Building an Effective Incident Response Strategy to Combat Cyberattacks
A security incident is all but inevitable for nearly every organization. By “incident” we mean a cyberattack that successfully accesses enterprise resources or somehow puts the finances, operations, and reputation of an organization at risk.
The Art of One-Upmanship
A major breach can drive a company out of business. To fight back, every organization needs a cohesive incident response (IR) strategy, backed by a well-trained team to implement it. IR is an organization’s planned approach to detecting and managing cyberattacks. The goal is to minimize risk and to limit the damage, recovery time, and cost of any security incident. Finding and fixing vulnerabilities will reduce the odds of a successful attack on your systems or data. But when an attack succeeds, that’s where your incident response strategy comes into play.

Always Start With an IR Plan

The Incident Response Plan should offer a detailed, authoritative map guiding the organization from initial incident detection to assessment and triage, and finally to containment and resolution. It’s essential that your organization drafts, vets, and tests (by enactment) its IR plan before a crisis strikes. The following are steps to get started:

- Establish policy. A good policy explains the overall high-level priorities for when an incident occurs and guides incident responders in making sound decisions when things go wrong.
- Build your IR team. A plan is only as strong as the people carrying it out. Who handles which tasks? Get those people trained.
- Create playbooks. An IR policy offers the high-level view, but playbooks dive into the weeds by standardizing the steps the IR team takes in specific scenarios. Having playbooks to reference means greater consistency and efficiency in real-life incident response situations.
- Create a communication plan. Work out in advance how executives, communication specialists, legal counsel, and HR will communicate with one another and with the rest of the organization.
- Hold tabletop exercises. Vet the IR plan and talk through the specifics of an attack and how the team will respond. Study what happened and take the time to outline any additional controls needed by brainstorming ways to improve processes. Add brief, audience-specific tabletops to rehearse roles and decisions: Executive/Board (strategy and communications), Technical/IT (detection and containment), and Company-wide (cross-functional coordination). For example, start with a realistic scenario: an employee announces twins, prompting a convincing benefits-themed phishing email that steals credentials and diverts payroll, which drives practice in escalation, communications, and recovery.

Your IR plan should also include:

- a plan overview;
- a list of roles and responsibilities;
- a list of incidents requiring action;
- the current state of network infrastructure and security controls;
- detection, investigation, and containment procedures;
- eradication procedures;
- recovery procedures;
- a breach notification process;
- a list of post-incident follow-up tasks;
- a contact list;
- an IR plan testing process;
- and finally, a process for revising all of the above as needed.

We recommend formal, comprehensive reassessments and annual revisions.

Six Phases of Incident Response

Because IR plans require a lot of effort, make use of established security frameworks from NIST, the SANS Institute, ISO, ISSA, and ISACA for high-level guidance and direction. Each of these organizations’ frameworks differs slightly in approach, but they all describe six phases of IR:

- Preparation: Build your IR team and create policies, processes, and playbooks.
- Detection & identification: Employ IT monitoring to detect, evaluate, validate, and triage security incidents.
- Containment: Take steps to stop an incident from worsening and regain control of your IT resources.
- Eradication: Focus on eliminating threat activity, including malware and malicious user accounts.
- Recovery: Focus on restoring normal operations and mitigating vulnerabilities.
- Lessons learned: Review the incident to establish what happened, when it happened, and how it happened. Flag security controls, policies, and procedures that function sub-optimally, and identify how to improve them.

Assemble Your Team & Tools

The technical team is the core of the IR team, including IT and security personnel with technical expertise across company systems. It might include an IR coordinator, security analysts, threat researchers, and forensics analysts. An IR team might also draw from other departments such as communications/PR, legal, HR, business continuity and disaster recovery, as well as physical security and facilities. Your team should include external players like cybersecurity or IR consultants, external legal representation, cloud service providers, and vendors to supply expertise and controls such as endpoint detection and response (EDR), anti-malware, backup and recovery, cloud access security brokers, data classification tools, data loss prevention (DLP), firewalls, intrusion prevention and detection systems, security information and event management (SIEM), and security orchestration, automation, and response (SOAR) tools.

Defense-in-Depth

Most organizations need defense-in-depth, but keep it lean. Get the most from what you already have and add tools only to close a clear gap. Favor a small, integrated stack with clear owners and simple playbooks, and retire anything redundant. Use automation for repeatable tasks so that it reduces noise, not work; if capacity is tight, consider a managed partner while you keep oversight.

Seek Outside Expertise

For organizations facing serious threats or those that have multiple locations, outsourcing may be the key to cybersecurity. Information security providers can take over many aspects of IR work, from managing regulatory compliance to carrying out threat hunting and penetration testing to managing a crisis.

Incident response is a cornerstone of any enterprise cybersecurity program. Being able to respond quickly to unavoidable security incidents will minimize damage, improve recovery time, restore business operations, and avoid high mitigation costs.
