Maksim Kabakou - Fotolia
Breached? Don't panic… if you created a robust IR plan
What goes into a good incident response plan, and what steps should security professionals take to ensure they are appropriately prepared for the almost inevitable attack, and secure buy-in from organisational leadership?
Cyber security incidents are on the rise, and organisations must ensure they have robust incident response plans in place should the worst happen. From threat assessment to rapid recovery strategies, what steps should security professionals take to protect organisations against unexpected disruptions?
As they say in The Hitchhiker’s Guide to the Galaxy: don’t panic! If an incident occurs, it’s important to be clear about your expectations across the business because responding to a security incident is a team sport. A key aspect of this coordination involves communicating actions calmly and concisely; this will help to avoid any knee-jerk reactions, which could escalate an already stressful situation.
From the outset, sticking to a clearly defined incident response process is vital – regardless of the perceived severity of an incident. Part of this means being able to quickly identify if an incident has taken place and then to know which steps are required to mitigate any impacts. That said, it’s also important to be flexible when dealing with a cyber incident because you never know how the situation will evolve.
Hope for the best; plan for the worst
Practicing your response in the event of a cyber incident is a valuable exercise. It’s sensible to prepare for the worst-case scenario – just in case – and work backwards from there. Having a clear idea of what a good resolution looks like is critical, especially when you're communicating with multiple teams quickly.
Every cyber incident is different and there should be a response that accounts for all different types of threat. For example, ransomware requires considerably more forward planning to help mitigate risk – like having the foresight to ensure you keep plenty of regular backups.
With distributed denial-of-service (DDoS) attacks, you need to consider the longevity and impact. DDoS is often quite transient; it might disrupt your site momentarily and then everything will return to normal. Having said that, it’s important to note that a DDoS attack could also be a precursor to ransomware.
Review existing security capabilities – and identify any gaps
To protect your organisation, consider how critical each one of your systems and services is – and the impact if it were to be affected during a cyber attack.
You should also consider three key principles: confidentiality, integrity, and availability. This will enable your organisation to identify one, two or three focuses for its security controls. Once you’ve decided on the controls you need to put in place, you can incorporate the right incident management wrappers around them.
Embrace failure (and learn from it)
Whether we like it or not, failures, large or small, are inevitable. In the context of cyber security, many organisations miss the opportunity to learn from past mistakes.
Maintaining accurate reporting is an effective way to monitor security threats and prevent similar incidents occurring in future. Understanding how your organisation’s systems operate and how they interact with one another is crucial.
Ensuring day-to-day processes, like keeping regular backups, and incident management specific procedures are regularly updated to align with the dynamic security landscape, organisations can bolster their security posture and mitigate harm.
The Computer Weekly Security Think Tank on incident response
- Mike Gillespie, Advent IM: Incident response planning is vulnerable to legacy thinking.
- Sam Lascelles, PA Consulting: Use existing structures to build your incident response plan.
- Jack Chapman, Egress: Incident response planning requires constant testing.
- Becky Gelder, Turnkey Consulting: Incident response plans: The difference between disaster and recovery.
- Chris McGowan, ISACA: Enhancing security: The crucial role of incident response plans.
- Theodore Wiggins, Airbus Protect: The plan for the inevitable cyber attack: Get the gist of NIST.
- Elliott Wilkes: ACDS: The best IR plans are well-revised and deeply familiar.
