By: John G. Laskey, Security Researcher for the InfoSec Institute.

About an Incident Response Plan

An incident response plan is a company’s critical resource during a cyber attack or other computer disaster. These plans are usually created only after an attack occurs, but they’re needed to help prevent and mitigate cyber threats. They identify current risks, assess damage, and lay out the necessary steps to respond during a critical event. Business continuity plans should also address data recovery. Although they cost time and money upfront to create, they can save a company millions in damages by preparing personnel and systems for a possible attack.

A recent report from Bryan Cave’s Global Data Privacy and Security team indicates that companies with an incident response plan can save millions of dollars.  According to the report:

• Incident response plans lower the cost of data breaches by $17 million per incident
• 50% of polled companies aren’t even confident that their response plan is effective
• 78% of polled companies with an incident response plan haven’t reviewed their current plan for any errors
• 22% of polled companies have no response plan at all

One of the main issues companies have such a high rate of non-compliance is that most companies don’t realize the need for an incident response plan until after a major security breach occurs. Some companies don’t even know they need a response plan unless they hire a security consultant. According to Harvard Law, an incident response plan is needed for the following reasons:

• Regulators expect fast response times and incident response plans in place for industries that collect sensitive data such as government, financial and healthcare.
• Incident response plans provide evidence of security best practices during any investigation or security audit.
• Plans protect digital assets and give personnel a playbook to stop future threats from becoming catastrophic attacks that lead to an organization’s demise.

Incident response plans are created by experienced security professionals. These professionals are either consultants or lead security team members within the organization. These security professionals assess the current IT infrastructure, identify any security risks, and create a step-by-step plan to plug vulnerabilities and define standards for future attacks. They also create a standard for monitoring events to allow the corporation to be more proactive during cyber attacks.

Key Elements of an Incident Response Plan

Cyber threats are an extremely technical event that only experienced professionals can mitigate. Companies without the right professional typically create a plan that isn’t refined for protection and risk avoidance but rather respond to threats as they occur. Plans must have the right elements to be effective. The following key elements are a part of a viable incident response plan:

1. Policy and Incident Definition

Before a plan can be developed, the documentation needs a definition of an incident. It could be an incident from within the infrastructure, or it can be an outside threat from a cyber attacker. Threats aren’t always over a network. Social engineering is also a growing concern for security experts. Each type of threat should be outlined and defined to give IT personnel direction for when the plan should be put into place.

2. Roles and Responsibilities

Each team member responsible for responding to an incident should be outlined and defined within the plan. Contact numbers including on-call numbers should be documented. With most teams, a ladder of involvement is created. One team member is the first contact, if this contact isn’t available, their manager is contacted, and the list continues until someone is found to respond to the incident.

3. Performance Objectives

Most IT networks have risks, and these risks should be assessed. Once risks are identified, the security team should put objectives in place to freeze, monitor, and close vulnerability gaps. Training should also be a part of the plan to educate other teams on proper security procedures.

4. External Support

In some cases, local law enforcement must be contacted or a third-party consultant is needed to mitigate the threat. Data recovery services should also be a third party included in the process. These contact numbers should be highlighted and documented in the plan. These professionals are also useful for documenting outside threats and gathering the right information for legal proceedings.

5. Incident Assessment and Response Review

Incident response plans are an ongoing effort, which means the plan should be reviewed annually. New threats are deployed each year, and the response plan should reflect these changes. When a threat occurs, the response should be reviewed and assessed for improvement. Communications, performance objectives, crisis management, and external forensic investigation should all be reviewed after a plan is put into action.

The Most Critical Element

The above five elements are an important part of any plan, but the most critical element is testing. Testing determines the depth of penetration and the amount of digital assets at risk of theft or corruption. It also helps teams practice their response to better perform during a true cyber threat.

Testing can be remote or on-site. If remote, the setup must mirror the local environment. Testing teams should VPN or connect to the local environment as if they are local. These tests should be done annually for PCI compliance, but some companies prefer to perform practices exercises bi-annually to cover monthly threats.

Once the testing exercises are complete, each part of the plan should be evaluated for improvements. Any changes in technical controls and vulnerabilities should be documented and patched to avoid future threats.

If the internal security team is unable to perform testing, outside consultants and security penetration teams are available. These consultants run penetration scripts and identify intrusion detection failures. They can also help train internal teams to properly protect and respond to cyber attacks.

Testing also keeps teams up-to-date with the latest threats, and it can help teams understand when to deviate from standard practices. Advanced incidents usually have different requirements that mean teams must be prepared to understand when incident response plan changes should be made.

After testing, a performance report should be created. This report should contain the following:

• Testing methodology
• Assessment of response times
• Expected results
• Actual results
• Causes of deviation
• Recommendations to remove discrepancies

Creating an incident response plan isn’t an easy task, but it’s crucial for digital protection of all company assets. It reduces the time it takes to mitigate damages during attacks, reduces risks across the entire network, and gives team members a defense plan.