Incident Response Plan – A 7 Step Guide

By Philip Robinson | Published on 02.04.2019 | Data Security

All enterprises should have an incident response plan in place to help minimize the damage caused by a cyber-attack. The plan should enable enterprises to recover in the shortest time possible, at the lowest cost and with the least damage to their reputation. The plan should list the processes to be executed in the event of a breach and should also provide a clear definition of what actually constitutes a security incident.

Enterprises will also need to appoint a Cyber Incident Response Team (CIRT) or Computer Security Incident Response Team (CSIRT): the key personnel responsible for executing the incident response plan. The CIRT/CSIRT does not consist only of IT security professionals; it also includes public relations, human resources and legal staff, who are required to communicate with executives, stakeholders, supervisory authorities and the public.

So, first things first…

What is Incident Response?

Incident response is not a method of detecting or preventing data breaches and cybersecurity incidents before they happen. As the name suggests, IR is all about how an organization reacts in the aftermath of an incident. The goal of a good IR plan is to limit the damage that breaches cause in terms of data leakage and cost, and to reduce the time taken to recover.

Why is Incident Response Key for Security?

Without a strong incident response plan in place, you are likely to suffer the full effects of a data breach: significant financial and reputational damage resulting from the loss of customer data, trade secrets and intellectual property, together with the resulting compliance fines. Without an IR plan in place, it could take years to fully recover from a data breach, and many organizations never truly recover.

7 Important Steps for a Successful Incident Response Plan

The importance of Incident Response cannot be overstated. Organizations have to deal with data security threats every day and even the most minor data security issues can escalate into a full-blown catastrophe. You must ensure that your CIRT/CSIRT members know their roles, perform under pressure and respond in the right ways.

For this, you will need to train your CIRT/CSIRT team as well as drawing up an IR plan, so that the two work in conjunction with each other.

1. Preparation

The preparation phase consists of ensuring that employees are well trained, specifying the members of the CIRT/CSIRT, and ensuring that the necessary technology has been implemented. Data backups should be taken, and mock data breaches should be conducted to evaluate the effectiveness of the plan and the CIRT/CSIRT team.

2. Identification and Scoping

This is perhaps the most important phase of the IRP. Essentially, you will need a fast and effective means of detecting security incidents that require a response from the CIRT/CSIRT. It is therefore essential that you have implemented the right tools and technologies. For example, you will need Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA) solutions in order to monitor endpoints and network traffic for indications of suspicious behavior.

3. Data Access Security

You will also need to know exactly who has access to your critical data or assets, where those data or assets are located, and when they are being accessed. Solutions such as the file server auditing component of LepideAuditor provide real-time details of who has access to which data, and who made what changes at what time.

4. Containment/Intelligence Gathering

This phase involves containing the threat to prevent further damage and gathering as much information about the incident as possible. Again, LepideAuditor enables IT teams to review a history of the events that took place before the incident and can generate over 300 pre-set reports, which can be used in potential legal proceedings and to satisfy compliance requirements. You can also make use of threshold alerting and automated script execution to sharpen your detection and response strategies.
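To illustrate the threshold alerting referred to above (and the who/what/when file-access records from step 3), here is an added example, written for this article rather than taken from LepideAuditor: it runs a sliding-window threshold over a constructed file-server audit trail and flags any account whose modify/delete rate exceeds a limit, giving the CSIRT the account and time span to scope containment. The event format, the user names and the paths are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-server audit trail (not real LepideAuditor output).
# Assumed format: ISO timestamp,user,action,path -- events are in time order.
SAMPLE_EVENTS = """\
2019-04-02T09:00:05,alice,MODIFY,hr/policy.docx
2019-04-02T09:00:10,bob,DELETE,finance/q1.xlsx
2019-04-02T09:00:15,bob,DELETE,finance/q2.xlsx
2019-04-02T09:00:20,bob,DELETE,finance/q3.xlsx
2019-04-02T09:00:25,bob,DELETE,finance/q4.xlsx
2019-04-02T09:00:30,bob,DELETE,finance/budget.xlsx
2019-04-02T09:00:35,bob,MODIFY,finance/notes.txt
2019-04-02T09:05:00,carol,MODIFY,sales/leads.csv
2019-04-02T09:20:00,carol,MODIFY,sales/leads.csv
2019-04-02T09:35:00,carol,MODIFY,sales/leads.csv
2019-04-02T09:50:00,carol,MODIFY,sales/leads.csv
2019-04-02T10:05:00,carol,MODIFY,sales/leads.csv
2019-04-02T10:20:00,carol,MODIFY,sales/leads.csv
2019-04-02T10:45:00,alice,READ,hr/policy.docx
""".splitlines()

# Only changes to data count towards the threshold; reads are kept but not scored.
WATCHED_ACTIONS = {"MODIFY", "DELETE"}

def parse_event(line):
    ts, user, action, path = line.split(",", 3)
    return datetime.fromisoformat(ts), user, action, path

def threshold_alerts(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window threshold alerting: fire once per user the first time they
    exceed `threshold` watched actions inside `window`. Returns a list of
    (user, count, first_ts, last_ts) tuples for the containment phase."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerted, alerts = set(), []
    for line in lines:
        ts, user, action, _path = parse_event(line)
        if action not in WATCHED_ACTIONS:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, len(q), q[0], ts))
    return alerts
```

With the defaults only bob is flagged (six changes in 25 seconds); carol's steady edits every 15 minutes stay below the rate, which is the point of scoring a rate rather than a raw count.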

5. Eradication/Remediation

Naturally, once the threat has been detected, contained and analyzed, enterprises will need to remove the actual threat from the network and restore the system to a functional, uninfected state. Any compromised credentials will need to be reviewed and reset, and this must be well-communicated to those involved.

6. Recovery

The recovery phase is where all systems are put back into production and monitored to ensure that they are functional and showing no signs that they have been compromised.

7. Follow Up/Review

The CIRT/CSIRT should document any issues that arose during the previous phases of the IRP and make suggestions about how these issues could be resolved during future incidents. This documentation should be included in the training material used in the preparation phase.

Whose Responsibility is Incident Response?

Whatever you call your CIRT or CSIRT team, you should think carefully about who you include within it. You could hire all new staff for this team, or it could be a secondary role. Regardless, they must be well trained with a good head for cybersecurity.

You should have an Incident Response Leader who heads up the CSIRT and makes sure that the IR plan is up to date and used correctly. You should also have Security Analysts who act as the enforcers, essentially carrying out the steps of the IR plan, and some form of research team responsible for providing intelligence on security threats and incidents.

You should also not limit incident response to the CSIRT team. You could get help from numerous other departments, including management and HR, to help communicate the incident response plan across the business.

What to Do in Response to a Cyber Security Incident

Let’s say you’ve experienced a cybersecurity incident and your CSIRT has effectively followed your incident response plan. You might think, job done. Not quite! Take a step back and review how well your IR plan did and how well your CSIRT team handled the breach. Is there anywhere you can make improvements?

Always keep an eye out for new technology that can help your CSIRT team to detect and respond to security incidents quicker. There are many solutions on the market that can aid incident response, including LepideAuditor, the Data Security Platform from data security company Lepide.

How LepideAuditor Helps Improve Incident Response and Empowers the CSIRT

LepideAuditor proactively monitors your key IT infrastructure and alerts you when anomalous user behavior is detected so that your CSIRT can respond in a timely manner. Using the data security platform, you will be able to discover where your sensitive data is, find out who has access to it, determine what changes are being made to it and ensure that the surrounding environment is secure.

LepideAuditor will help CSIRTs to investigate and respond to security incidents more quickly through proactive monitoring, real-time alerting and detailed reporting. You can even integrate your existing SIEM solution with the data security platform for complete data security intelligence.

Come and take a look at LepideAuditor in action with a personalized demo and see how it can help you improve your incident response.