How to create an incident response plan


An incident response plan can make the difference between stopping a cyberattack and suffering critical data losses. These attacks rise annually, and organizations must be prepared and organized to ensure a swift response. Here’s how companies can create an incident response plan.

Why an Incident Response Plan Is Crucial

An incident response plan, or IRP, could potentially save an organization in the event of a cyberattack. Cybercrime has been on the rise over recent years, especially since the start of the COVID-19 pandemic in 2020. In fact, in 2020 alone, the FBI received over 790,000 complaints, with losses totaling over $4.2 billion.

Organizations of all sizes need to take cybersecurity seriously, from small businesses to the military. In 2021, researchers warned that the F-35's heavily networked, software-dependent systems could be compromised by cyberattack, arguing that the jet is more exposed than most missiles. That is no small claim, considering the complexity of military technology, and it shows how broad the problem is.

Luckily, organizations can use tactics to protect themselves and defend against cyberattacks. An incident response plan is vital to staying safe amid rising crime rates.

For military organizations and manufacturers, an IRP would specify how traffic on an aircraft's data networks is monitored for anomalies, who is alerted when one appears, and what pilots and ground personnel do next, giving them the best chance to stop an attack before it causes significant damage.

Here’s everything companies should know to implement an IRP and put it into action successfully.

Building the Incident Response Team

The first step to creating an incident response plan is building the computer security incident response team or CSIRT. This is the group of people who lead incident response operations. They will be primarily responsible for creating the IRP and putting it into action in the event of a cyberattack.

There are several main roles in the CSIRT: the executive sponsor, the incident manager, the lead investigator, the PR and communications adviser, the legal adviser, and the HR adviser. Smaller organizations often combine roles and work with fewer people, but this is the general roster for most medium and large organizations.

Responsibilities of CSIRT Members

The executive sponsor is someone in the organization’s leadership, such as an executive, member of the board of directors, CISO or CSO. This person’s job is representing the CSIRT, ensuring it has adequate funding and resources and acting as a team leader.

The incident manager is the deputy to the executive sponsor, overseeing the activities of the rest of the CSIRT. Their job is to coordinate meetings and report findings on any cyber incidents.

The lead investigator acts as the primary detective in the event of a cyberattack. Ideally, this role is filled by someone with hands-on cybersecurity experience, preferably including digital forensics. The lead investigator is responsible for determining the cause of the cyberattack and the damage it caused. They are the lead technical professional on the CSIRT.

The PR and communications adviser is responsible for handling any reporting of cyber incidents. Their job is to determine what information to share, with whom and how. Ideally, this person is a communications professional with crisis experience.

The legal adviser is responsible for keeping track of legal obligations about cyber incidents, such as any information the organization is required to disclose. This person is also responsible for communicating with law enforcement and may even handle lawsuits in some situations.

Finally, the HR adviser acts as the liaison between the CSIRT and personnel within the organization. Their primary responsibility is to field any questions or concerns from employees about cyber incidents. The HR adviser will be a crucial team member in an insider attack.

Creating the Incident Response Plan

There are various established frameworks for creating incident response plans. One of the most authoritative and widely used is NIST Special Publication 800-61, the Computer Security Incident Handling Guide, published by the National Institute of Standards and Technology.

This framework has extensive documentation, providing plenty of support for organizations creating their IRPs. Here's an overview of the four phases of the incident response life cycle that NIST recommends an IRP cover.

1. Preparation

The first step in any IRP is preparation. This stage includes identifying cyber vulnerabilities and establishing attack prevention strategies. This is where all the contact information for the members of the CSIRT should be listed. Descriptions of each member’s responsibilities should be clearly outlined, as well.

Organizations must conduct a thorough cybersecurity risk assessment to identify any potential vulnerabilities. For example, the risk assessment may reveal a company has weak access control protocols or outdated firewall technology. Insights from a risk assessment indicate where the CSIRT needs to focus its efforts to strengthen defenses.

The preparation section of the IRP should also outline the current cyber defenses the organization already has in place, including anti-malware programs, cybersecurity training education, and network security measures. For example, phishing awareness programs can go a long way toward stopping attackers from getting into company systems, so they count as cyber defense.

Additionally, the preparation section should go over key incident response information. This includes communication resources for responding to incidents, the location where the CSIRT will meet to strategize in the event of a cyber incident, the system for reporting potential cyberattacks, and on-call assignments for personnel.

2. Detection and Analysis

The second section of an IRP is detection and analysis. The goal is to outline how the organization will identify potential cyber incidents and analyze indicators of cyberattacks.

An important part of this section of the IRP is identifying attack vectors. These are the channels and methods a hacker could potentially use to break into an organization’s systems. Identifying them is crucial because it allows attacks to be categorized with responses that are specific to each type.

Examples of common attack vectors include email (phishing links and attachments), malicious websites, spoofing and impersonation, credential theft and brute-force attempts, stolen or misplaced devices, and malicious external media such as USB drives loaded with malware.

In addition to possible attack vectors, this section of an IRP also needs to outline key indicators of a potential cyber incident. These need to be monitored around the clock, since there is typically little or no warning before an incident occurs. Signs can be as obvious as an alert from an anti-malware program or as subtle as unusual activity on an authorized user's account, such as a login from an address that account has never used.

This section of the IRP should also include directions for analyzing and reporting cyber incident indicators and contact info for personnel to notify in the event of a potential attack.
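The two kinds of indicator described above, the obvious anti-malware alert and the subtle misuse of a valid account, can both be found with a small amount of detection logic run over the authentication log. The script below is an added example, not code from the article: the log format, user names, host names and IP addresses (RFC 5737 documentation ranges) are constructed, and the attack-vector labels are an assumed mapping onto the categories NIST SP 800-61 uses.

```python
"""Scan constructed authentication log lines for incident indicators.

Added example, not code from the article. The log format, user names,
host names and IP addresses (RFC 5737 documentation ranges) are all
constructed, and the attack-vector labels are an assumed mapping onto
the categories NIST SP 800-61 uses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a brute-force run against alice that eventually
# succeeds, bob logging in from an address never seen before, and an
# anti-malware quarantine event.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T02:14:09Z auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T02:14:11Z auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T02:14:13Z auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T02:14:15Z auth user=alice src=203.0.113.5 result=FAIL
2024-03-01T02:14:20Z auth user=alice src=203.0.113.5 result=OK
2024-03-01T08:01:00Z auth user=bob src=198.51.100.7 result=OK
2024-03-01T08:03:12Z auth user=bob src=198.51.100.7 result=OK
2024-03-01T19:45:30Z auth user=bob src=192.0.2.44 result=OK
2024-03-01T19:46:02Z av host=ws-17 action=QUARANTINE file=invoice.exe
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|av) (?P<fields>.*)$")


def parse(line):
    """Parse one log line into a dict, or return None for unknown lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "kind": m.group("kind"), **fields}


def find_indicators(log_text, fail_threshold=5, window=timedelta(minutes=10)):
    """Return (indicator, attack_vector, detail) tuples found in the log."""
    events = [e for e in (parse(ln) for ln in log_text.splitlines()) if e]
    findings = []
    fails = defaultdict(list)     # (user, src) -> timestamps of failures
    known_src = defaultdict(set)  # user -> sources that succeeded before

    for e in events:
        if e["kind"] == "av":
            # The obvious case: the anti-malware product already decided.
            findings.append(("antimalware_alert", "Other",
                             f'{e["host"]} {e["action"]} {e["file"]}'))
            continue
        key = (e["user"], e["src"])
        if e["result"] == "FAIL":
            fails[key].append(e["ts"])
            continue
        # A success: was it preceded by a burst of failures (attrition)?
        recent = [t for t in fails[key] if e["ts"] - t <= window]
        if len(recent) >= fail_threshold:
            findings.append(("bruteforce_then_success", "Attrition",
                             f'{e["user"]} from {e["src"]} after {len(recent)} failures'))
        # The subtle case: a valid account used from a new place.
        elif known_src[e["user"]] and e["src"] not in known_src[e["user"]]:
            findings.append(("login_from_new_source", "Impersonation",
                             f'{e["user"]} from {e["src"]}, seen before from '
                             f'{sorted(known_src[e["user"]])}'))
        known_src[e["user"]].add(e["src"])
    return findings


if __name__ == "__main__":
    for indicator, vector, detail in find_indicators(SAMPLE_LOG):
        print(f"{indicator:26} vector={vector:14} {detail}")
```

Each finding carries the vector label so the responder can jump straight to the matching playbook in the containment section. The thresholds are deliberately parameters: a password-spray against a single-sign-on portal needs a different window than an SSH bastion, and the right values are something the preparation phase should settle from the organization's own baseline rather than from a default.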

3. Containment, Eradication, and Recovery

The containment, eradication, and recovery section is the one responders must know best, because they will be acting under time pressure when they use it. It covers the crucial period after a cyber incident has been recognized. At this stage, the CSIRT and other security personnel actively respond to the attack and minimize the damage as much as possible.

The containment phase is all about stopping a cyberattack in progress. The exact method will vary depending on the attack vector. For example, suppose ransomware on a workstation is encrypting files on an organization's file servers. In that case, the security team may be able to isolate that host from the network and revoke its write access to shared storage before the program reaches the files it has not yet touched. Network segmentation is an excellent defense for containing attacks like this, and a pre-approved isolation procedure avoids losing files while someone waits for sign-off.
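The ransomware case above is the one where seconds matter, so it is worth showing what an automated containment trigger looks like. The code below is an added example, not the article's own tooling: the file events, host and share names, thresholds and the response actions are constructed, and in a real deployment `contain()` would call the EDR or firewall API that isolates the host and revokes its share access instead of returning strings.

```python
"""Detect a ransomware encryption burst and decide on containment.

Added example, not the article's own tooling. The file events, host and
share names, thresholds and the response actions are constructed; in a
real deployment `contain()` would call the EDR or firewall API that
isolates the host and revokes its share access instead of returning
strings.
"""
import math
from collections import defaultdict, deque
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted or compressed output sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed stand-ins for a normal document and for ciphertext.
PLAINTEXT = b"Quarterly revenue summary, region EMEA, draft v3.\n" * 80
CIPHERTEXT = bytes(range(256)) * 16  # uniform byte histogram: entropy 8.0


class RansomwareMonitor:
    """Counts high-entropy writes per host inside a sliding window."""

    def __init__(self, burst=20, window=timedelta(seconds=30), min_entropy=7.5):
        self.burst = burst
        self.window = window
        self.min_entropy = min_entropy
        self.hits = defaultdict(deque)   # host -> timestamps of suspicious writes
        self.contained = set()

    def observe(self, ts, host, share, path, content):
        """Feed one file write; return containment actions (usually none)."""
        suspicious = (shannon_entropy(content) >= self.min_entropy
                      or path.endswith(".locked"))   # assumed ransomware suffix
        if not suspicious:
            return []
        q = self.hits[host]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.burst and host not in self.contained:
            self.contained.add(host)
            return self.contain(host, share)
        return []

    def contain(self, host, share):
        """Stop the host writing to shares before it reaches the rest."""
        return [f"isolate-host {host}",
                f"revoke-write share={share} host={host}",
                f"snapshot share={share}"]


def simulate():
    """Replay constructed events: a clean host and an infected one."""
    mon = RansomwareMonitor()
    t0 = datetime(2024, 3, 1, 2, 15, 0)
    actions = []
    for i in range(30):
        ts = t0 + timedelta(seconds=i)
        # ws-02 saves ordinary documents: never suspicious.
        actions += mon.observe(ts, "ws-02", "\\\\fs1\\finance",
                               f"report_{i}.docx", PLAINTEXT)
        # ws-17 overwrites files with ciphertext at one per second.
        actions += mon.observe(ts, "ws-17", "\\\\fs1\\finance",
                               f"report_{i}.docx.locked", CIPHERTEXT)
    return actions


if __name__ == "__main__":
    for action in simulate():
        print(action)
```

The monitor fires once per host, after the twentieth suspicious write within thirty seconds, and the clean host never trips it because ordinary documents have low byte entropy. The snapshot action is there so that whatever was encrypted before the trigger is preserved for the investigation rather than overwritten by a well-meaning restore.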

This section of the IRP should outline exactly how the CSIRT will respond to various attacks. For example, organizations’ leaders should decide ahead of time if they will pay ransoms or not.

Additionally, the IRP should include planned methods for eliminating any malicious programs and recovering the organization's systems. Eradication should not begin until the full scope of the intrusion is known, or the attacker may simply return through a foothold that was missed, and backups should be verified clean before they are restored. Organizations should also have a strategy for collecting evidence of the attack and any information about the attacker, such as their IP addresses or any communication they send. Evidence like this supports scoping the breach, regulatory reporting and later law enforcement action, so it must be collected in a way that preserves its integrity: work on copies, hash them, and record who handled them and when.
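To make the evidence-handling point concrete, the script below builds a hashed manifest of collected artifacts and a chain-of-custody log, then shows the verification catching a file that was changed after collection. It is an added example, not code from the article: the case ID, host, custodian names and file contents are constructed, and it assumes the evidence has already been copied (never worked on in place) into a directory on the investigator's workstation.

```python
"""Evidence manifest with SHA-256 hashes and a chain-of-custody record.

Added example, not code from the article. Case ID, host, custodian
names and file contents are constructed. It assumes evidence has already
been copied (never worked on in place) into a directory on the
investigator's workstation.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large disk or memory images are not loaded at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def now_iso() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def build_manifest(evidence_dir, case_id, source_host, collected_by):
    """Hash every file under evidence_dir and open the custody log."""
    root = Path(evidence_dir)
    items = [{"name": p.relative_to(root).as_posix(),
              "bytes": p.stat().st_size,
              "sha256": sha256_file(p)}
             for p in sorted(root.rglob("*")) if p.is_file()]
    return {"case_id": case_id, "source_host": source_host,
            "collected_by": collected_by, "collected_at": now_iso(),
            "items": items,
            "custody": [{"ts": now_iso(), "action": "collected",
                         "from": source_host, "to": collected_by}]}


def transfer(manifest, from_, to, note=""):
    """Append a hand-over to the custody log; earlier entries are never rewritten."""
    manifest["custody"].append({"ts": now_iso(), "action": "transferred",
                                "from": from_, "to": to, "note": note})


def verify(manifest, evidence_dir):
    """Return names whose hash no longer matches or that are missing."""
    root = Path(evidence_dir)
    bad = []
    for item in manifest["items"]:
        p = root / item["name"]
        if not p.is_file() or sha256_file(p) != item["sha256"]:
            bad.append(item["name"])
    return bad


def demo():
    """Collect two constructed artifacts, verify, then tamper with one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "ransom_note.txt").write_bytes(
            b"Your files are encrypted. Use the portal link to contact us.\n")
        (root / "netflow.csv").write_bytes(
            b"ts,src,dst\n2024-03-01T02:14:20Z,203.0.113.5,10.0.0.8\n")
        m = build_manifest(root, case_id="IR-2024-0001", source_host="ws-17",
                           collected_by="j.doe (lead investigator)")
        transfer(m, "j.doe", "evidence locker B", note="sealed USB drive")
        intact = verify(m, root)            # expected: []
        (root / "ransom_note.txt").write_bytes(b"edited after collection\n")
        tampered = verify(m, root)          # expected: ['ransom_note.txt']
        return intact, tampered, json.dumps(m, indent=2)


if __name__ == "__main__":
    intact, tampered, manifest_json = demo()
    print("intact before tampering:", intact == [])
    print("changed after tampering:", tampered)
    print(manifest_json)
```

The manifest itself should be stored apart from the evidence (and ideally signed) so that whoever can alter an artifact cannot also alter the hash that would reveal it. Hashing the evidence at collection time is what lets the legal adviser later show that what is handed to law enforcement is what was taken from the compromised host.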

4. Post-Incident

The IRP does not end when an incident does. Organizations must have a procedure for reviewing and reporting what happened. This information is crucial to improving cybersecurity measures and preventing future attacks.

The post-incident review is also a time for reflection for the CSIRT. Its actions significantly impact how well the IRP is used during cyber incidents, so everyone should be open to constructive feedback on their performance. The CSIRT should also analyze its readiness for the particular type of incident. Any lessons learned can update and improve the incident response plan.

Incident Response Training

Once the IRP is complete, organizations and CSIRTs should practice, memorize and understand every aspect of it. One of the best ways to conduct IRP training is through tabletop incident response exercises, in which CSIRT members respond to a simulated cyber incident as if it were real.

These “fire drills” are a great test of incident response readiness. Tabletop incident response exercises will help identify and address any confusion about the IRP. This ensures everyone knows exactly what to do to have the best outcome possible in a real cyber incident.

Preparing for Cyber Incidents Like a Pro

A comprehensive IRP is key to a rapid and professional response to cyberattacks. It helps organizations prepare beforehand and offers the clear direction needed to make quick decisions in the crisis environment of an active cyber incident. Creating an incident response plan is one of the best steps organizations can take to defend against the cyber threats that come their way.