Cyber Security Training & Software for Companies | MetaCompliance
How to Write an Incident Response Plan


Knowing how to write an incident response plan builds on the capabilities of people. If staff are fully aware and trained to report and manage an incident, that event will be handled efficiently.


Experiencing an information security incident is not something anyone wants to go through, but unfortunately dealing with a security incident is a case of when, not if. Organisations that suffer a cyber security incident are certainly not alone. According to the World Economic Forum (WEF), cyber security is one of the most urgent risks to the global economy. The report, however, highlights that through multilateral efforts the impact of a cyber-attack can be mitigated:

“Collaborative incident response and information-sharing efforts attempt to centralize cyber security capabilities to reduce the impact of cyberattacks.”

An Incident Response Plan is one such effort. Here is an overview of why you need one and what is involved in creating an Incident Response Plan.

Why Do We Need an Incident Response Plan?

The UK Government’s “Cyber Security Breaches Survey 2021” found that 27% of UK businesses have experienced a data breach and are attacked at least once a week, with 39% losing money and/or assets. Managing this onslaught of cyber threats needs the sharp focus of an Incident Response Plan. The plan provides a template for responding effectively when a security incident occurs, such as malware, ransomware or unauthorised access.

Data breaches are rarely detected immediately: the IBM “Cost of a Data Breach 2020” report points out that in 2019 it took, on average, 207 days to identify a data breach and a further 73 days to contain it, an average breach “lifecycle” of 280 days, all of it time in which the breach affects the operations of the company.

Having an Incident Response Plan can help to minimise the time taken to contain a data breach and to deal with the aftermath quickly and efficiently. Time is of the essence for breach notification too: a variety of regulations, including DPA2018 and GDPR, expect notice within 72 hours of a breach occurring. An Incident Response Plan tells those in security and compliance roles how to respond to the incident and supplies the details needed to make a breach notification.

What is Included in an Incident Response Plan?

Creating an Incident Response Plan means taking a logical approach to how to prepare for, detect, respond to, and recover from an incident. Having a clear and unambiguous view of what to do when the worst-case scenario happens can be the difference between a disastrous aftermath and a smooth road forward.

The playbook of an Incident Response Plan should cover:

Prepare

As all good DIYers know, preparation is the most important part of a job. The same is true when creating an Incident Response Plan. Preparation for the plan begins with people.

Roles and responsibilities: Who is responsible for which action when an incident happens? Identify an incident response team for incident handling. This should also map back to the relevant clauses of the security policies your company has in place. Training staff is a vital part of preparedness and of delivering the Incident Response Plan.

Resource inventory: Create a list of assets across all departments.

Risk assessment: Identify risk areas along with the location and classification of assets. Determine the risk level of each from the likelihood of an attack against the severity of an incident, and map this to your ability to handle an attack against these assets.

Incident types: What types of incident are likely, and what constitutes an incident? If an incident occurs, who is responsible for starting the incident management process? Organisations should also outline the escalation criteria for different types of incident.

Regulation mapping: Document which regulations are relevant and what requirements need to be met when an incident occurs. Create guidelines for interaction with external authorities post-incident.

Incident log: Include a log to manage the incident response process. This may also be useful for regulatory compliance requirements.

Detect

This second stage of the incident response planning process is about monitoring, detecting, and alerting when an incident occurs.

Detection strategy: What tools and measures are used to detect an incident? This must cover known, unknown, and suspected threats. For example, do you deploy network scanning tools, Endpoint Detection and Response (EDR), etc.?

Alerts: What systems are used to alert to a possible breach?

Breach assessment: How will your organisation locate zero-day vulnerabilities or Advanced Persistent Threats (APTs)? A “Compromise Assessment” can be used to locate unknown security breaches and unauthorised account access.
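The escalation criteria defined in the Prepare stage and the alerting described in this Detect stage can be expressed as a small triage routine. The following is an added example written for this article, not MetaCompliance's own code or product logic: it parses constructed, syslog-style SSH authentication lines (the line format, the five-failures-in-five-minutes threshold and the escalation table are all assumptions), correlates failed and successful logins per user and source address, and decides what to escalate to the incident response team and what merely to monitor.

```python
"""Alert triage over constructed authentication log lines.

Added example, not MetaCompliance's code. The log format, thresholds and
escalation criteria are assumptions; a real plan documents its own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed syslog-like format; addresses are
# documentation ranges, users are made up).
SAMPLE_LOG = """\
2024-03-04T09:00:01Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:03Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:05Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:06Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:08Z auth sshd: Failed password for alice from 203.0.113.7
2024-03-04T09:00:11Z auth sshd: Accepted password for alice from 203.0.113.7
2024-03-04T09:30:00Z auth sshd: Failed password for bob from 198.51.100.2
2024-03-04T09:30:20Z auth sshd: Accepted password for bob from 198.51.100.2
"""

LINE_RE = re.compile(
    r"^(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)$"
)

FAILURE_THRESHOLD = 5           # assumed escalation criterion
WINDOW = timedelta(minutes=5)   # assumed correlation window

# Assumed escalation criteria per incident type; the Prepare stage of the
# plan is where the real ones are agreed and written down.
ESCALATION = {
    "possible unauthorised access": ("high", "incident response team"),
    "suspicious activity": ("low", "monitor"),
}


def parse(lines: str) -> list[tuple[datetime, str, str, str]]:
    """Turn raw lines into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than crash on noisy input
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), outcome, user, src))
    return events


def triage(lines: str) -> dict[tuple[str, str], dict]:
    """Correlate failures with a later success per (user, source).

    A success preceded by FAILURE_THRESHOLD or more failures inside WINDOW is
    treated as possible unauthorised access; a success after fewer failures is
    flagged for monitoring; a clean login produces no finding at all.
    """
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    findings: dict[tuple[str, str], dict] = {}
    for ts, outcome, user, src in parse(lines):
        key = (user, src)
        if outcome == "Failed":
            failures[key].append(ts)
            # keep only failures still inside the correlation window
            failures[key] = [t for t in failures[key] if ts - t <= WINDOW]
            continue
        recent = [t for t in failures[key] if ts - t <= WINDOW]
        if len(recent) >= FAILURE_THRESHOLD:
            kind = "possible unauthorised access"
        elif recent:
            kind = "suspicious activity"
        else:
            continue  # routine login, not an alert
        severity, route = ESCALATION[kind]
        findings[key] = {"type": kind, "severity": severity,
                         "route": route, "failures": len(recent)}
        failures[key].clear()  # the run has been accounted for
    return findings


if __name__ == "__main__":
    for (user, src), finding in triage(SAMPLE_LOG).items():
        print(f"{user}@{src}: {finding}")
```

The point of the window and threshold is to separate a single mistyped password from a pattern that needs a human: the plan's escalation criteria decide the numbers, and the triage logic simply applies them consistently.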

Respond

How an organisation responds to a breach is the key to making sure data exposure is minimised and damage limited. Incident response covers several areas, such as alert triage, which is important to avoid responding to false alarms. The main aspect of the response part of the incident response process is to contain and remove the threat. The Incident Response Plan needs to cover the following areas:

Breach assessment: How to quantify the extent of the threat and establish whether the threat is real. This includes how to triage alerts.

Containment exercises: Once a threat is identified, how will it be contained? This can include isolation of systems to protect against further infection/data leaks.

Assessment of breach metrics: What is the classification of the breached data? Was the data sensitive? Did the breach impact regulatory requirements?

Deal with any infection/vulnerability: What is the general process for removing infected files and dealing with the aftermath of an infection?

Preserve breach artefacts: How to produce a log of the incident and any forensic evidence. Include the who, what, why, and where of the event.

Prepare for breach notification: If necessary, how to prepare for any breach notification required. This should include public notices and may provide templates.

Liaise with legal and compliance (and possibly law enforcement): Details of who is responsible for dealing with legal and compliance and how this is handled.
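The incident log from the Prepare stage, the breach artefacts step above, and the identify/contain “lifecycle” and 72-hour notification figures cited earlier in the article can be brought together in one incident record. The following is an added example, not MetaCompliance's code or a format the plan prescribes: it keeps an append-only, SHA-256 hash-chained log of who did what, where, when and why, so that a later edit to the record is detectable, and computes the lifecycle metrics and the notification deadline. The field names, the hash-chain design and every date, name and host name in the sample incident are assumptions; the example starts the 72-hour clock at the point the breach was identified, since that is the moment the organisation can actually record.

```python
"""Tamper-evident incident log with lifecycle and notification metrics.

Added example, not MetaCompliance's code. Field names, the SHA-256 hash
chain and the sample timestamps are assumptions chosen to illustrate the
article's incident log, artefact preservation and 72-hour notification window.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOTIFICATION_WINDOW = timedelta(hours=72)  # notification window cited in the article
GENESIS = "0" * 64                         # prev_hash of the first entry


def _digest(when: datetime, who: str, what: str, where: str, why: str, prev: str) -> str:
    """Hash the entry fields plus the previous hash, so edits and deletions are detectable."""
    body = json.dumps({"when": when.isoformat(), "who": who, "what": what,
                       "where": where, "why": why, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


@dataclass
class LogEntry:
    """One entry: the who, what, where, when and why of an action during the incident."""
    when: datetime
    who: str
    what: str
    where: str
    why: str
    prev_hash: str
    entry_hash: str = field(init=False)

    def __post_init__(self) -> None:
        self.entry_hash = _digest(self.when, self.who, self.what, self.where, self.why, self.prev_hash)


@dataclass
class IncidentRecord:
    incident_id: str
    breach_started: datetime                 # earliest attacker activity, established by forensics
    entries: list[LogEntry] = field(default_factory=list)
    identified_at: datetime | None = None    # when the organisation became aware
    contained_at: datetime | None = None

    def log(self, when: datetime, who: str, what: str, where: str, why: str) -> LogEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LogEntry(when, who, what, where, why, prev)
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Recompute every hash; a modified, inserted or removed entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            expected = _digest(e.when, e.who, e.what, e.where, e.why, e.prev_hash)
            if e.prev_hash != prev or expected != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def notification_deadline(self) -> datetime | None:
        """Assumed design choice: count the window from the moment of identification."""
        return None if self.identified_at is None else self.identified_at + NOTIFICATION_WINDOW

    def lifecycle_days(self) -> dict[str, float] | None:
        """Time to identify, time to contain and their sum in days (the report's 'lifecycle')."""
        if self.identified_at is None or self.contained_at is None:
            return None
        identify = (self.identified_at - self.breach_started) / timedelta(days=1)
        contain = (self.contained_at - self.identified_at) / timedelta(days=1)
        return {"identify": identify, "contain": contain, "lifecycle": identify + contain}


def build_sample_incident() -> IncidentRecord:
    """Constructed sample incident; every date, role and host name is made up."""
    utc = timezone.utc
    rec = IncidentRecord("INC-EXAMPLE-001", breach_started=datetime(2024, 1, 1, tzinfo=utc))
    rec.identified_at = datetime(2024, 1, 11, tzinfo=utc)
    rec.log(rec.identified_at, "SOC analyst", "EDR alert triaged as true positive",
            "file server FS01", "ransom note observed on share")
    rec.log(datetime(2024, 1, 11, 1, tzinfo=utc), "IR lead", "host isolated from network",
            "file server FS01", "prevent further spread")
    rec.contained_at = datetime(2024, 1, 15, tzinfo=utc)
    rec.log(rec.contained_at, "IR lead", "containment confirmed", "all in-scope hosts",
            "no further malicious activity for 48h")
    return rec


def tamper_detected() -> bool:
    """Editing an entry after the fact is caught by verify_chain()."""
    rec = build_sample_incident()
    rec.entries[1].what = "host left online"  # simulated after-the-fact edit
    return not rec.verify_chain()


if __name__ == "__main__":
    incident = build_sample_incident()
    print("chain intact:", incident.verify_chain())
    print("lifecycle (days):", incident.lifecycle_days())
    print("notify by:", incident.notification_deadline())
    print("tamper detected:", tamper_detected())
```

The hash chain is what makes the log usable as evidence in the artefact-preservation step: anyone checking the record later can recompute it and prove that no entry was altered or dropped, and the same record yields the identify/contain figures and the notification deadline that the compliance team needs.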

Recover

Recovery is the last part of the incident response process. The Incident Response Plan should show how the company moves on from an incident, what lessons were learned, and what type of recovery exercises should be carried out:

Post-incident exercises: How to close off the gaps discovered during the incident response.

Remove the risk: Removing the risk and restoring the systems to a pre-incident state.

Report: Guidance on creating an incident response report to help prevent future incidents, along with guidelines on continued forensic data gathering and monitoring to ensure ongoing security.

Frameworks and Standards when writing an Incident Response Plan

When writing an Incident Response Plan, it can be helpful to have some guidance from recognised authorities.

ISO 27001 – Annex A.16: an annex to the ISO 27001 international standard that gives useful advice on establishing a protocol for managing the lifecycle of a security incident.

NIST Incident Response Process: NIST (National Institute of Standards and Technology) is a U.S. government agency. NIST’s Incident Response Process details the four steps mentioned in this article.

Implementing An Incident Response Plan

Efficient handling of even devastating events will mitigate the present and future impact of an incident. Staff training, however, is a perennial challenge and is specific to each organisation’s Incident Response Plan. Every incident approach will be different; each organisation has its own set of threats and internal organisational structures.

Personalised training content can be used to reflect each organisation’s uniqueness and its approach to incident management. By creating a personalised Incident Response Plan that reflects your unique organisational structure, you can ensure that you mitigate the various threats that a modern enterprise encounters.
