What is an incident response plan?
An Incident response plan is systemic, documented, communicated and ideally rehearsed approach to prepare for, detect, contain and recover from suspected Information or Cyber security breaches
So from Ward Solution experience in a wide variety of sectors these are our top 5 tips to putting in place an effective incident response plan:
1. Cyber Incident Response is a whole of business issue – A cyber event usually impacts significant parts of or whole of business. Organisations that relegate cyber incidents to being a technical issue to be dealt with by IT or the CISO risk a rude awakening and a very ineffective and costly impact to the organisation. Business needs to treat cyber risk and cyber incidents as a potentially critical whole of business risk and devote the necessary focus, resources and time to risk assessing, mitigation planning and incident planning and rehearsing. The IR team needs a reflective set of business and technical resources empowered to make decisions and take the necessary actions to manage the incident. When an incident occurs the business needs to react in a coherent, orderly, structured uninhibited way that can only occur when the entire business is highly familiar with their roles, responsibilities, processes, obligations and tools that comes from a well thought out, documented and rehearsed incident response plan.
2. A pint of sweat is worth a gallon of blood. This is a maxim attributed to General George S. Patton, one of the most effective Word Ward II Generals. Putting in place proactive incident response plans and rehearsing them across the business via table top exercises, red or purple teaming exercises seems like unnecessary sweat and toil from the calm collected vantage point of business as usual environments. Trying to invent and operate incident response roles, processes and playbooks in the middle of a real life critical incident is a sure-fire way to cost the organisation a lot of money, customers and often threatens businesses viability or survival. Putting these planning and rehearsal activities on the long finger or short changing them usually means that an incident creeps up on an organisation before they are ready or when they are complacent that they have the processes in place when they actually lack the robustness that is required.
3. Make sure the incident response plan is systemic . Ensure that you use a recognised, best practice incident response lifecycle of the following typical stages:
- Preparation – prepare the plan in advance, identifying roles, responsibilities, processes, procedures, escalation matrices, resources including service providers and partners
- Prevention – put in place preventative measures to either prevent an incident occurring in the first place or minimise the impact of an incident once it occurs
- Detection – put in place measure to detect as early as possible indicators of an incident or the actual incident occurring – in order to minimise recovery time and shorten exposure time of the organisation to the incident
- Analysis – put in place the tools, resources, services to analyse incidents and offences to determine if real or simply false positives. Once an incident occurs have the tools and capabilities to determine what has/is happening so that you can respond appropriately.
- Containment – ensure you have the data, tools, resources and skills to contain the incident, preventing it spreading, escalating, inflicting further damage
- Eradication – again ensure you have the data, tools, resources and skills to eradicate the incident. Eradication timelines range from instantaneous to weeks, depending on the nature, scale and complexity of the incident
- Recovery – recover your services, data to normal or as near normal as possible operation
- After action review – review the origin, nature and impact of the incident. Review controls and mitigation to prevent or minimise these incidents reoccurring or the impact reoccurring. Also review how your incident response processes and protocols performed during the incident, using the opportunity continuously improve.
4. Put in place the proper resources, tools and partnerships – you need a rich set of tools and capabilities to be able to respond to and manage the wide range of incidents that may occur whether accidental or deliberate. Most organisations cannot afford the costs or focus to put in place, own and manage all of the specialised skills required. Selective outsourcing and partnership of capability, services, resourcing etc makes sense provided these outsourced or partnered resources or service match the responsiveness that may be required and are backed by service levels etc.
5. Incident response doesn’t end when the incident ends – a lot of focus on incident response is the restoration of normal service as soon as possible. A lot of organisations want to breathe a sigh of relief, sweep up the incident detritus and move on with business as usual. However a structured after action review of the origin, nature, artefacts and outcome of the incident offer an organisation the opportunity to continuously improve their risk register, threat intelligence and their incident handling and response processes.