How to develop a cyber security incident response plan that actually works

Having the right capabilities to respond to a data security incident is a necessity in the internet age. As the number and severity of reported security breaches continues to increase, CIOs need to change their team’s mindsets from defence to instant response.

A security incident response plan outlines the process your staff need to follow in the event of a breach. The problem is that techniques advance, everyone gets busy, and next minute it’s 2017 and your 2014 IR plan is sitting in Kevin’s bottom drawer underneath empty cans of Red Bull.

The next issue, and their biggest downfall, is that IR plans often lack specifics. They don’t give the people who detect a breach the authority they need to make fast, decisive decisions. As highlighted in a report by McKinsey, IR plans are more often than not generic, lack depth and aren’t implemented across all units of a business; they stay confined to business silos. But breaches can occur in any area of the business, and the affected team needs to be able to act fast. To create a more resilient organisational culture that can respond effectively to incidents, consider the following steps.

1. Not all incidents are created equal

In general terms, anything that affects the confidentiality, integrity or availability of your products and services is called an incident. This is quite, well, general, and it creates the practical problem of prioritising responses and fixes across very different incidents.

An effective IR plan needs a severity scale that helps the IT security team rank incidents, from those requiring a critical fix all the way down to the lowest need. Security contractor Aleph Tav Technologies says “defining the term within the context of your operations requires infallible perception and situational awareness.” This means that your team needs to understand what the top priority is within the particular context of your organisation. According to Aleph Tav Technologies, organisations cannot effectively pair an incident response plan with the level of support and threat management capability it requires without precise identification of the source of a breach, its intent, impact, and entry point.

2. Focus on the incidents that concern your business

Avoid over-scoping in your IR plan and keep it relevant to your business. The SANS Institute states that while your security team should have a general idea of every breach that might occur, your plan should focus on actionable steps for the most likely intrusions to cause critical impact. Veracode suggests security teams ask themselves, “What is our threat landscape and why would hackers and criminals want to attack us?”

And this question needs to be asked every eight weeks, or even monthly, not every two to three years. The IR plan needs to constantly reflect real-world scenarios and encompass learnings from public and personal experience. It’s often here that external contractors are brought in to help the team think creatively and outside the box about what information hackers might be after and how they could attempt to gain access to it.

3. The incident level is high, now what happens?

Once the severity scale is established and your team knows which incidents are most likely to take place, they need to know what to do when they find a breach. Aleph Tav Technologies suggests following the What, How and Why formula of incident response. This method starts with identifying the breach, then examining it, resolving it and restraining anomalies by using methods, standards and processes that reduce impact, avoid blackouts, accelerate recovery and build resilience. This is rapid diagnosis using intrusion forensic methods; an example is shown below. You can clearly see that once the issue is discovered, the security team does what it can to shut down the breach in a bid to stop any further data leaks. Creating a visual representation of the steps, like the example below, will help your team see how these methods can be put into practice.

Aleph Tav Technologies' method after a breach

4. Practice what you preach

IR plans are created to minimise the damage caused by security incidents, provided that your team can action a response when it really matters. A plan is hardly worth the (virtual) paper it’s written on if the team buckles under pressure.

Ordinarily, security staff aren’t trained like police and fire emergency crews, but maybe there’s something security professionals can learn from the preparedness of first responders. Upskilling your staff through drills, such as “test” breaches, will help them keep their cool and get on with the job when it’s most needed. They should know their procedure like the back of their own hand without having to reach for the outdated IR plan. Running through the plan during a monthly meeting can help with this and can also serve as an occasion to update the plan with practical learnings. During this review you may also notice gaps in your security team that need to be filled, or current team members who need to be upskilled.

5. Restore first, discover the cause later

Once a breach is contained or blocked off, the next step should be restoring services. Veracode suggests keeping the focus on the customer by getting them back online as quickly as possible, and only then examining the root cause of the incident.

It can take weeks, even months, to understand the root cause of a sophisticated attack. While engineers and analysts will want to spend considerable time reviewing it, they should do so only once services have been restored, to minimise downtime and damage to the organisation’s reputation. That said, this doesn’t mean a thorough review should be skipped. The best security teams will always review an incident and find its root cause to reduce the likelihood of similar breaches in future.

Report it for the good of the IT world

Sadly, reporting a breach is still not common practice within the business world. Organisations fear for their reputation and the stigma associated with security breaches. However, this attitude will need to change if IT security is ever to stand a chance of keeping up with the inventiveness of cyber criminals. The more organisations report incidents to their national security body, even anonymously, the more accurate the data available to the industry becomes. Security boards can then provide useful and practical information about threats, helping others safeguard their data before irreparable damage occurs.

Gain the insights you need to prepare your organisation for a critical breach at CeBIT Australia’s 2017 Cybersecurity conference. Get your tickets today.