What is an Incident Response Plan and Why is it Important?

An incident response plan is a document that outlines the procedures, steps, and rules an organization must follow in the event of a virtual threat (such as a data breach) or a physical threat (such as a natural disaster or power outage). Implementing a cyber breach incident response plan helps reduce the impact of the damage a threat causes. NIST (the National Institute of Standards and Technology) describes four key elements of a breach response plan: Preparation (so that the organization can plan ahead and respond to events), Detection and Analysis (assessing the severity of an incident when it occurs), Containment and Eradication (making sure the damage already done does not worsen), and Post-Incident Recovery (all parties involved review the lessons learned to improve security for the future). The main goals of an incident response plan are to minimize the damage done, identify the stakeholders in the situation, shorten recovery time, and improve the company's overall security posture. A further benefit of a cyber incident response plan is that the planning process itself helps identify and protect against potential vulnerabilities.

Team

Apart from the plan itself, the people who create and run the incident response plan are crucial to its success. The team typically includes the following roles:

Team Leader/Executive Sponsor – Responsible for budgeting the plan and handling communication with the rest of the executive team

Incident Manager – The person in charge during the breach

Lead Investigator – The analyst or responder who leads the technical handling of the incident

Communications/Public Relations – Maintains PR and internal and external communications

Legal – A legal representative who approves messaging and advises on the laws that apply to the incident

Human Resources Representative – Handles employee-related issues

SOAR

Once the IR process is defined, the technology needed to automate remediation (containment, eradication, and recovery) should be considered. SOAR stands for Security Orchestration, Automation and Response. SOAR software collects data from all of the organization's security products and threat sources so that it can respond to events with minimal human assistance. This allows an organization to focus its security efforts in three primary areas: threat and vulnerability management, security operations management, and incident response.

Common Mistakes

It’s important to specify the method of communication in advance, so that the team communicates through one primary platform rather than several, which tends to cause confusion. This also matters during a DDoS (Distributed Denial of Service) attack, in which a server is flooded with traffic that overwhelms the network, because the usual communication channels may themselves be unavailable. It’s also important to make sure that communications are prewritten and approved ahead of an attack. Finally, the team should go through tabletop exercises to make sure everyone knows what needs to be done.

Tabletop Exercises

Tabletop exercises are activities or simulations intended to give an organization’s members realistic practice so that they perform well during an actual threat. There are two main forms of tabletop exercise: operational and discussion-based. The main benefits of tabletop exercises are that they create consistency within the team, expose faults in the procedure, and help identify resources that could be used in the event of a threat or attack. Common cyber incident response scenarios for tabletop exercises include unauthorized access, device or network compromise, and data breaches.

Tabletop exercises are meant to mimic a real scenario, so when conducting one with the team it’s important to develop the practice scenario thoroughly. It is also advisable to have a timekeeper. Unexpected situations that arise during the exercise should be noted and discussed afterwards to work out the best response to them. Ideally, these exercises last 1-4 hours and tend to be low cost and low stakes.

How Does an Incident Response Plan Benefit a Company?

One of the biggest benefits of an IR plan is that it reduces the time spent in limited production or technical halts (downtime), because it spells out what the company expects its employees to do in almost any scenario. Another key benefit lies more on the PR side: an IR plan is crucial to maintaining public trust. When a company is able to recover from an attack, it demonstrates that it takes protecting data seriously. The third benefit is that an IR plan helps keep the company compliant, which reduces the risk of an unforeseen lawsuit from unhappy clients. It also lets the company be as prepared as possible when threats do strike, since the best course of action has already been decided and employees have already trained for it through tabletop exercises. Finally, an incident response plan helps minimize the damage done by an attack; without a proper cyber breach incident response plan in place, financial, legal, and operational damage can worsen over time.
