The Incident Response Plan - Preparing for a Rainy Day

The unfortunate truth is that while companies are investing more in cyber defenses and taking cybersecurity more seriously than ever, successful breaches and ransomware attacks are on the rise. While a successful breach is not inevitable, it is becoming more likely despite best efforts to prevent it from happening.

Just as it wasn’t raining when Noah built the ark, companies must face the fact that they need to prepare - and educate the organization on - a well-thought-out response plan if a successful cyberattack does occur. Obviously, the worst time to plan your response to a cyberattack is when it happens.

With so many companies falling victim to cyberattacks, an entire cottage industry of Incident Response (IR) services has arisen. Thousands of IR engagements have helped surface best practices and preparedness guides to help those that have yet to fall victim to a cyberattack.

Recently, cybersecurity company Cynet provided an Incident Response plan Word template to help companies plan for this unfortunate occurrence.

Planning for the Worst

The old adage “hope for the best, plan for the worst” is not entirely accurate here. Most companies are actively working to protect themselves from cyberattacks and certainly not merely hoping for the best. Even so, planning for what to do post-breach is a very worthwhile endeavor so the company can immediately spring into action instead of waiting for the plan to come together. When a breach occurs, and attackers have access to the network, every second counts.

An IR Plan primarily documents clear roles and responsibilities for the response team and defines the high-level process the team will follow when responding to a cyber incident. The IR Plan Template created by Cynet recommends following the structured 6-step IR process defined by the SANS Institute in their Incident Handler’s Handbook, which by the way, is another great IR resource.

The six steps outlined are:

1. Preparation—review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
2. Identification—monitor IT systems and detect deviations from normal operations and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
3. Containment—perform short-term containment, for example, by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
4. Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
5. Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify, and monitor affected systems to ensure they are back to normal activity.
6. Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.

The IR Plan Template helps organizations codify the above into a workable plan that can be shared across the organization. Cynet’s IR Plan Template provides a checklist for each of the IR steps, which of course, can and should be customized based on each company’s particular circumstances.

Moreover, the Cynet IR Plan Template delves into IR team structure along with roles and responsibilities to prevent everyone from running around with their hair on fire during the frantic effort to recover from a cyber incident. With a lot of moving pieces and tasks to accomplish, it’s critical that the staff prepare and know what will be expected of them.

You can download the Word template here