With the rise in ransomware and advanced persistent threats, companies need to prepare for an attack. A well-designed and regularly updated incident response plan will help your company respond effectively when an attack occurs.
In this article, you’ll find six ways to tweak your incident response plan so that you are better prepared for advanced attacks.
What is an Incident Response Plan and Why Do You Need One?
Security incidents, such as data breaches, are events that compromise your organization’s data or operations. An incident response plan is a document that outlines the protocol you need to follow when confronted with a security incident.
A detailed plan helps an organization by giving staff clear guidelines they can follow to respond faster when a security incident occurs. Every attack is also a potential gold mine of information about attackers and their methods. An organized protocol, such as a response plan, lets you make the most of this opportunity: using an incident response plan, you can gather crucial data that helps you mitigate the current attack and prevent future threats.
What should be in your incident response plan?
A good incident response plan consists of six steps:
Preparation—the actual planning, which starts with an assessment of your organization’s capacity to detect and handle an attack. Establish policies and communication guidelines, and perform ongoing collection and analysis of your intelligence feeds. Document the policies and procedures you will use in the subsequent steps when an attack is detected.
Identification—once an incident has taken place, identify the threat. Collect and analyze the data you need to stop the attack. Use this information to identify signs that may indicate further attacks.
Containment—stop the attack, according to the guidelines established during the preparation stage and the data collected in the identification step. Contain the breach so it doesn’t spread. This can involve isolating the affected devices from the internet or reviewing the remote access protocols.
Remediation—eliminate the cause of the threat: remove malware, patch systems, and update systems.
Recovery—apply disaster recovery and backup strategies.
Lessons Learned—analyze and document everything about the breach, for example the attackers’ point of entry and the response time, and update the plan accordingly.
The quality of your response plan directly affects the outcome of an attack, so it is important to constantly update and refine your IRP. Many companies work with the same response plan for years, but being insufficiently prepared for an attack can cost your organization millions in data loss.
6 Changes to Your Incident Response Plan to Respond More Efficiently
Advanced persistent threats are on the rise, with ransomware attacks occurring over 4,000 times a day. Since there is no one-size-fits-all response plan, below we discuss six tweaks that can help you build a successful incident response plan.
1. Identify critical data and systems.
Ask the question: which resources should your organization protect the most? The answer shows you where to strengthen protection. In the event of a security incident, you can then prioritize your response and restore your most critical data or systems first.
A crucial step is to define what constitutes an incident for your company and the degree of severity it entails. An organization should respond differently to, for example, a malware attack than to a ransomware attack. You need to match your response to the threat. Categorize incidents according to the type of attack and develop a mini-plan for each category.
2. Have an up-to-date, workable plan.
An ad-hoc plan is not a plan. A well laid out plan will save your organization precious time and provide you with the information you need to respond swiftly to an attack. If you already have an incident response plan in place, check it. Keep your plan relevant and up to date, and look at the incidents happening in other organizations and update the plan as needed.
Don’t forget to update the supporting documentation too, such as critical contact names or reports on past attacks.
3. Keep your security software (and team) up to date.
Having up-to-date threat detection software, including data loss prevention software, helps you detect and contain threats faster. A backup and disaster recovery solution can help you avoid unnecessary problems. Be sure to include guidelines for disaster recovery in your plan.
Assign each member of your response team a specific role to adopt in the event of an attack. A good response team consists of security analysts, threat researchers, a team leader, and the IT director. A solid response team must be able to detect, eliminate and recover from attacks within a given time frame. They should conduct drills and practice their roles often to minimize response time. For a small business, a dedicated response team is often not an option; in that case, using a third-party service or buying an incident response retainer could be a solution.
4. Test your plan before you need it.
Most organizations don’t review and update their incident response plans, and 25% only review after a major incident has happened. An organization should test the IRP by conducting drills, which can involve theoretical paper tests, tabletop exercises, and simulated attacks.
Stakeholders from all parts of the organization should participate in such drills, not only the core information security team, to ensure that all team members communicate effectively. Companies can use security orchestration tools to simulate attacks and run the protocols, giving them a real-time picture of how the incident response plan would work in an actual attack.
5. Get management involved.
You should involve managers from critical departments within the company when creating the incident response plan. The legal department should also be included to address potential legal issues arising from an attack. Other departments, such as public relations, customer support, and business teams, can help assess the impact the response plan has on customers.
6. Have a post-incident plan.
Once the attack has ended, it is important to document what worked and what didn’t, and to use this information to update the plan. A formal post-incident protocol helps you document the incident while the information is still fresh, so you gain more knowledge from it.
Every company should have a detailed, up-to-date response plan. Developing it takes collaboration, the right software solutions, and regular testing. This approach ensures the incident response plan will be ready to use when needed. While building a plan that works smoothly requires resources and effort, ultimately it saves time for IT and security teams and can help prevent the next attack.