Creating an Incident Response Plan

The last couple of weeks we’ve talked about the cybersecurity threats that have been the most damaging this year and how to reduce your chances of becoming the next target. But, what happens if you actually do become the victim of ransomware, credential stuffing or some other attack? Do you know how to respond?

When you are in the midst of a security incident your stress levels are heightened and time is against you. You need to be able to respond quickly and methodically. Any misstep could cause significant damage to your business’ reputation and bottom line. An incident response plan allows you to think ahead and streamline your actions effectively. The plan will ensure you’ve accounted for the nuances of your business operations, comply with local, state, and federal reporting requirements, and have a solid strategy for keeping your customers informed, saving you lots of unnecessary headaches.

If you are running a small business, you absolutely need an incident response plan. Having a plan will save you time and money. Small businesses, unlike large companies, can’t always afford to staff teams of IT and security professionals to monitor and respond to security events. But an incident response plan can be distributed to your staff as an SOP (Standard Operating Procedure), allowing even non-technical people to respond effectively to security incidents.

How Do You Create An Incident Response Plan For Your Business?

The biggest challenge in creating an incident response plan is figuring out what kinds of events you should include in your plan. I would recommend you start with the big three: ransomware, phishing, and sensitive data breach. At a minimum you should include these. Next, take a look at your industry and the security incidents your competitors have faced over the last few years. You can also review the annual reports from IBM, the FBI, and Verizon. These should give you a pretty good starting list of the incident types that should be addressed in your plan. Then, take an inventory of the types of data you collect, process and store. Identify the locations and systems you use to perform these actions. With this information you now have a good idea of what you need to protect and what the threats are.

To round out your list of incidents, you also need to understand the consumer protection and data privacy laws in your state and the states where your customers reside. These laws define what is considered a data breach, and your business’ obligation for reporting, including how long you have to report the incident and to whom. These definitions and reporting requirements change from state to state and you need to be aware of all of them.

From here you need to walk through how each of the identified threats would impact your data and plan your response.

I realize this is a lot, but just take it one step at a time. If you still aren’t sure where to start, there are tons of templates you can find on the internet where others have built plans. You can start with them as the base and then modify them to fit your needs.

What Are The Steps in an Incident Response Plan?

Within the cybersecurity community there is a general consensus on the process an incident response plan should follow, but how the phases in the process are broken down into steps changes from person to person. Some use six steps while others use seven. I prefer the six steps below:

Prepare, Identify, Contain, Eradicate, Recover, Review

For each incident type listed in your plan you need to make sure each of these steps is addressed in the order listed. I will cover each of these steps below.

Prepare

The prepare phase covers all the activities you take before an incident happens. This includes items like writing your incident response plan, getting insurance, and purchasing and deploying security tools.

Identify

In the identify phase, you need to determine if a security incident is happening. You do this by continually asking yourself two questions: “How do I know this security incident type is not happening right now?” and “What evidence would convince me that this incident type is happening right now?” The answers to these questions are what drive the need for automated monitoring systems.
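As an added illustration (not the author’s code), here is what the second question looks like once it is written down as something a monitor can check: for two of the incident types mentioned in this post, ransomware and credential stuffing, the “evidence” is a burst of similar events, and the script flags it over a constructed audit log. The log format, the field layout, and the thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines "<iso-time> <actor> <event> <detail>"; format and thresholds are assumptions.
SAMPLE_LOG = """\
2023-11-20T09:00:01 alice RENAME /share/fin/q1.xlsx->/share/fin/q1.xlsx.locked
2023-11-20T09:00:02 alice RENAME /share/fin/q2.xlsx->/share/fin/q2.xlsx.locked
2023-11-20T09:00:03 alice RENAME /share/fin/q3.xlsx->/share/fin/q3.xlsx.locked
2023-11-20T09:05:00 bob RENAME /share/hr/draft.docx->/share/hr/final.docx
2023-11-20T09:10:01 203.0.113.7 LOGIN_FAIL carol
2023-11-20T09:10:02 203.0.113.7 LOGIN_FAIL dave
2023-11-20T09:10:02 203.0.113.7 LOGIN_FAIL erin
2023-11-20T09:12:00 198.51.100.9 LOGIN_FAIL frank
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, actor, event, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), actor, event, detail))
    return events

def burst(events, event_type, key_of, item_of, window, threshold):
    """Keys seeing >= threshold distinct items inside one window (bulk encryption, password replay)."""
    groups = defaultdict(list)
    for ts, actor, event, detail in events:
        if event == event_type:
            groups[key_of(actor, detail)].append((ts, item_of(actor, detail)))
    hits = []
    for key, items in groups.items():
        items.sort()
        for t0, _ in items:
            seen = {x for t, x in items if t0 <= t <= t0 + window}
            if len(seen) >= threshold:
                hits.append((key, sorted(seen)))
                break
    return hits

def identify(log_text):
    """Per incident type: the evidence found, or [] when nothing says it is happening right now."""
    ev = parse(log_text)
    return {
        "ransomware": burst(ev, "RENAME", key_of=lambda a, d: (a, d.rsplit(".", 1)[-1]),
                            item_of=lambda a, d: d.split("->")[0],
                            window=timedelta(seconds=60), threshold=3),
        "credential_stuffing": burst(ev, "LOGIN_FAIL", key_of=lambda a, d: a,
                                     item_of=lambda a, d: d,
                                     window=timedelta(minutes=5), threshold=3),
    }
```

An empty list for an incident type is the answer to the first question (no evidence it is happening now); a non-empty one is the evidence that should trigger the contain phase.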

Contain

The contain phase is focused on what needs to happen once an incident has been identified. Just like a doctor trying to treat a patient, the first thing you have to do is contain the threat and stop it from spreading or continuing to damage your environment. The most common method for containment is to isolate the affected resources from the rest of the environment. You should not move any further in the process until you have contained the incident. Once you do have it contained you can move to the next phase.

Eradicate

In the eradication phase, you focus on finding the source of the malicious activity and removing it from your environment. If you can’t gracefully remove the malicious source then wipe the computer and rebuild.

Recover

Once you are sure the source of the incident has been eradicated, it is time to recover. The recovery phase is where you return your systems to the operating state they were in prior to the incident. If you’ve been routinely backing up your data, this is where those backups become worth their weight in gold. You are transitioning from emergency to normal operations again.

Review

Now that things are running normally again, it’s time to perform a review. Look at what happened and assess what you can do to prevent it from happening again. Evaluate your plan. Did you have all the necessary steps in the plan or did you have to make adjustments? How can you make your plan better? The review step is extremely important. If you don’t take the opportunity to improve your response process while the last incident is fresh in your mind, you’ll just repeat the same mistakes again.

These are the foundations of a robust incident response plan. If you happen to be one of the rare ones who already has a good incident response plan in place, then the next thing you want to look at is opportunities to automate your response.

Unfortunately, security incidents are unavoidable. There are only 3 types of organizations. 1) Ones that haven’t had an incident yet, 2) ones that are recovering from an incident, and 3) ones that have an ongoing incident but aren’t aware of it. No matter which type you are, an incident response plan is an important tool to have. As we start to head into the holidays, consider setting aside some time to create or update your plan.

Do you think I missed anything? Let me know in the comments.

Written by

Gene Wright

When I'm not tanning in the glow of my monitor, I'm outdoors. Running, hiking, MTB, camping, and swimming are my favorites.