Introduction
Imagine for a second that you live in a neighborhood where increasingly houses get broken into by brazen criminals to steal and break valuable items, kidnap people for ransom, and, in some cases, burn houses to the ground! If those houses belonged to your closest neighbors, would you wait until those criminals break into your home before you do something, or would you proactively do all you can to deter similar acts on your house, including reinforcement of all doors, transfer of some valuable to bank safes, home security cameras, cooperation with relevant authorities, insurance for worst-case scenario, or even moving altogether?
The above illustration may seem like an exaggerated physical threat. However, this is the stark reality in the cyber realm, with tangible real-world consequences such as ransoms, destruction of data—including intellectual property—and extortion. Cybercriminals’ actions have a significant financial impact, often costing organizations millions of dollars, with the damage becoming increasingly severe. For example, the global average cost for a data breach in 2024 was around 4.88 M USD, an increase of 10% year over year {IBM Breach Report 2024}.
Although some cyber incidents may be unavoidable (e.g. zero-day attacks), others are predictable and could be avoided or significantly reduced with proper measures. These measures can be referred to as Incident Response (IR) Readiness.
IR Readiness is a set of periodic processes, procedures, and technologies that help an organization’s personnel proactively and systematically think about likely security incidents, prepare to detect and respond to them at their initial stage, and minimize any damage and cost for confirmed incidents. A good IR readiness prepares the organization to respond to incidents while at the same time increasing its security profile and maturity.
IR Readiness Journey
Cyber threats and incidents are here to stay, and criminals are ever evolving with complex tactics and techniques, so every organization must prepare to respond to those threats. This preparation can be accomplished through an IR Readiness Journey. Although steps can differ depending on each organization’s level of maturity, the section below gives a blueprint for that journey.
The overview of the IR Readiness Journey in the rest of this article is a guideline from the Check Point Incident Response Team (CPIRT), informed by its extensive experience not only in responding to active incidents but also in assisting organizations to prepare to respond, as well as by other best practices recognized by the cyber security industry and by expert-led organizations such as the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA).
CPIRT recommends that these IR Readiness steps be completed sequentially and revisited periodically to account for changes in the organization, in the cyber threat landscape, and in cyber defense knowledge and practices.
Figure 1 – Incident Response Readiness Journey
1- Asset Tracking/Management:
Simply put, you can’t protect what you don’t know you own—a fundamental truth recognized by most cyber security professionals. However, many organizations remain unaware of their critical assets, keep supposedly inactive assets that still have access to their environments, and expose internal resources to public access. This is further complicated by company policies, such as poorly executed Bring Your Own Device (BYOD) policies, that grant outside devices access to company resources without accounting for them.
Asset tracking can be implemented using both free and paid systems, supported by internal policies, proper training, and company-wide commitment.
For any organization looking to identify where to start or to evaluate gaps in its current asset management practices, resources like the National Institute of Standards and Technology SP 1800-5 guideline provide an excellent starting point.
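The three gaps named above (assets nobody knows about, "inactive" assets that still have access, and managed assets with no protection agent) are all found the same way: by comparing the inventory with what is actually seen on the network. The following script is an added example, not Check Point's or NIST's tooling; the inventory, the sighting sources (VPN logins, DHCP leases, EDR agent check-ins) and all host names are constructed placeholders.

```python
"""Reconcile an asset inventory against recent sightings from the network.

Added example with constructed data. Sources such as "vpn", "dhcp" and "edr"
are hypothetical feed names; a real deployment would read them from the
VPN concentrator, DHCP server and EDR console respectively.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    host_id: str
    owner: str
    criticality: str   # "critical", "high", "medium" or "low"
    status: str        # "active" or "decommissioned"


@dataclass
class Sighting:
    host_id: str
    source: str        # which feed observed the host: "vpn", "dhcp", "edr"
    seen_at: datetime


# Constructed inventory: what the organization believes it owns.
INVENTORY = [
    Asset("fin-db-01", "finance", "critical", "active"),
    Asset("hr-fs-02", "hr", "high", "active"),
    Asset("old-vpn-gw", "it", "medium", "decommissioned"),
    Asset("dev-jump-03", "engineering", "high", "active"),
    Asset("legacy-printer-09", "facilities", "low", "active"),
]

# Constructed sightings; NOW is fixed so the example is reproducible.
NOW = datetime(2024, 9, 1, 12, 0)
SIGHTINGS = [
    Sighting("fin-db-01", "edr", NOW - timedelta(hours=1)),
    Sighting("hr-fs-02", "edr", NOW - timedelta(hours=2)),
    Sighting("old-vpn-gw", "vpn", NOW - timedelta(hours=3)),          # retired, yet still logging in
    Sighting("laptop-unknown-7", "vpn", NOW - timedelta(minutes=20)),  # never inventoried (BYOD?)
    Sighting("dev-jump-03", "dhcp", NOW - timedelta(days=2)),          # on the network, no EDR agent
]


def reconcile(inventory, sightings, now, stale_after=timedelta(days=30)):
    """Return the discrepancies an asset owner should review.

    unknown   - seen on the network but absent from the inventory
    zombie    - marked decommissioned but still seen with access
    uncovered - active asset with no EDR agent check-in in the window
    silent    - active asset not seen by any source within `stale_after`
    """
    by_id = {a.host_id: a for a in inventory}
    seen = {}
    for s in sightings:
        if s.seen_at >= now - stale_after:
            seen.setdefault(s.host_id, []).append(s)

    findings = {"unknown": [], "zombie": [], "uncovered": [], "silent": []}
    for host_id in seen:
        asset = by_id.get(host_id)
        if asset is None:
            findings["unknown"].append(host_id)
        elif asset.status == "decommissioned":
            findings["zombie"].append(host_id)

    for asset in inventory:
        if asset.status != "active":
            continue
        sights = seen.get(asset.host_id, [])
        if not sights:
            findings["silent"].append(asset.host_id)
        elif not any(s.source == "edr" for s in sights):
            findings["uncovered"].append(asset.host_id)
    return findings


if __name__ == "__main__":
    for kind, hosts in reconcile(INVENTORY, SIGHTINGS, NOW).items():
        print(f"{kind:10s}: {', '.join(hosts) or '-'}")
```

Each bucket maps to a different owner action: "unknown" hosts need to be identified and either enrolled or blocked, "zombie" hosts need their credentials and network access revoked, "uncovered" hosts need an agent before they count as protected, and "silent" hosts are candidates for removal from the inventory (or a sign that a sighting feed is broken).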
2- Framework Adoption
Once an organization has a better understanding of its assets, it is worth discussing and adopting a unified cyber security framework.
Adopting a specific framework helps simplify the roadmap to a secure environment through industry best practices. It serves as a guideline towards a specific standard that focuses security operations and can also serve as a precise internal benchmark.
For starters, NIST’s Cyber Security Framework, commonly referred to as the CSF, can be a good starting point for any company looking to standardize its cyber security policies, processes, and procedures. There are other similar regional or industry-specific frameworks, but most are based on or heavily influenced by the CSF.
3- Asset Protection/Deployment-Detection-Response
After adopting a unified cyber framework, the next crucial step is to adopt processes, procedures, and technologies to help monitor and detect any known incoming threat. For example, in 2023, only 33% of breaches were detected as part of a concerted effort by security teams and tools; the remaining detections were simply due to luck and attackers’ self-disclosure for financial and other malicious motives {IBM Breach Report 2023}.
At a minimum, organizations should deploy Endpoint Detection and Response (EDR) solutions to all critical assets, with the goal of extending coverage to all devices and network exit nodes. Once all assets are covered, ensure they are properly configured and continuously monitored by a trained team prepared to respond to the earliest signs of an attack. This can be managed by internal teams or through dedicated external Managed Detection and Response (MDR) services.
4- Patch and Vulnerability Management
If not regularly updated and upgraded, any system or protection measure will eventually present vulnerabilities that threat actors can exploit to gain access to the organization’s assets. Each company should adopt a patching system that tracks newly discovered vulnerabilities and patches them as soon as possible. The patching system should consider not only the available updates and upgrades but also the severity of any known exploits and their potential impact on the organization and its assets.
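Here is an added example of the prioritization the paragraph describes: open findings are ranked not by base severity alone but by severity weighted with the affected asset's criticality, whether exploitation is already known in the wild, and whether the asset is internet-facing. It is not Check Point's tooling; the weights, the service-level targets and the vulnerability identifiers (VULN-A and so on) are constructed placeholders.

```python
"""Rank open vulnerabilities for patching by severity, exploitation and impact.

Added example with constructed data. The weights and SLA thresholds are
illustrative defaults, not a published standard.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str
    cvss: float              # base score, 0.0 to 10.0
    exploited: bool          # exploitation observed in the wild
    asset: str
    asset_criticality: int   # 1 (low) .. 4 (critical), from the asset inventory
    internet_exposed: bool
    patch_available: bool


# Multiplier applied to the base score according to asset criticality.
CRIT_WEIGHT = {1: 1.0, 2: 1.25, 3: 1.5, 4: 2.0}
EXPLOITED_BONUS = 5.0
EXPOSED_BONUS = 3.0


def priority_score(f: Finding) -> float:
    """Severity scaled by asset value, plus bonuses for known exploitation and exposure."""
    score = f.cvss * CRIT_WEIGHT[f.asset_criticality]
    if f.exploited:
        score += EXPLOITED_BONUS
    if f.internet_exposed:
        score += EXPOSED_BONUS
    return round(score, 2)


def sla_days(score: float) -> int:
    """Illustrative remediation deadline in days for a given priority score."""
    if score >= 20:
        return 2
    if score >= 12:
        return 7
    if score >= 7:
        return 30
    return 90


def plan(findings):
    """Return (vuln_id, asset, score, sla_days, action) rows, most urgent first."""
    rows = []
    for f in findings:
        s = priority_score(f)
        action = "patch" if f.patch_available else "mitigate/isolate until a patch ships"
        rows.append((f.vuln_id, f.asset, s, sla_days(s), action))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


# Constructed findings: note that VULN-D (CVSS 6.5) outranks VULN-C (CVSS 9.1)
# because it is actively exploited and sits on a more valuable asset.
FINDINGS = [
    Finding("VULN-A", 9.8, True, "fin-db-01", 4, False, True),
    Finding("VULN-B", 7.5, False, "web-01", 3, True, True),
    Finding("VULN-C", 9.1, False, "test-vm-17", 1, False, True),
    Finding("VULN-D", 6.5, True, "hr-fs-02", 3, False, False),
]

if __name__ == "__main__":
    for vuln_id, asset, score, days, action in plan(FINDINGS):
        print(f"{vuln_id}  {asset:12s} score={score:6.2f}  due in {days:2d}d  {action}")
```

The asset criticality column is where the asset inventory from step 1 pays off: without it, every 9.8 looks the same, and the team spends its patch window on test machines while an exploited 6.5 on a file server waits.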
5- Incident Response Planning
The organization’s IR response should be captured in a documented and dynamic Incident Response Plan (IRP). The IRP should not only be documented but also approved at the highest level of the organization. Through the creation and documentation of the IRP, the organization should establish Response Team(s) and identify major stakeholders; establish and review existing third-party contacts and arrangements with external IR support teams; and put together response toolkits, response templates, cyber insurance, and other mitigation measures.
A well-crafted IRP should be straightforward, efficient, and reflect not only the organization’s environment and needs but also be the main guide in responding to real-time incidents.
6- Training
People are an organization’s best asset. People working with sound technologies, processes, and procedures are what decides whether an incident is a minor event or a full-blown catastrophe. As such, everyone who works for an organization must be trained to become an asset rather than a liability with regard to security. All training should be tailored to people’s roles and responsibilities, periodic, and realistic. It can range from cyber awareness training on phishing and other common threats to more complex exercises such as IR drills (tabletop exercises).
7- Audit and Test of Security Measures
Once the above-cited measures are implemented, it is important that all assets are reviewed on a periodic basis, that protection measures are assessed by internal teams and tested by external teams, and that the incident response plan and playbook are run through in simulated incidents (tabletop exercises). All lessons learned and any gaps discovered should then be reviewed to improve the security measures.
Proactively implementing the above steps can be challenging and costly, particularly for an already stretched cyber security workforce. However, when weighed against the potential financial losses, reputational damage, and recovery expenses, Incident Response Readiness offers a strong return on investment, making it a bargain compared to the costs of responding reactively to actual incidents.
For organizations looking to take a proactive approach to their Incident Response (IR) Readiness, there are various resources available to assist, regardless of size. These include local and federal support, offering both technical and financial aid. Additionally, the Check Point Incident Response Team is available to guide and assist your teams throughout this process.
Over the next few months, our team will dive deeper into each of these steps through blogs and webinars.