Incident Response: 5 Tips to Ensure Your Plan is Ready

There is a common refrain among security industry veterans that it is not a matter of if, but when, a breach or other security incident occurs. Protection and prevention are only one slice of the pie when it comes to a holistic security program. Incident response, being ready to react and recover from an incident, is also critical to your program.

But according to researchers from Ponemon Institute, 77 percent of organizations admit they do not have a formal incident response (IR) plan in place. Nearly half of those polled noted their plan is informal, ad hoc or not even a consideration.

An IR plan that can be relied in time of need must be formally documented, tested thoroughly and updated regularly. Here are five tips for creating a comprehensive IR plan you can turn to when the time comes.

Have a Plan

As basic as it sounds, as the Ponemon numbers indicate, many organizations still do not even have a written plan. If you don’t have a documented plan, creating one is your first step. What should it contain?

“Design a flexible plan that describes common scenarios (e.g., email phishing) and prescribes a set of high-level actions for response,” said Matt Wilson, chief information security advisor at BTB Security. “Too much detail in your plan removes the ability for the responders to deal with the specific scenario. A strong plan defines an incident, assigns responsibility for incident response, and then describes the key response stakeholders and escalations for incident severity. Refine your plan to strike the proper balance of detail through your regular tests.”

Involve Management Throughout the Process

Get key stakeholders around the organization involved at the outset of writing your plan, that includes C-level management and the legal department. Security is everyone’s business today, and management needs a direct line of visibility into IR planning.

“Senior leadership in many organizations have taken a keen interest in information security, and they expect proactive updates from those with direct InfoSec responsibilities,” said Wilson. “Uncomfortable conversations regarding testing results now are far better than leaving weak practices in place. Formally, and regularly, notify leadership of your findings and needs to allow them to make business decisions regarding potential changes.”

Test It Regularly

Your IR plan is really just a document if it hasn’t been put to the test. The kind of drills you conduct and the regularity of the testing will be highly individual and depends on your organization’s needs. At the very least, it should be tested annually. Others suggest more frequently.

“At least twice a year, your security team should be running a simulated breach or attack, in which they can enact the incident response plan for that scenario,” said Chris Payne, managing director with Advanced Cyber Solutions. “Everyone in the team should be aware of their role and responsibilities during an incident response scenario and the escalation channels available to them. Red Team–Blue Team activities are great, whereby your IT team is split into attack and defensive groups pitted against each other, as it highlights strengths in the groups which can be applied to an incident response scenario.

Testing can uncover weak spots, and give some indication about the potential downtime you are facing, as well as other recovery challenges if data sets become unavailable for any period of time. Involving everyone also has awareness benefits.

“If the drill is realistic and well-plotted by company officials, employees will have to act and respond in real-time to the cyber incident. Not only is this a great technical exercise, it will greatly increase awareness and help develop a serious cybersecurity culture in your organization,” said Linda Hamilton, OFAC compliance officer with Proven Data.

Try Different Testing Approaches

Testing regularly is great, but Wilson suggests organizations mix it up each time.

“While many organizations conduct some form of Red Team exercises or penetration testing as part of their Incident Response Plan ‘stress test,’ it’s often the same testing approach every year,” he said. “Do something different in 2019. Have you let the Red Teamers actually exploit vulnerabilities they find, or merely discover and report on them? What about your wireless networks, mobile devices, web applications, and non-HQ facilities? How about a social engineering exercise to demonstrate the importance of your people in securing your organization, not just the processes and technologies.”

Update It Often

What did you learn in testing? Have you experienced an incident that opened your eyes to vulnerabilities in your plan? Whatever the lessons and challenges uncovered, your IR plan document needs to reflect that.

“I recently had a conversation with a former colleague who got hit with a ransomware attack that locked up all the company data,” said Mike Ahmadi, global vice president of IoT security at DigiCert. “They had never tested their backups for recovery, and discovered they have no way to restore the system. What is really sad about this is this happened to them a year ago and they still failed to test their recovery plan adequately.”

Your IR plan needs to be a living document that changes with the times and is modified after both testing or actual incidents.

“All too often we find the same weaknesses year over year within an organization,” said Wilson. “Why develop the plans, conduct the testing, only to ignore the recommendations? Be sure your remediation plans address the root cause of the issue, not just the symptoms.

“For example, if you only update/patch the specific vulnerabilities on systems, but ignore that they are the outcome of a poor patch management process, you’re destined to have more easily exploitable vulnerabilities in the future,” he said.

Joan Goodchild

Avatar photo

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

joan-goodchild has 38 posts and counting.See all posts by joan-goodchild