Best guide to creating an incident response plan.

09Nov

Best guide to creating an incident response plan.

By Articles 0 Comments

What is incident response?

Incident response (IR) is the process by which Computer Security Incident Response Teams (CSIRT) help organizations to identify, stop and recover from any data breach as quickly as possible.

What is an incident response plan?

An incident response plan is a document that guideline organizations about responding effectively to disasters, cyber-attack, or security breaches, helping to mitigate incident-related expenses and reduce the likelihood that they will happen again in the future.

Components of incident response plan

An incident response plan typically includes:

  1. Introduction
  2. Incident Identification and First Response
  3. Resources
  4. Roles and Responsibilities
  5. Detection and Analysis
  6. Containment, Eradication, and Recovery
  7. Incident Communications
  8. Appendices

Introduction

The current section should outline the goals, scope, and guiding principles, highlighting the plan’s purpose. Also, the introduction should include what your plan intends to do and what its limitations are.

Incident Identification and First Response

This section details how the CSIRT recognizes and determines if the plan should activating. Also, particularly in the COVID-19 stage, it is advisable to define in advance who can invoke the plan, how to communicate, and where to meet.

Resources

Incident responders will detail what resources are available to support the team’s efforts, including personnel and equipment. Often they have a kit ready in an incident with contact cards, chargers, spare cables, notepads, etc.

Roles and Responsibilities

It’s crucial to define the roles and responsibilities of the incident response team members, including support contacts or secondary if any member is unavailable.

Detection and Analysis

Here, the team documents how an incident is defined and detected, depending greatly on the type and scope of an attack. Sometimes the CSIRT uses templates, web examples or seeks professional assistance to get real-life insights. These ideas will help generate the playbooks that will form the essence of this section of your plan.

Containment, Eradication, and Recovery

Frequently, this portion of the plan is the most technical of the document. The section outlines the strategies for limiting the incident scope and procedures for eradicating and recovering all affected systems. –In the coming section of the article “How to create an incident response plan,” you will have specific information about Containment, Eradication, and Recovery.

Incident Communications

The communication protocols are effective during the notification incident procedure to stakeholders, customers, and other organizations. Here, the team details all notifications and covers the involvement of internal personnel, cybersecurity consultants, and all providers, even managed service providers, law enforcement, privacy regulators, and analytics forensics specialists. Remind that all the involucred have to be previously identified to avoid improvisations.

Appendices

Depending on the scope and size of your plan, you may choose to include reference materials as appendices to the incident response plan. Some are physical and logical network infrastructure diagrams, web and cloud service connections, backup schedules, etc. Also, documentation of security solutions at sensitive points such as firewalls, IDS/IPS that provide resistance to attack, logs of incidents, etc. Information about phones and emails of all contacts, providers, and partners has to be notified. Therefore, in this section, you will attach all the additional documentation to complement the plan. Many organizations still resort to maintaining a paper copy of the plan and resources if systems are unavailable.

How to create an incident response plan?

The first thing that an incident response plan needs to define is the company’s strategy on how to deal with the incidents. It should list out all needed resources for cyber security, people responsible, and their contacts.

The incident response phases are:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons Learned

Keep reading to look at each phase in more depth.

incident response plan
Incident Response Life Cycle Steps.

Preparation:

The incident response preparation phase is key to a successful response. In this scenario, organizations need to define the computer incident response team (CIRT), their roles, responsibilities, and who require to notify. Also, it is the right time to choose the possible sophisticated hardware and software resources. In turn, organizations use the preparation phase to ensure the team’s training according to their responsibilities in a data breach. In effect, when CIRT triages an incident, they must know how to prioritize it and when to escalate it.

One excellent way to evaluate the team’s knowledge is by performing incident response drills. Remind that to higher preparation, less probability to make critical mistakes.

Identify

When an incident happens, the CSIRT has to identify its size and scope to remove it successfully. Indicators of compromise (IOCs) are a vital component of cybersecurity that supports the likelihood of a particular event or incident. They allow to computer security incident response team to quickly identify incidents in organizations and respond to potential threats. Also, many organizations adopt an IOC-based approach to cyber threat hunting. However, the IOC process is not always straightforward and requires proper knowledge and tools to do it effectively.

Containment

The incident containment phase is the process of controlling the scope and severity of cyber-attacks. A containment strategy may include shutting down vulnerable services, locking down system access, and isolating affected devices from the network. Also, securing sensitive data by moving it offline or encrypting it. Even the team can require a deep-dive analysis and need long-term containment to conduct hard disk forensics. This analysis may generate further IOC’s and the identification phase may need to be revisited.

Eradication

Once the incident is successfully contained, then the eradication phase of the threat can start. Here it is where the experts identify what caused the security breach and how to remove it. Usually, patching devices, disarming malware, disabling compromised accounts, and applying updates are the usual actions to eradicate threats.

Recovery

The Recovery phase includes all the actions required to bring back the computing services of an organization following a disruption. Here is where the team starts rebuilding affected devices and restoring data from clean backups saved previously. Also, it’s crucial to make new configurations and ensure that there are no more threats by monitoring compromised devices.

Lessons Learned

Once the threat is resolved, it’s time to analyze all incident response planning and improve them systematically. The team should make a Post Incident Review (PIR) meeting, documenting and updating the playbooks to improve the response. Adding, what went well, and where there were some gaps to help prevent similar incidents from occurring in the future or common cyber-attacks.

Importance of incident response plan

Incident response plans are essential because of collect a set of procedures that help organizations overcome data breaches. Usually, the planning is designed to address any incidents resulting in data loss, theft, disclosure, modification, denial of service, physical destruction, or misuse. Also, it helps organizations protect their customers and other stakeholders by minimizing the impact or severity of breaches. It’s recommended that organizations apply information security incident response policies and best practices to protect state systems and data.

Share this post

Author

Related Posts

29Jan

Using event correlation and AI for Threat Detection and Incident Response

According to Cybersecurity Ventures, cybercrime will cost the world $10.5 trillion annually... read more

12Jul

What is the difference between SIEM and XDR?

The “X” in Extended Detection and Response (XDR) essentially implies more efficient... read more

07Aug

Intrusion Detection System. A guide about the best HIDS tools.

What is Host Intrusion Detection System (HIDS)? A  Host-based Intrusion Detection System (HIDS)... read more

08Apr

Multi-tenant Cloud Architecture

Today organizations have been able to recognize over the years the benefits... read more

14Sep

Hire a white hat hacker for website security

What is a white hat hacker? A white-hat hacker is a hired person... read more

30Nov

A complete guide for GLBA Compliance Using SIEM.

Gramm-Leach-Bliley Act (GLBA) is also regarded as the 1999 Financial Modernization Act.... read more

11Mar

Cost-effective Managed SIEM Service

Contract with a third-party for managed SIEM services is increasingly affordable and... read more

16Nov

Essential SIEM Correlation Rules for Compliance

Technology has come a long way from when 3 incorrect login attempts... read more

06Aug

How to perform a successful Cyber forensic investigation?

Cyber forensic investigation is an emerging field with dynamic growth in the... read more

13Mar

SIEM as a Service

SIEM-as-a-Service (SaaS) and Managed SIEM services have gained popularity among companies aiming... read more