Incident response is a structured process an organization utilizes in the event of a cybersecurity incident, designed to support effective preparation, detection, mitigation, and recovery. Although the concept itself is relatively straightforward, there is a certain complexity in the development of a truly thorough plan for critical incident response.
As stated in the Computer Security Incident Handling Guide from the National Institute of Standards and Technology (NIST),
“Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.”
We will be taking a detailed look at the core components of a critical incident response plan, providing you with a foundational framework for developing and improving your organization’s incident response plan.
What is an Incident Response Plan?
An incident response plan (IRP) is a documented series of procedures that break down the steps that will be taken throughout the process of incident response.
This process enables an organization to enact a timely and effective response to cybersecurity events, allowing for successful containment as well as the development of a strategy to ensure the incident will not happen again.
What are the six phases of incident response?
Generally, the incident response phases are:
- Preparation for cybersecurity incidents
- Identification or interpretation of an attack (and its nature and severity), so that a response can be prioritized appropriately
- Containment of the threat
- Eradication of the threat
- Recovery from the incident
- Post-incident analysis of relevant information to prevent the recurrence of the incident, assess response, etc.
What Should be Included in an Incident Response Plan?
The goal of any incident response plan should be to outline a focused, clearly coordinated approach to dealing with a full spectrum of cybersecurity events. Because the structure, size, and various functions of each organization are unique, each incident response plan will be different, and a generic, one-size-fits-all plan simply will not suffice.
The basic elements of an incident response plan are:
- Mission and goals
- Roles and responsibilities of the critical incident response team
- Documentation of preparation for cyberthreats
- Documentation of the process for identifying a critical incident
- Criteria for when a critical incident will be declared
- Processes for mitigation and containment
- Rapid recovery plans
- Post-incident evaluation and review
All these elements are useful in not only cybersecurity incident response, but also as part of plans for handling incidents such as physical security breaches, office theft, and others.
1. Mission and goals
A robust critical incident response plan should be founded on a set of high-level goals to achieve maximum efficacy.
Begin your IRP with a mission statement that is:
- Simple
- Actionable
- Inclusive of and agreed to by all relevant stakeholders
- Practical
- Flexible and routinely updated
2. Roles and responsibilities of the critical incident response team
An IRP should also document the roles and responsibilities of your incident response team during an attack. Specific individuals should be given ownership of crucial tasks, and the documentation in this section of the IRP should include:
- The members of the incident response team (we will examine this in detail in an upcoming section)
- The processes and key point people for communicating with your organization’s executive management, legal team, public relations team, and cybersecurity providers
- The processes and key point people for communicating with employees, business partners, vendors, and/or customers as needed
- If necessary, a system to quickly automate responses to relevant cybersecurity and/or data privacy regulations, such as the GDPR and CCPA
In smaller organizations, the incident response team may be made up of employees that fulfill other full-time roles; in large organizations, the team may be comprised of full-time incident response staff. Regardless of how your organization opts to structure your IR team, it should feature these important roles:
- Incident response managers: Approve the final plan and coordinate action when an incident takes place
- Security analysts: Review security alerts, pinpoint potential incidents, and investigate an attack to better grasp its scope
- Threat researchers: Obtain contextual information relevant to a given threat, gathering details from the web, security data, threat intelligence feeds, and other trusted sources
- Additional stakeholders: Can include senior management, human resources staff, public relations staff, and/or senior security employees
- Third parties: Can include cybersecurity service providers, legal counsel, and/or law enforcement
Although it is possible to build an incident response team with existing internal staff, a growing number of organizations are opting to centralize their efforts by partnering with cyber incident response companies.
3. Documentation of preparation for cyberthreats
In this portion of an IRP, you will document the processes that are in place to prepare for, prevent, and respond to cybersecurity attacks, such as:
- Cybersecurity awareness training efforts
- An overview of the primary cyber threats most likely to impact your organization
- Policies for responding to cybercriminal demands, such as payments made to attackers
4. Documentation of the process for identifying a critical incident
There should also be a detailed process for detecting a potential incident, one that prioritizes quick and effective action. Document these detection procedures:
- Processes for analyzing security alerts provided by various systems, including intrusion detection, security information/event management, etc.
- Processes for users to report unusual activity and attack attempts
- An escalation process that provides a clear pathway for the prioritization of critical threats
5. Criteria for when a critical incident will be declared
Your organization will need to balance your acceptable level of risk, use of time and resources, and other aspects in order to differentiate between minor and major incidents. Determining an incident response threshold largely depends on your organization’s needs, ability to invest resources, specific industry compliance requirements, and other factors.
6. Processes for mitigation and containment
Once an incident is officially announced, there should be processes for managing and containing these incidents appropriately. These processes may include plans for the establishment of a central communications hub, isolation of impacted resources/users/systems/etc., and other strategies.
One of the most imperative aspects of developing a critical incident plan is determining your organization’s top priorities after an event. It is important to decide whether returning to full operational capacity is your primary focus, or if efforts should be concentrated on gathering forensics (gaining an understanding of what happened, how it happened, and so on). If the main priority is to collect and analyze evidence, the affected systems will need to be treated as a virtual crime scene of sorts; that is, normal use cannot resume until all forensic processes are complete. In many cases, this means that the system(s) may remain offline for an extended period. For some organizations, this is a worthwhile tradeoff; for others, resuming operations carries far more importance. Ultimately, it is a decision that your organization should make long before an incident occurs.
7. Rapid recovery plans
Although managing an incident is essential, equally important is having a plan to recover business operations and productivity. Therefore, your organization will need to devote attention to preparing a strategy for testing affected systems, bringing systems back online, and announcing the closure of an incident.
8. Post-incident evaluation and review
Once an incident has concluded, your organization can use the event to glean valuable knowledge. Learning from an incident empowers your organization to prevent it from happening again, as well as improve your response to future issues.
This IRP component includes plans for:
- Evaluating the incident to pinpoint a root cause
- Patching affected systems
- Assessing the efficacy of the response
- Identifying lessons to be learned
Incident Response: An Evolving Strategy
Perhaps one of the most important things to know about incident response plans is the necessity of their evolution and adaptation. At minimum, your organization should conduct a review of its IRP to identify any needed changes, as well as to implement strategies to scale the plan if necessary.
I hope you found this information helpful. As always, contact us anytime about your technology needs.
Until next time,
Tim