Cyber Security Incident Response Plan: How to Proactively Prepare for a Breach

By Joseph Carson, Advisory CISO, ThycoticCentrify

Many organizations are coming to the harsh realization that it’s only a matter of when, not if, they will fall victim to a cyberattack.

These attacks can range from data breaches to ransomware to Distributed Denial of Service (DDoS) attacks and are often a result of malicious actions by cybercriminals or nation-state actors operating from different parts of the globe.

There is no shortage of technology designed to defend against cybercrime, but it will always come down to your organization’s ability to make the right security decisions. Failing to properly train employees on the security measures you have in place can greatly increase the risk of a simple mistake – like clicking a phishing link, for instance – threatening your entire network and infrastructure.

Cyber incident response is a structured technique used to manage an organization’s cybersecurity incidents to limit further damage. Formulating a cyber incident response plan specific to your organization is an investment in its cybersecurity. It should be a permanent item on your breach checklist.

Incident Response Plan

Planning and preparing for a cybersecurity incident is crucial to ensure your response is efficient and organized. A lack of preparation is certain to result in major repercussions should you fall victim to a cyberattack.

Let’s review some steps your organization can take to increase resiliency and response.

1. Ownership and Responsibility – The first step to implementing an incident response plan is to decide who will be responsible for it. Keep in mind who has the appropriate training, what tools and systems are available to handle an incident, and the amount of time that may be required for incident response.
2. Roles and Contacts – There must be clearly specified roles for anyone and everyone who would be involved in incident response regardless of their department or position in the organization. They have to know how a cyber-attack can impact them and what they’re expected to do to mitigate it.

An attack becoming public, for example, can bring a unique set of challenges that your entire organization must be prepared to handle. Your help desk can get overwhelmed with customer calls, which may lead to a DDoS attack on the help desk, so it’s crucial to understand the capacity and strength of your help desk in the event of an attack.

3. Contacts and Methods of Communication – Typical means of communication – such as email, messaging, or VoIP – may be severed in an attack, so it’s important to have alternative contact details and means of communication on hand at all times. Who needs to be contacted during an incident? What is the priority list of contacts? It should also be available offline and include system owners and technical responders.
4. The Threat – Clearly define how the incident was identified. Was it internal, external, a system alert, or another method? Who detected it, and how was it reported? Record all the sources and times that the attack has passed through. At what stage of the incident did the security team get involved?

Document the entire nature of the incident from the type of incident, source, assets and resources affected, location, and extent. Assess the impact on your company based on the data on system classification so you can identify the proper security measures to perform next. It’s crucial for each step taken during the incident to be recorded.

5. Identification and Confirmation – If the incident has not yet been confirmed at this point, you must pinpoint the type of incident and verify that it is a real incident.
6. Containment – This involves stopping the attack to avoid any further harm. You must decide if the incident is safe to watch and learn from once it’s been identified and confirmed, or if you have to take more dramatic measures and pull the plug. The indicators of compromise (IoCs) can help indicate the extent of the impacted systems and update firewalls and network security to record evidence that can be used for forensics in the future. Determine what, if any, sensitive data was stolen and what the potential risk is to your company.

This stage is where you must prepare for potential legal outcomes. Consult with your legal team and review compliance and risks to see if any regulations were impacted. Depending on your country, industry, or the data affected, you may also have to report the incident to appropriate authorities or affected parties such as partners and customers. This is where prepared PR statements are crucial.

7. Eradication – Repair the affected systems to their original state, and compile all the evidence available while maintaining a solid chain of custody. Collect logs, audits, memory dumps, disk images, and network traffic. Digital forensics will be limited without proper evidence compiling, making a follow-up investigation unlikely. Get rid of the security risk so the attacker no longer has access.
8. Recovery – Recovery from the incident is needed to recuperate systems availability, integrity, and confidentiality. Make sure your services have been restored and company operations are back on track. Establish monitoring and continuous detection on the IoCs from the incident.
9. Lessons Learned – Learning from the cybersecurity incident is very important. What went well during the incident, and what could have been done better? Create an Incident Response Report that includes all parts of the company that were impacted by the attack.

A Cyber Security Incident Response Plan is Crucial

No organization wants to experience it, but it’s only a matter of time before you become the victim of a cyber-attack. It’s becoming more and more likely with the ever-expanding cybercrime landscape. Having a solid response plan in place could be the difference in reducing risks and minimizing impact to ensure your company can comfortably move forward following a cybersecurity incident.

About the Author

Joseph Carson is a cyber security professional and ethical hacker with more than 25 years’ experience in enterprise security specializing in blockchain, endpoint security, network security, application security & virtualization, access controls and privileged account management. Joseph is a Certified Information Systems Security Professional (CISSP), active member of the cyber security community frequently speaking at cyber security conferences globally, often being quoted and contributing to global cyber security publications. He is a cyber security advisor to several governments, critical infrastructure, financial, transportation and maritime industries. Joseph is regularly sharing his knowledge and experience giving workshops on vulnerabilities assessments, patch management best practices, the evolving cyber security perimeter and the EU General Data Protection Regulation. Joseph serves as Chief Security Scientist at Thycotic. Joseph can be reached online at Joseph.Carson@thycotic.com and at our company website https://thycotic.com/.