How to Put Together an Incident Response Plan

June 6, 2016 by Lore Engineering Team

An incident response plan thrown together with various programs, such as malware and virus scanners, is ineffective. Unfortunately, this is how many businesses create a response plan. An incident response plan must be designed and tested multiple times to ensure efficiency. The effort put forth in the design and testing phase will decrease the chances of breaches and other damages typical of cyber-attacks, such as data loss.

The SANS Institute reports that businesses fall short when it comes to incident response plans. Most response plans are ineffective because few experts are available who know how to create a comprehensive incident response plan. Staff may also have limited visibility into events and insufficient automated tools for implementing the plan.

The following are our suggestions for how to put together an incident response plan:

Step 1: Identify Detection Tools

Tony Cole, the Vice President of cybersecurity company FireEye, believes an effective incident response plan is one that utilizes a set of tools that work together as a program. With that set of tools, the organization identifies its risk tolerance, and develops and tests the incident response plan regularly. Without these tools, many businesses suffer from an inadequate defense against security threats, leaving the business at risk of cyber-attacks.

Up until recently, businesses spent much of their budgets on tools to detect breaches. At the same time, they were not spending enough on building effective incident response plans. This means that whenever there was a breach, the organization did not have a systematic approach to mitigate the risks or prevent future attacks. While this may have been acceptable in the past, it is not going to work in the future, as cyber-attacks become more frequent and damaging. This is why it is essential for businesses to have an incident response plan ready for when threats and attacks are detected.

Step 2: Detail Action Steps for Stopping Threats and Attacks

Any effective incident response plan absolutely must include processes and priorities for approaching the threat and attack. The plan needs to be able to resolve attacks as soon as they are detected by the detection tools mentioned above. Many of these actions may need to be performed manually, but several can be handled readily with remediation tools such as anti-malware and antivirus software. All of this needs to be done with the smallest number of tools possible, which is no easy feat. According to Hewlett Packard Enterprise, most organizations use about 63 technologies for incident response. Most of these technologies are useless, merely adding to cumbersome incident response plans.

A thorough review of all the cyber-attack prevention tools should be conducted to identify unneeded or duplicate processes. The review process can eliminate many tools that make an incident response plan too difficult to follow. Making the incident response plan as detailed as possible and easy to follow increases its effectiveness.

Step 3: Prevent Future Occurrences

Once the threats and attacks are remedied, the next important part of the incident response plan is to have processes in place to prevent future threats and attacks. Some organizations, according to FireEye, are using signature-based tools. These signature-based tools cannot keep up with the increasing number and speed of cyber-attacks directed at businesses. Businesses need to use host forensics, log forensics, and network forensics tools. These tools provide information about attacks. Cybersecurity teams can analyze this information to understand where the vulnerabilities are, so they can fill in the gaps and keep future cyber-attacks from occurring.

This final piece of an incident response plan is an important one because, over time, attacks may slow down as a result of the preventive measures put in place. It is vital not only to choose the right tools, such as the forensics tools, but also to have staff experienced enough to analyze the information well enough to act on it.

A Business Depends on Response and Recovery

The importance of tools to alert, rectify, and prevent cyber-attacks cannot be emphasized enough. Earl Matthew, Vice President for the U.S. Public Sector at Hewlett Packard Enterprise, believes that a business's cyber resilience depends on the response and recovery after a breach has occurred. The response and recovery during cyber-attacks is what makes businesses resilient. However, the issue is that most organizations do not have staff who are experienced in managing cybersecurity. In fact, Hewlett Packard Enterprise reports that up to 60 percent of organizations do not have the support they need to tackle cybersecurity issues. The solution is to bring in outside services to fill the experience gap.

By outsourcing response and recovery, organizations are able to utilize the skills and experience of a team that understands how to quickly mitigate risk and prevent recurring cyber-attacks. These providers can perform comprehensive assessments to identify security vulnerabilities. Services offered by these providers are available 24/7 because cyber-attacks can hit day or night.

Whenever a cyber-attack occurs, the incident response plan is executed. The team investigates, analyzes, and identifies the best course of action, and then proceeds. This remediation involves not only cutting off the attack so it cannot continue to harm the organization's computers, but also ensuring that the attacker will not be able to infiltrate the computers again. With the knowledge of how the attack occurred, the response team is able to make changes to computer networks to ensure similar attacks do not recur.

Implementing an Effective Response Plan

The Ponemon Institute reported in October 2015 that cyber-threats are getting out of control. Government agencies are experiencing breaches approximately every twelve weeks. These breaches are due to hackers becoming much more creative in their attacks. The only way to prevent these hackers is by identifying threats, stopping them from attacking, and then changing the environment to keep similar attacks from happening.

Since the tools to design and test an effective response plan can be difficult to select and navigate, it is important to seek the knowledge, skills, and experience of people who know how to combat hackers effectively. With the right toolset and monitoring, your organization can be safe from the damaging effects of hackers now and into the future, no matter how sophisticated they may become.

For more information on finding the right toolset and monitoring services for an effective incident response plan, contact us here.