Stopping the Next Massive Cyberattack – Step 5: Incident Response Plans

The Do’s and Don’ts of a Strong Incident Response Plan

Check Point’s 2015 Security Report revealed that 81% of organizations said they experienced a data loss incident in the previous year. If there’s one conclusion we can draw from that, it’s that preparing a strong incident response (IR) plan is more critical than ever.

The right IR preparation can be the deciding factor between an extreme breach and a contained incident. Immediate action is crucial in the wake of an attack.  By eliminating uncertainty and debate, your IR plan will help your team act as a swift and a cohesive unit. Your organization can make smarter decisions, reduce damage and associated costs, and speed up your recovery time by creating a thorough plan.

Here are the Do’s and Don’ts of an IR plan that will help you mitigate risk, contain attacks, and quickly return to business as usual.

The Do List

1. Management support is vital to a successful plan. From employees to executives, everyone needs to be on the same page to ensure a plan will be successfully implemented by everyone in the organization.

2. It’s best to map out standard procedures in advance, including a call chain that ensures the right people are contacted in the right order if a crisis arises. Teams won’t have time to debate the right course of action and you don’t want to assume that people will make the right decisions in any situation; they’ll need step-by-step instructions that cover every possible scenario. It’s also important to ensure adequate visibility is available to help investigate incidents. Staff members, tools and logs can provide the necessary information for an investigation to understand what course of action needs to be taken.

3. Include all departments and business functions – not just IT. That includes corporate communications, human resources, legal, and others. By preparing scripts for customer service reps or statements for PR teams, you’ll spare everyone the need to develop messaging in real time.

4. Review agreements and processes with all third parties, from forensics experts to law enforcement, and address any gaps or pending expirations.

5. Conduct a risk assessment that outlines vulnerabilities and expected threats. These lists should be continually refreshed based on changes in the environment.

6. Train the teams so that each person understands his or her responsibilities during an attack, and make sure everyone has access to both the overall plan and departmental guides.

7. Be sure your IR plan covers all critical components, including:

• A data classification framework: This is the most critical element of an IR plan. The theft of confidential employee data could have very different consequences from the loss of intellectual property.

• The type of incidents: Learn more about security incidents that have happened to other organizations. Leverage external threat intelligence and track your own internal intelligence. Ensure this information is available and can be correlated across systems. It’s also valuable to follow the topology used by the National Institute of Standards and Technology (NIST). This service categorizes incidents as unauthorized access, malicious code, denial of service, and inappropriate usage to educate and share information on current security incidents.

• Response objectives: Outline your goals for each data and event type. Maybe your goal is to identify the number of customers affected and the extent of data loss within 4 hours and estimated financial impact of the attack within 8. This will speed up the response time, as your team is already aware of their priorities.

• Operating models: Your plan should spell out escalation paths, team structures, individual roles and protocols. Who decides when to speak to the media? When should core applications be shut down?

• Ensure you have buy-in from people with authority within the organization to operate within the organization with clear boundaries of operation. The company should respect the authorized decision-makers in the event of an incident. Operations will be much smoother when people aren’t competing to call the shots.

8. Test the plan regularly to be sure it stays relevant and effective. Both personnel and technology can change frequently and all departments must be prepared.

The Don’t List

Even teams with the best intentions can make simple IR mistakes. These include:

1. Many teams overlook the importance of updating the plan documentation. There are many moving parts in an effective IR plan, and some of them will quickly become obsolete if the plan isn’t updated regularly. The call chain might list former employees; established procedures might refer to technology that’s no longer in use. Each incident should be a learning opportunity where lessons are evaluated and new controls are considered.

2. Vague instructions are never helpful in the event of an emergency. Any process that relies on assumed knowledge can run into problems, as team members might forget their training or be panicked in the wake of an attack. Each recommended action should be clearly spelled out.

3. Developing disconnected plans is highly impractical. In large organizations, different departments might create their own IR plan or add a unique twist to an established standard. The result is a disjointed plan with gaps and misunderstandings. The plan must be consistent across all business units.

4. Relying on a single person during a highly complicated situation is not going to solve problems quickly. Don’t designate a single mastermind to guide the entire organization through the incident. While this might seem streamlined, it actually creates a single point of failure in a potentially chaotic time. If that person becomes unavailable, the entire plan could be jeopardized.

Incident Response plans might involve some work on the front end, but they will ultimately be your organization’s best friend during an attack. Whether you decide to handle your IR internally or draw on the expertise of outside providers, make a plan now. Be sure to cover all scenarios and test your plan regularly. By preparing in advance, your entire team will feel more confident – and if you are attacked, you’ll understand exactly what to do.

The Check Point Incident Response Team can help craft or review Incident Response plans. The team will also help you mitigate future risks with post-incident reports and security best practices advisement.

This post is part of a series to encourage organizations to implement security solutions to avoid falling victim to cyberattacks. Cybercriminals can strike any organization at any time. We want to help you be protected. To learn about the Five Steps to avoid being the next data breach, read our whitepaper, Stopping the Next Massive Cyberattack.