.
To be prepared for a cyber-attack means having an incident response (IR) plan, which, according to the NIST Computer Security Resource Center, is “The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber-attack against an organization’s information system(s).” Creating, testing, and maintaining an IR plan is the best way to ensure your organization won’t be brought to its knees by a breach, or even be put out of business altogether.
Elements of a Comprehensive Incident Response Plan
Whether you are creating an incident response plan for the first time or refreshing an existing one, there are several critical things to think through.
Ultimately, an IR plan revolves around the lifecycle of a cyber-attack. Every good plan should include these five key steps.
Collect key information, assemble your stakeholders, assign roles and responsibilities, and document the process to create a formal cybersecurity policy.
Preparing involves identifying the following:
- The types of information your company manages.
- The compliance or data management regulations applicable to your business.
- The security controls you have in place—do you have a security operations center (SOC) running either in-house or through a service provider? Is it providing 24/7 monitoring, detection, and response?
- The list of essential logs and an inventory of all digital assets.
- The location of all company backups—are they stored in an offsite vault? (If not, they should be.)
- All of the stakeholders who would be involved in responding to an incident, from executive staff to IT and cybersecurity personnel, to HR, legal, customer success, marketing, and potentially others.
When every minute counts, it is essential to have a strong security team and security tools to monitor and detect malicious activity throughout your network, endpoints, logs, and cloud on a 24/7 basis.
This step involves:
- Documenting the security tools your SOC team will use to detect threats (even if that team is with a service provider).
- Proactively performing a vulnerability assessment on all of your business applications to identify any weaknesses that need to be patched.
- Bolstering your security team, if necessary, to ensure you have enough people to provide 24/7 monitoring. If you can’t hire more people in-house, then look to a managed detection and response (MDR) partner to fill technology and skills gaps.
- Ensuring that security and activity logs are kept for legal purposes.
- Documenting who leads the team if a breach occurs and whom they should contact to put the IR plan into action.
Containment and Eradication
Responding to security incidents can take many forms, such as triaging alerts and containing the threat by isolating or shutting down the infected systems to prevent further spread across your network. In addition, having your SOC actively hunt for these threats is critical to locating malicious files, backdoors, and other footholds that can lead to a security incident.
This part of putting the plan into action involves:
- The tailored containment of systems, networks, servers, databases, and devices to minimize any potential damage.
- Determining whether any sensitive information was breached or whether there’s been a loss of data.
- Updating firewalls and network security controls to capture any evidence that could be helpful in a post-breach investigation.
- Preserving all of the evidence for further analysis in hopes of identifying the origin, impact, and intention behind the attack.
- Keeping a log of the incident that includes critical details such as date, time, location, and extent of the damage. This is essential to identifying whether the attack was deployed externally, internally, or even from a misconfiguration or human error. It’s also important to document who discovered and reported the incident, and how.
It is all hands on deck when communicating the incident externally and to other internal departments.
- Work with your marketing team to draft public statements about how you are mitigating the incident. Timeliness matters here, because too long a delay can damage the organization’s reputation.
- It’s also very important to work closely with your legal team to determine whether you’ve inadvertently violated any compliance regulations. You should also plan to contact law enforcement or other government agencies that might require notification when a breach occurs.
- Last but definitely not least, ensure everyone across the IR team is coached on how to discuss the matter with customers who might contact the organization with concerns.
Review and report on what happened, what the root cause was, and what could be improved in the IR plan to reduce response time and the likelihood of another incident.
During this phase of an incident:
- Restore systems to the pre-incident state, but with appropriate patching, credential resets, and overall security improvements.
- Implement security awareness training among your staff and provide insights into how human errors occur and why password management is essential.
- Discuss how well your IR plan performed.
- Update your IR plan based on what improvements should be made.
- Keep all stakeholders informed about any updates to the IR plan.
It’s a lot, but your organization will be far more secure and resilient with an IR plan in place. The other good news is that a regularly tested IR plan can result in significant cost savings. The 2022 Cost of a Data Breach Report reported that “businesses with an IR team that tested its IR plan saw an average of USD 2.66 million lower breach costs than organizations without an IR team and that doesn’t test an IR plan.”
You don’t have to go it alone. If you don’t have the in-house expertise to drive the creation and regular testing of an incident response plan, there are IR service providers that can supply the planning, training, response skills, and guidance required to prepare for a breach and get your organization through one. Working with an IR service provider is especially helpful when a cyber-attack is launched at 3:00 am on a weekend or holiday. Regardless, have a plan, keep it updated, and stay safe.
5 Key Steps to Include in Your Incident Response Plan - November 8, 2022