One of the main ways to prevent a cyber attack is to prepare in advance. For example, an effective incident response plan can save your business from financial loss and business disruption. Find out how to create a robust cybersecurity incident response plan to protect your business against a cybersecurity attack.

Cybersecurity incident response plan

Here are the ten main steps to an effective incident response plan. 

1. Determine key stakeholders
2. Identify critical assets
3. Run tabletop exercises
4. Deploy protection tools
5. Ensure maximum visibility
6. Implement access control
7. Invest in investigation tools
8. Establish response actions
9. Conduct awareness training
10. Hire a managed security service

1. Determine key stakeholders

Planning for a potential security incident is not the sole responsibility of the security team. Any security incident to a full-scale breach will affect every department in the company. Therefore, to properly coordinate a response, you need to identify the key stakeholders that should be involved. For example, members of senior management, security, IT, legal, and public relations. 

Firstly, work out who needs to be involved in the organisation planning exercises in advance. Then, establish a means of communication for a quick response. Note that normal channels of communications, like emails, might be impacted in the event of a security incident. 

2. Identify Critical Assets

To determine the potential scope and impact of damage from a security incident, you need to identify your high priority assets. If you have these in advance, your incident response team can focus on the most critical assets during an attack, minimising disruption to the business.

3. Run Tabletop Exercises

Practice makes perfect in incident response. Although it is difficult to replicate the events of a security breach, practice exercises can ensure a tighter coordinated and effective response if a security breach situation occurs. It is crucial for your staff and stakeholders to know their roles in the incident response plan. 

A tabletop exercise should test your organisation’s response on a variety of potential incidents and response scenarios. Common incident response scenarios include:

• An active adversary is detected within your network. Here, the response team must determine how an attacker infiltrated your network, what tools and techniques they used, what they targeted and if they have an established persistence. Then with this information, you will be able to neutralise the attacker. However, you might want to wait to eject the adversary to gain intelligence to discover what they are trying to achieve and what methods they are using to achieve them.
• Successful data breach. If a successful data breach is detected, your team need to determine what was targeted and how. As a result, this will then inform a proper response, including whether you need to consider the impact on compliance and regulatory policies. For example, if you need to contact customers, legal or law enforcement needs to be involved. 
• Successful ransomware attack. If your critical data and systems get encrypted, you need to follow a plan to recover those losses as quickly as possible. For example, you can restore systems using backups. Furthermore, to ensure the attacker won’t repeat the encryption as soon as you’re back online, you must cut off the adversary’s access. 
• High-priority system compromised. If your system is compromised, you might not be able to conduct your business regularly. Therefore, you also need to establish a business recovery plan to ensure minimal disruption. 

4. Deploy Protection Tools

One of the best ways to deal with security incidents is to protect your network in the first place. For example, ensure your organisation has an endpoint, network, server, cloud, mobile and email protection. Learn about how we protect our customer’s networks with Bitdefender.

5. Ensure you have Maximum Visibility

Without proper visibility during an attack, you will fail to respond to an attack appropriately. Before an attack occurs, IT and security teams need to understand the scope and impact of a potential attack by determining adversary entry points and points of persistence. Furthermore, gaining proper visibility includes collecting log data, with a focus on the endpoint and network data. Often, attacks take days or weeks to discover, so it is crucial to have historical data to investigate. Additionally, make sure you back up that data so you can access it during an active incident. 

6. Implement access Control

Attackers can leverage weak access control and infiltrate your organisation’s defences and escalate privileges. Therefore, regularly ensure you have proper controls in place to establish access control, including using multi-factor authentication, limiting admin privileges, changing default passwords and reducing the number of access points you need to monitor.

7. Invest in Investigation Tools

You must invest in tools that provide context during an investigation. For example, the tools you can use during incident response include endpoint detection and response (EDR) or extended detection and response (XDR). These allow you to hunt across your environment to detect indicators of compromise (IOC) and indicators of attack (IOA). EDR tools help you pinpoint the compromised assets, which also help you to determine the impact and scope of an attack. The more data you collect from the endpoints etc., the more context is available during your investigation. As a result, having broader visibility will allow your team to determine what the attackers targeted, how they gained entry and if they still have access. Additionally to EDR tools, advanced security teams could also deploy a security orchestration, automation and response (SOAR) solution that aids response workflows. 

8. Establish Response actions

Detecting an attack is only part of the process because you must also respond. For example, your IT and security teams need to conduct remedial actions to disrupt and neutralise the attacker. Response actions can include,

• Isolating the affected hosts.
• Blocking malicious files, processes and programs.
• Blocking command and control (C2) and malicious website activity.
• Freezing compromised accounts and cutting off access to attackers.
• Cleaning up adversary artefacts and tools.
• Closing entry points and areas of persistence leveraged by attackers (internal and third-party).
• Adjusting configurations (threat policies, enabling endpoint security and EDR on unprotected devices, adjustings exclusions, etc.).
• Restoring impacted assets via offline backups.

9. Conduct Awareness Training

Education programs like phishing awareness will help reduce your risk level and limit the number of successful attacks. Using tools like phishing simulators provides a safe way for your staff to experience and potentially fall victim to a phishing attack. Then, you can enrol those that fail onto a training course and identify riskier user groups who might require additional training. 

10. Hire a Managed Security Service Provider

Many organisations don’t have the resources to handle some security incidents on their own. Furthermore, you need the swift and effective response of an experienced security team. To ensure you can respond, consider working with a managed detection and response (MDR) provider. MDR providers offer 42/7 threat hunting, investigation and incident response as a service. They respond to incidents before they become breaches and reduce the likelihood of an incident happening. You can also use data forensic incident response (DFIR) services to collect evidence to support legal or insurance claims.

Conclusion

When a cybersecurity incident strikes, time is of the essence. Therefore, having a well-prepared, well-understood incident response plan that all key parties can put into action immediately will reduce the impact of an attack on your organisation. For more information about how to create an incident response plan, contact Northstar today.