Learning from Incident Response — Get the latest insights from the cyber trenches
Why and How to Build a Proactive Incident Response PlanA thorough and well-tested incident response plan can enable organizations to quickly mitigate and recover from a compromise. By: Patrick Barnett, Incident Response
Organizations have historically relied on a piecemeal, ad-hoc approach to managing cybersecurity incidents. However, the approach does not scale as threat actors become more sophisticated, attacks become more complex, and advanced malware tools and services become more widespread and easy to use. Relying on a reactive approach can increase the time and costs associated with an incident. According to a 2021 report, the average cost of a data breach is more than $4.24 million USD. A proactive approach is necessary. Developing and testing an incident response plan to limit the impact of a compromise is paramount for all organizations, regardless of their size or business model.
Why develop an incident response plan?
As part of their security posture, organizations should implement preventive cybersecurity measures to limit their risk. Endpoint detection tools, antivirus software, and security controls can block many threats. Training employees to recognize and report social engineering attacks and other suspicious activity is also crucial. However, a threat actor may circumvent these protections. An established incident response strategy can help mitigate the impact of a compromise, reduce the downtime of business operations, and limit data loss and costs.
An incident response plan outlines the roles and responsibilities of each team member during an incident. A good plan includes not only information technology and information security staff, but other important roles in the organization (e.g., legal, compliance, audit, human resources, finance, operations, physical security, communications) and applicable third-party providers. It also defines the strategies, objectives, tools, and steps to declare, investigate, analyze, contain, and eradicate the incident. Developing and testing a comprehensive incident response plan has multiple benefits:
- Protect confidential data - Data protection is vital within an organization. Organizations must understand what data is used and stored in their environment and how it is classified and protected. Costs associated with failure to properly secure confidential data include penalties, fines, and legal fees. Threat actors often sell stolen data on underground forums or leverage it in ransomware or social engineering attacks for financial gain. Stolen personally identifiable information (PII) can also lead to identity theft.
- Limit the financial impact - A compromise can have substantial financial implications. If business operations are affected, the organization loses revenue during the downtime. Additionally, there may be fines, legal fees, and compliance penalties, as well as costs associated with investigating the incident, replacing software or hardware, adding security measures, and increasing marketing and public relations efforts. The faster an organization responds to and recovers from a compromise, the less financial burden it incurs.
- Preserve reputational integrity and customers’ trust - A compromise can negatively impact an organization’s reputation and even stock prices, especially if it is mismanaged or resulted in extended downtime for customers. Customers want to be confident that an organization is doing everything in its power to protect their data from cybercriminals. If an organization fails to respond quickly and effectively to a cybersecurity incident, customers can feel betrayed and search for alternate providers.
How to build a proactive incident response plan
Incident response plans help organizations reduce risks and costs associated with a compromise and reduce the amount of time required to recover. There are many layers to a good cybersecurity defense, and these layers may differ across organizations. An incident response plan must contain the necessary steps to address a worst-case scenario and return to business as usual as quickly as possible, minimizing interruption to both the business and customers. A proactive incident response plan should incorporate the following elements:
- Planning and preparation - Everyone involved in responding to an incident must understand the overall incident response strategy and their specific role. They must also have the necessary training and tools to fulfill their duties. The plan should identify a backup for each person in case the primary contact is unavailable. Defining communication channels and escalation procedures may be the most important aspects of an incident response strategy, as efficient communication facilitates a prompt response. As applicable, incident responders should comply with annual continuing education requirements. For example, standards such as Payment Card Industry Data Security Standard (PCI DSS) require at least 24 hours of continuing education each year.
- Identification and investigation - Many organizations use a combination of internal monitoring and third-party managed security service provider (MSSP) solutions to detect and alert on suspicious activity in their networks. They must establish a process for investigating alerts, reporting malicious activity, and escalating security incidents. The incident response plan should document this workflow.
- Analysis - Organizations should have procedures for capturing a forensic copy of memory and disk images on compromised assets so they can conduct a thorough analysis. Many organizations do not have the capabilities to perform rapid forensic analysis of a malware payload themselves, but their MSSP or another third-party provider may be able to conduct this type of analysis within hours or days.
- Search systems and networks for evidence left by the threat actor.
- Analyze tools, malware payloads, or binaries the threat actor leveraged in the attack.
- Document the compromised systems, networks, devices, and accounts to determine the scope of the incident.
This forensic analysis can reveal valuable data such filenames, IP addresses, port information, hashes, heuristic information, URLs, compromised account information, and applications used in the attack. The information enables the organization to determine the best actions to repair damages and prevent further attacks.
- Search systems and networks for evidence left by the threat actor.
- Containment - Incident responders contain the incident by rendering malware payloads benign or by locating all malware artifacts and isolating impacted endpoints from the network. To contain damages, the incident responders coordinate shutdowns of all compromised systems until the threat is mitigated. They should also wipe and rebuild affected systems and methodically change the login credentials of all accounts.
- Eradication - After collecting the forensic information and containing the incident, it is critical to remove the threat actor from the environment and block access vectors to prevent reentry. Actions may include patching exploited vulnerabilities or increasing employee training about phishing attacks.
- Recovery - As the organization resumes normal business operations, incident responders should monitor for indications that the threat actor is attempting to reenter the network. They should closely monitor network traffic, help-desk calls, advanced security tools (e.g., firewalls, endpoint detection tools), and logs. Other team members may focus on developing a risk mitigation strategy and a remediation strategy to protect the organization from future incidents.
- Post-incident review - The post-incident review is often the most overlooked part of an incident response plan, but it is extremely important. This phase enables the organization to learn from the incident and identify opportunities to enhance their incident response plan, playbooks, security tools, and strategies. The incident response team will likely also need to produce a detailed written report describing the incident for stakeholders such as the executive leadership team, board of directors, audit and compliance staff, internal counsel, and their cyber insurance firm.
Testing the plan
Developing an incident response plan is not enough. It should be tested and reviewed at least once a year to ensure that it addresses all necessary steps and that all team members understand the process. Mock tabletop exercises are effective for testing. Everyone with a role or responsibility in the plan should participate to identify areas of concern and hone the plan. Ideally, a neutral third-party coordinates, analyzes, and critiques the mock exercise. Following the critique, the organization should implement any necessary changes and retest the plan as soon as possible.
The cyber threat landscape continues to evolve, and organizations cannot afford to rely on a reactive approach. By proactively developing and testing an incident response plan, an organization ensures that it can effectively and thoroughly respond to cybersecurity incidents and minimize damages, downtimes, and losses.
If you need urgent assistance with an incident, contact the Secureworks Incident Response team.