Surviving the Worst-Case Scenario: Best Practices for Incident Response
There’s no way around it: Cyberattacks are escalating. According to data from the Identity Theft Resource Center (ITRC), the number of reported data breaches from January to September 2021 exceeded the total volume of breaches in 2020 by 17 percent — and with threat vectors such as ransomware and phishing on the rise, this number isn’t going anywhere but up.
What does this mean? It’s a matter of when, not if, when it comes to network compromise, and companies can no longer assume that security frameworks offer invincibility from evolving cyberattack trends. Instead, they need an approach designed to help them survive the work-case scenario — and come out stronger on the other side.
This is the role of robust cybersecurity incident response (IR) plans. Here’s what you need to know about how these plans work, where they can help, and what steps are necessary for effective implementation.
What is a Cybersecurity Incident Response Plan?
A cybersecurity incident response plan provides a framework for teams to follow in the event of a cyber incident or attack. Research firm Gartner defines an IR plan as something “formulated by an enterprise to respond to potentially catastrophic, computer-related incidents such as viruses or hackers.”
While there are no one-size-fits-all approaches to creating a cybersecurity incident response plan, common components include:
- Creating an overall strategy to mitigate risk
- Identifying potential threat vectors
- Assigning specific tasks to team members
- Testing the plan regularly to ensure effective operation.
It’s also worth noting that cyber incident response plans play a role in regulatory compliance. With companies now handling large volumes of financial, personal, and health information from various sources, alignment with compliance expectations requires companies to adopt the mandate of “due diligence.” That is, they must take every reasonable precaution to protect data at rest, in transit, and in use. While businesses can’t avoid every cyberattack, lacking due diligence can lead to legal and regulatory challenges. Robust incident response frameworks help ensure organizations are meeting current compliance goals.
How can a Strong Cyberattack Incident Response Plan Help Put the House Back Together?
A robust IR plan helps put your digital house back together by providing a pathway from initial incident detection to eventual remediation. This is critical because when incidents occur, panic and fear are common responses: Teams want to do everything they can to get networks back on track but simply throwing everything you have at the problem — all at once — often leads to process overlap and policy confusion.
By creating a cyberattack incident response plan that lays out a specific order of events when threats are detected and assigns key tasks to staff, teams can respond in unison when attacks occur. For example, one employee may be responsible for identifying the source of the threat, while another looks to quarantine the affected area. Other team members may be tasked with informing C-suite members about what’s happening and ensuring that backup data is safe from harm.
The Phases of an Incident Response Plan: Timing is Everything
Cyber incidents happen without warning and in real-time — they don’t wait for companies to ready their defenses and prepare for an attack. As a result, timing is everything. Businesses must be ready to respond at a moment’s notice when attacks occur to mitigate the overall impact and get systems back up and running ASAP.
To help streamline this process. The National Institute of Standards and Technology (NIST) defines four key phases:
- Preparation speaks to the actions taken before an attack occurs. These include regular network evaluations such as vulnerability scans and penetration tests, along with the deployment of protective tools such as encryption software, failover backups, and automated incident analysis tools.
- Next is detection and analysis. This includes determining primary attack vectors — such as emails, web applications, brute-force efforts such as DDoS or improper network usage by employees — along with identifying and analyzing signs of compromise such as network performance drops, antivirus warnings, or unusual traffic amounts.
- Containment, Eradication, and Recovery policies determine where attack data will be stored for analysis and debriefing, while eradication looks to remove malware code or breached user accounts once attacks are under control. Recovery focuses on bringing systems back online using a staged approach to ensure no threats remain.
- Finally, post-incident activity asks the question: What did we learn? By using data collected during the attack, companies can assess what information was needed sooner to improve response, what additional steps might speed recovery, and what steps they can take to prevent future incidents.
Top Tips for Managing Collateral Damage After an Attack
After attacks occur and incident response plans activate, it’s critical to manage collateral damage and get back on track. Five best practices include:
#1 Prioritize Visibility
The more you know, the better prepared you are to respond when attacks occur. By prioritizing network visibility, your team can discover what they don’t know and take appropriate action.
#2 Define Recovery Times
Recovery point objectives (RPOs) and recovery time objectives (RTOs) help set goals for getting back on track and provide a finite resolution to the IR process.
#3 Seek Out Answers
While successfully mitigating an attack offers business value, managing long-term collateral damage means looking for answers about what happened, why, and what can be done to prevent similar breaches in the future.
#4 Leverage Active Backups
Multiple local and cloud backups can help get your systems back up and running. By logically segmenting them from operational networks, you can significantly reduce their risk of compromise and streamline the recovery process.
#5 Practice, Practice, Practice
As noted by the Open Web Application Security Project (OWASP), practice is paramount to ensure IR plans work as intended. From regular drills to simulated, unscheduled attacks, the more you practice your cybersecurity incident response plan, the better.
Surviving — and Thriving — After the Worst-Case Scenario
While the goal of cybersecurity planning is to help companies survive the brunt of an attack and come out the other side relatively unscathed, effective IR response offers actionable post-incident threat data to help enterprises reduce the risk of future attacks. Intelligent network modeling from RedSeal, meanwhile, provides the insight and integrations you need to take action and thrive in the wake of cyberattacks quickly.
By creating a comprehensive model of your network across cloud, hybrid and virtual environments, teams can quickly locate compromised devices, determine which assets are accessible, and take steps to stop attackers in their tracks. Integration with IBM QRader, Splunk Adaptive Response Initiative, and ArcSight, meanwhile, provides end-to-end situational awareness for improved response.
Survive the worst-case scenario — and come out better on the other side — with an in-depth cyberattack incident response plan. See how RedSeal can help.