Fundamentals of an Incident Response Plan

By: Joseph Tso, CISSP

Cyber threats such as ransomware, DDoS, and data theft continue to evolve and become harder to detect every day. According to the Gemalto Breach Index Report, there were 918 breaches in the first half of 2017 alone, compared with 815 breaches for the whole of 2016. Cyber incidents are increasing at an alarming rate. It is not a matter of whether you will be breached, but when. Will you be prepared when that breach happens? Does an incident response plan exist in your organization?

What is an Incident Response Plan?

An incident response (IR) plan is a set of written documents that provide instructions on what needs to happen when there is a confirmed cyber incident. Incident response plans may differ from one organization to another, but they traditionally contain the same elements. A computer security incident response team (CSIRT) must be created to carry out the instructions in the incident response plan. A CSIRT can consist of members from these departments: IT, Security, Legal, Marketing, and Upper Management. In many cases, the CSIRT also includes an outsourced forensic investigation firm.

Requirements for an Incident Response Plan

According to the SANS Institute, there are six necessary steps that must be included in an incident response plan:

•    Preparation: This phase prepares IT and staff to handle potential cyber incidents before one occurs.
•    Identification: This phase determines whether an event is a security incident.
•    Containment: Once a security incident has been confirmed, containment limits the damage by isolating the affected systems to prevent further harm.
•    Eradication: Once the incident has been identified and contained, evidence collected, and the cause determined, the security threat must be eradicated from the system.
•    Recovery: After the system has been cleaned of the threat, it must be put back into production.
•    Post-Mortem: A post-mortem analysis must be completed that documents the incident, analyzes it, and draws lessons from it to improve future incident response.

These six basic steps are just the fundamentals of any incident response plan. Each organization's plan can vary and may contain more or fewer instructions. To improve on this IR plan, it is recommended that a communication phase be included. Depending on the severity of the security incident, upper management, the legal team, and stakeholders will need to be notified. The communication phase should come right after the identification phase. The severity of the security incident determines whether further escalation is warranted, but at the very least there should be some form of communication to the members of the CSIRT keeping them apprised of the situation.

Business Continuity Inclusion

Many organizations have a business continuity plan that deals with traditional threats such as man-made or natural disasters. As cyber threats continue to endanger businesses, should cyber threats be included in the business continuity plan as well? Data breaches might not threaten business operations, but Denial of Service attacks and Ransomware have the potential to shut a business down. In the past year alone, Ransomware has shut down hospitals and the shipping giant Maersk, costing them hundreds of millions of dollars. Business continuity plans should be augmented to include a business impact analysis of cyber threats and to incorporate the incident response plan. The incident response plan and the business continuity plan will complement each other in addressing cyber incidents. Not all cyber incidents will trigger the need to activate a business continuity plan, but at the very least having one available will prepare a company in the event a cyber incident does affect its business operations.

If your organization already has an incident response plan, I recommend reviewing it and updating it to make sure the information is current. If your organization does not have an incident response plan, you should start creating one now. You never know when you may need it, but having one available will help your organization through a cyber crisis. You do not want to be scrambling to figure things out when that happens.

Additional References:

http://breachlevelindex.com/assets/Breach-Level-Index-Report-H1-2017-Gemalto.pdf
https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html
https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin
http://www.infosectoday.com/Articles/Business_Continuity.htm
https://deltarisk.com/blog/4-ways-to-integrate-your-cyber-security-incident-response-and-business-continuity-plans/