Incident response isn’t just about cyberattacks. Your business should be prepared for any catastrophic IT event that would affect your business operations, whether it’s power outages, flooding in the server room, or a cyberattack. If anything, the past several years has shown that you must prepare your business for anything.
What is an Incident Response Plan?
An incident response plan is a document that outlines instructions for a team to follow in the event of some form of network disruption, such as a natural disaster, service outage, or cyberattack. It is designed to stop the threat, contain it, and regain network control. The plan defines what constitutes an incident (defining an incident isn’t straightforward or intuitive), which employees or departments are part of the incident response team, and who is responsible for each task in the outline.
According to the National Institute of Standards and Technology (NIST), an incident response plan consists of four areas: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
- Preparation - The best way to prepare for any incident is to keep the network as secure as possible and away from potential attacks.
However, several tasks can be performed ahead of time, such as have the contact information of the Incident Response team on hand, implement a system for employees and customers to report incidents, designate isolated hardware for forensic purposes, and keep clean Operating System (O/S) images for faster restoration of affected workstations. - Detection/Analysis - Signs of an incident are categorized into precursors and indicators.
A precursor, such as an exploit in software, can be resolved before an incident occurs.
An indicator is a sign that something has already happened, or is currently happening, such as antivirus alerts, the discovery of strange file names and extensions, and an influx of failed login attempts.
Sometimes these indicators are inaccurate, so an experienced team is required to investigate the claims, and sometimes a third party is called in to assist. - Containment, Eradication, and Recovery - The organization should contain the incident as quickly as possible before too much damage is done.
Different strategies should be developed for different incident types. This will help to implement the best means of containment, such as redirecting an attacker's location to a "sandbox" area of the network or removing affected devices.
These action plans are usually based on the type of risk the incident presents, the time and resources necessary to carry out the process, and whether evidence needs to be retained for legal purposes. Once contained, the threat can be more easily eradicated.
Recovery involves restoring the network to pre-incident standards and remediating any vulnerabilities discovered during the process. - Post-Incident Activity - Holding meetings after recovery is complete can help an organization prepare for future incidents. The IR team can analyze what went right and wrong and where changes need to be made. Any lessons learned should be well documented.
Having an IR plan helps to keep an already stressful situation under control and organized. When the plan is followed, threats are handled more efficiently, leading to a faster recovery.
However, these plans need to be practiced ahead of time to discover any pitfalls or shortcomings. Tabletop exercises are a great way to ensure everyone knows what is expected of them. Then, the next time disaster strikes, enacting an incident response plan can prove to be invaluable.
Resources: