In my 2 year stint at Deloitte, I’ve often come across huge organizations looking to chalk out an Incident Response Plan for them.
To a layman or to even a businessman, Incident Response Plan (IRP) is an alien term.
A google search on the term will read the definition for you as “an organized approach to addressing and managing a security breach or cyberattack, also known as an IT incident, computer incident, or security incident.”
Doesn’t make it any easier to understand, right?
If I were to define it in one line,” the Incident Response Plan is a set of instructions that will outline an organization’s response to security breaches, or cyber-attack of any kind”. This could be a todo list of one page or even a 50-page document based on the organization’s expanse and scale.
Now that we’re clear on what IRP essentially means, let’s dive deeper into the technical tit-bits of it. Don’t worry, I will try to keep it as ‘non-technical and lightweight’ as possible.
The bigger question arrives “How do you create within an organization a culture where security is everyone’s business?”
The next important step would be to develop an Incident Response Plan or IRP as it is popularly known.
The 7 commandments of Incident Response Plan:
- Overview– introduces the plan; details high-level goals
- Outline of roles and responsibilities- Lists and discusses the duties and expectations of each of the team members.
- Detailed list of incidents requiring action-Outlines the specific threats, exploits and situations that require formal incident response actions.
- Detection, investigation and containment procedures-this includes directives on tasks such as analyzing the situations, getting outside parties involved,gathering evidence and reporting on findings.
- Eradication steps-Provides the general steps for cleaning up the incident and may include network traffic and system log analysis.
- The recovery phase-Adjusting firewall rules and related network configurations.
- Follow-up tasks- Discusses additional reports, enhanced documentation, and lessons learned.
Without the right people in place, any attempted incident response efforts will likely be ineffective. Here the incident response team acts as a savior and maintains day-to-day administration of technical controls.
The Incident Response Team aka Cyber Military of your organization consists of:
- An incident response manager, usually the director of IT, who oversees and prioritizes actions during the detection, analysis and containment of an incident
- Security analysts who support the manager and work directly with the affected network to research the time, location and details of an incident
- Threat researchers that provide threat intelligence and context for an incident.
- Technical team: IT and security team members.
- Executive sponsor: A senior executive charged with overseeing information security.
- Incident response coordinator: The person responsible for ongoing management of the team and incidents.
- Media relations coordinator: Your PR representative in charge of interfacing with the news media and related outlets once a breach occurs.
- Forensic analyst: A forensics expert internal to the company or an outside adviser.
- Outside consultant: A third-party information security or incident response expert.
- Legal counsel: Your corporate attorney or outside law firm that .would represent your organization as needed for incidents and breach.
“How do I know if my IR team is doing a good or a bad job?” asked a client of mine recently at Trixter.
Specific metrics used to measure the effectiveness of incident response initiatives might include:
- Number of incidents detected
- Number of incidents missed
- Number of incidents requiring action
- Number of repeat incidents
- The remediation timeframe
- Number of incidents that led to breaches
Now let’s dive into the methodologies that can be used to assist with incident response
- OODA loop – The OODA loop is a methodology that encourages a business to observe, orient, decide, and act when an incident occurs.
2. Even further, there are IR tools that can provide forensics details such as:
i) source location ii) incident technical information and event replays iii) net flow and traffic analysis iv) vulnerability management v) security incident and event management vi) Endpoint direction and response firewall vii) intrusion prevention and denial-of-service mitigation and viii) forensic analysis.
In essence, incident response tools provide organizations with both visibility and control.
“Please don’t make the mistake of believing these tools can comprise your entire IR Plan.”
While tools and automation may play a large role, they should still only be one component of the overall incident response requirements.
Let me conclude by saying unless and until critical aspects of security are mastered, including incident response, it’s a matter of time before the going gets rough, the questioning begins and intrusive investigations ensue. It’s unreasonable to expect a perfect security program.
“Still, it’s better to get started on improving your incident response efforts now before you’re forced to”.
Follow Trixter on Linkedin for regular updates and tips related to #Cybersecurity.