Incident Response Plan
What Is an Incident Response?
Incident response refers to the process by which organizations handle a potential data breach or cyberattack—from initial mitigation reactions to the restoration of systems. The objective of incident response is to contain the issue to limit damage and decrease recovery time.
It is recommended and often required for regulatory compliance that organizations have an incident response plan in place that defines what constitutes an incident and provides a process to be followed when an incident occurs. Additionally, organizations should identify teams and roles to be responsible for executing the incident response plan, including specifying who should lead the team.
Types of Security Incidents that Warrant a Response
Security incidents can result from vulnerabilities, which are usually weaknesses in a computer system or business process, or from a user who has been exploited. However, malicious insiders can also be the cause of security incidents.
Potential consequences include unauthorized access to sensitive information, theft of assets or money, and service disruptions. There are various types of security incidents that can trigger the execution of a formal incident response plan. A few examples of common security incidents are:
- Distributed denial of service (DDoS) attack
- Malware or ransomware attack
- Successful phishing that has led to the exposure of personally identifiable information (PII)
What Is an Incident Response Plan?
An incident response plan is the detailed documentation of instructions or procedures to detect, investigate, respond to, and limit the consequences of malicious cyberattacks against an organization’s information system(s). An effective incident response plan not only details the required steps to follow, but also identifies teams and their roles to enable the most expeditious approach to action and mitigation.
Key roles on an incident response team include:
- Incident response manager
  - Oversees and prioritizes actions during detection, containment, and recovery of an incident
  - Conveys relevant information to appropriate parts of the organization, customers, law enforcement, regulators, and the public
- Security analysts
  - Implement and maintain technical and operational controls
  - Support and work directly with affected resources to repair and restore systems
- Threat researchers
  - Provide threat intelligence and context around security incidents
  - Monitor for leaked credentials, data leaks, and third-party and fourth-party vendor security posture
  - Use a variety of tools to understand current and future threats
Best practices to consider as part of an incident response plan include:
- Continually assess and test the network infrastructure and security safeguards, and make necessary updates in a timely manner
- Create and vet an overview of the plan
- Define procedures for each step of the incident response plan
- Determine the breach notification process
- Develop a list of roles and responsibilities with the support of stakeholders from across the organization
- List the types and scale of incidents that would trigger an incident response plan
- Review the plan on an ongoing basis and make revisions as needed
Three Incident Response Plan Pitfalls
- Failing to identify specific team members and their key roles
  - Not having a variety of team members who can identify and address challenges that face particular roles or groups
  - Not specifying a team leader
- Using generic templates for incident response plans
  - Not customizing templates to fit the unique needs of the organization
- Spending too much time developing a step-by-step plan of what to do without identifying the tools to support the efforts
  - Underutilizing tools or using them incorrectly
Incident Response Plan Steps
There are several considerations when developing an incident response plan that will make the plan more effective and easier to implement.
- Lock in support from the C-suite or senior management to ensure that resources are available to assemble the best computer security incident response team (CSIRT)
- Test all aspects of the incident response plan, from software penetration testing to team role-playing
- Build in contingency plans to account for varied types of attacks and for situations that do not go as expected
- Ensure that the overall plan is flexible enough to support agile responses in the event of an attack
- Establish a chain of command in the event of a security incident, and ensure that all potential stakeholders understand each role and the hierarchy
Six Incident Response Plan Steps
According to the SANS Institute, there are six key phases of an incident response plan:
- 1. Preparation
This is widely held to be the most important phase of an incident response plan because security breaches are almost inevitable. Incident response preparation helps organizations identify who will be part of their CSIRT, their roles, and the details of that plan. In addition, the incident response plan should cover policies, strategies, tools, access requirements, communication protocols, documentation of processes, and training.
- 2. Identification
The process of detecting and identifying incidents is a critical part of a successful incident response plan. Done properly, identification supports rapid response, which reduces costs and damages.
This step falls under the purview of the IT staff. They gather events from log files, monitoring tools, error messages, intrusion detection systems, and firewalls to detect and determine incidents and identify their source, type, and scope. This helps determine if the issue qualifies as a security breach incident and triggers the implementation of the correct incident response plan.
- 3. Containment
In the event that an incident is detected, containing it is a top priority. The sooner an incident is isolated, the faster it can be neutralized and, usually, the less damage can be caused by it. During the containment phase, it is important to preserve any evidence that can be used to understand what happened and to help with the prosecution of perpetrators.
- 4. Eradication
Even after containment, a virus or malware can still pose a threat. Eradication neutralizes and destroys the incident’s root cause by removing the threat and restoring affected systems to their previous state.
- 5. Recovery
Before putting previously compromised systems back into production, they need to be tested and validated. This ensures that infected systems are not accidentally restored to infect other systems.
- 6. Post-Incident Review
This final step in an incident response plan is as important as the first. Assessing the cause and effect of an incident will help prevent future issues. It is also helpful to evaluate the incident response plan to determine what worked, what did not work, and what can be improved.
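The Identification step above, as an added example that is not part of the original article: a small Python triage routine that correlates constructed firewall, IDS, EDR, email-gateway and DLP events, classifies them into the incident types the article lists, estimates scope by distinct affected hosts, preserves the supporting evidence for the Containment phase, and applies an assumed trigger policy under which phishing becomes a plan-level incident only once PII exposure is also observed. The log formats, keyword rules and trigger thresholds are assumptions for illustration.

```python
from dataclasses import dataclass, field
# Constructed sample events (source_system, host, message); not real log data.
SAMPLE_EVENTS = [
    ("firewall", "web-01", "allow tcp 10.0.0.5 -> web-01:443"),  # benign noise
    ("firewall", "web-01", "SYN flood from 203.0.113.0/24 rate=250000pps"),
    ("firewall", "web-02", "SYN flood from 203.0.113.0/24 rate=190000pps"),
    ("ids", "ws-117", "ET MALWARE ransomware beacon to known C2"),
    ("edr", "ws-117", "mass file rename to .locked detected"),
    ("edr", "ws-118", "mass file rename to .locked detected"),
    ("email-gw", "ws-042", "credential phish clicked; user submitted login"),
    ("dlp", "ws-042", "PII export: 1200 customer records to external address"),
]
# Assumed keyword rules mapping evidence to the article's incident types.
RULES = {
    "ddos": ("syn flood", "udp flood", "http flood"),
    "malware_or_ransomware": ("malware", "ransomware", ".locked"),
    "phishing_pii_exposure": ("phish", "pii export"),
}
@dataclass
class Incident:
    kind: str
    affected_hosts: set = field(default_factory=set)  # scope = len(affected_hosts)
    evidence: list = field(default_factory=list)      # kept for containment/forensics

def classify(message: str):
    """Return the incident type one event supports, or None if it is noise."""
    text = message.lower()
    for kind, keywords in RULES.items():
        if any(k in text for k in keywords):
            return kind
    return None

def triage(events):
    """Correlate raw events into one Incident record per type (source, scope)."""
    incidents = {}
    for source, host, message in events:
        kind = classify(message)
        if kind is None:
            continue  # routine activity, not part of an incident
        inc = incidents.setdefault(kind, Incident(kind))
        inc.affected_hosts.add(host)
        inc.evidence.append(f"{source}:{host}:{message}")
    return incidents

def triggers_plan(inc: Incident) -> bool:
    """Assumed policy: phishing is plan-level only once PII exposure is also seen."""
    if inc.kind == "phishing_pii_exposure":
        text = " ".join(inc.evidence).lower()
        return "phish" in text and "pii export" in text
    return len(inc.affected_hosts) >= 1
```

Running `triage(SAMPLE_EVENTS)` yields three incident records; a phishing click with no PII export produces a record that does not trigger the plan.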
Why an Incident Response Plan Is Important
The importance of incident response plans continues to grow as the number, scale, and frequency of cybersecurity breaches increase. The impact of cybersecurity incidents should not be underestimated. They ripple across an organization, causing issues that affect internal teams, customers, and partners, and they frequently attract regulators’ attention. The speed and efficacy of an incident response plan materially change the outcome of a cybersecurity breach.
Incidents range from pesky malware infections to ransomware, with breach sources that span from unencrypted employee laptops to network vulnerabilities. Regardless of the attack vector, any incident activity that is not promptly addressed can, and usually does, mushroom into a catastrophe.
Incident response plans are important because they enable organizations to be prepared to respond to incidents, whether the cause is known or not. They also include preemptive precautions that stop or at least hinder the impact of an incident.
Among the many reasons why an incident response plan is important are:
- Addresses the attack vector that was used
- Creates a communication plan that includes how and when to notify law enforcement, employees, customers, and partners
- Identifies root causes of security incidents
- Improves recovery time
- Limits the duration and damage of security incidents
- Minimizes losses
- Mitigates exploited vulnerabilities
- Outlines plan for post-incident disaster recovery
- Prevents future incidents
- Provides an accurate list of stakeholders
- Reduces potential negative publicity and customer churn
- Restores services and processes
- Streamlines digital forensics
How to Ensure Efficacy of Incident Response Plans
While the actual responses are important, the planning and post-incident phases require the most attention. Regular review ensures that the incident response plan continues to meet requirements, both expected and unexpected, when an unanticipated event occurs.
Having a well-thought-out incident response plan expedites time to resolution and can significantly minimize damages. It is also important to review how the incident response plan worked and to identify areas for improvement. Investments in incident response plans are never regretted.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers and millions of users worldwide.
Last Updated: 2nd February, 2022