Incident Response Planning: A Portion of Planning is Worth a Pound of Gold


When you are hacked, you want to recapture control quickly as hackers move through systems, locking sensitive information and holding it for ransom. You need to determine the extent of the breach immediately, the exact attack vector, and how to insulate the rest of the network. Organizations need an effective incident response (IR) plan to accomplish these actions.

However, not all IR plans are effective or contain the necessary elements to help restore calm in the employee maelstrom unleashed after a breach. We all know the idiom, “An ounce of prevention is worth a pound of cure.” In the case of a pending breach, this idiom can be rephrased as “a portion of planning is worth a pound of gold,” where planning refers to incident response and gold to the extortion funds saved. This article outlines six best practices for effective IR planning.

Best Practices for IR Planning

  1. Have an IR plan ready before the incident happens.

You already have a plan for natural disasters, civil unrest, or other disruptions. The same goes for your incident response—have a plan and ensure it’s part of your continuity of operations (ConOps) planning. The IR plan should be a part of your knowledge base and disaster recovery planning process. Outline clear and deliberate steps that are well-informed, specific, and actionable. The goal is to identify, validate, and remediate an incident quickly and safely. A big part of the plan’s success is ensuring that your staff understands and knows how to execute it in challenging circumstances; this requires covering scenarios like compromised cloud-based or on-prem IT services.

  2. Obtain visibility; understand the circumstances.

Visibility is paramount; you cannot mount an effective response if you don’t know where the malware lurks and how it got into your network. Adequate visibility comes from advanced detection tools, plus expert guidance from service desk professionals. Together, they validate the attack, determine its severity, and how the malware gained access. Without the aid of IT cybersecurity professionals, you may be overmatched by the sophistication of today’s hackers.

  3. Prepare for out-of-band communications.

Malware attacks often affect email servers, messaging systems, and VoIP phone systems. A dimension of the attack almost always involves taking over all communications. Hackers monitor and control these channels to interrupt your ability to manage the attack. Your plan needs a physical communication protocol with a hierarchical order of up-to-date contact information. This information includes mobile phone numbers and alternate, off-network email addresses. It’s imperative to communicate about the breach over out-of-band channels immediately. The idea is to stay in control and ahead.

  4. Don’t panic or overreact.

Being hacked is stressful. You want to avoid making rash, heat-of-the-moment decisions. The IR plan defines protocols your incident response team, a group of individuals within your organization trained to respond to and mitigate the effects of a cyber attack, can follow instead of wasting time seeking decision-makers and executing unnecessary actions. If you are hacked, the malware is already in your systems, seeking to do some damage. The incident response team needs a playbook to detect where they’ll be pivoting and how they’re moving around. Responding and mitigating usually take several days, so staying calm and patient is required. The best remediation techniques involve watching the activities related to the breach—when and where they’re logging in, hiding the malware, and what data they’re accessing.
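The remediation approach described above, watching when and where the intruder logs in and which hosts they reach, is the kind of task an IR team should have scripted before the incident rather than improvising under pressure. The following is an added example, not code from the article or from Quadrant Security: it parses a constructed set of SSH authentication log lines, flags logins that come from a source never seen for that account during normal operation or that fall outside business hours, and lists the hosts a given source reached in order. The log format, the sample lines, the IP addresses, and the business-hours window are all assumptions made for the illustration.

```python
"""Build a per-account login timeline from auth log lines and flag anomalies.

Constructed example: the log format and sample lines are invented for this
illustration; adapt the regex to your own authentication logs.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: syslog-style lines in the shape
# "<ISO timestamp> <host> sshd: Accepted <method> for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-04T09:12:07 app01 sshd: Accepted publickey for deploy from 10.0.5.21
2024-03-04T09:40:51 app01 sshd: Accepted publickey for deploy from 10.0.5.21
2024-03-04T23:58:13 app01 sshd: Accepted password for deploy from 198.51.100.77
2024-03-05T02:03:44 db01 sshd: Accepted password for deploy from 198.51.100.77
2024-03-05T02:05:10 db01 sshd: Accepted password for backup from 198.51.100.77
2024-03-05T10:15:00 app01 sshd: Accepted publickey for alice from 10.0.5.30
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Accepted (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Business hours assumed as 08:00-18:59 local time; adjust for your organisation.
BUSINESS_HOURS = range(8, 19)


def parse_events(text):
    """Parse accepted-login lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def flag_logins(events, known_sources):
    """Return (timestamp, user, host, ip, reasons) tuples for suspicious logins.

    known_sources maps user -> set of source IPs seen during normal operation
    (for example, from the weeks before the incident). A login is flagged when
    the source is new for that user, when it happens outside business hours,
    or both. Accounts absent from the baseline have no known sources at all.
    """
    flagged = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if ev["ip"] not in known_sources.get(ev["user"], set()):
            reasons.append("new source for user")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            flagged.append((ev["ts"], ev["user"], ev["host"], ev["ip"], reasons))
    return flagged


def hosts_touched_by(flagged, ip):
    """Hosts a given source reached among the flagged logins, in order of first login."""
    seen = []
    for _, _, host, src, _ in flagged:
        if src == ip and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    # Baseline of normal sources per account (constructed for the example).
    baseline = {"deploy": {"10.0.5.21"}, "alice": {"10.0.5.30"}}
    hits = flag_logins(parse_events(SAMPLE_LOG), baseline)
    for ts, user, host, ip, reasons in hits:
        print(f"{ts.isoformat()} {user}@{host} from {ip}: {', '.join(reasons)}")
    print("hosts reached from 198.51.100.77:", hosts_touched_by(hits, "198.51.100.77"))
```

The point of keeping the baseline separate from the log being examined is that the team can compute it from records predating the incident and then run the same script over fresh exports as the investigation proceeds; the ordered host list gives the chain of command a concrete picture of which systems to isolate first.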

  5. Create and implement an incident-specific remediation plan.

Once you have identified the proper channels of out-of-band communications, coordinate efforts in a well-defined chain of command to identify the extent of the attack while remaining vigilant over all downstream networks, including channel and partner networks. Hackers often return looking for new or previously exploited weaknesses. Your cybersecurity team needs to perform 24/7 monitoring, meaning continuous, round-the-clock network monitoring for any signs of a cyber attack. This level of vigilance is necessary to ensure that any subsequent attacks are detected and mitigated as soon as possible.

  6. Seek help when necessary.

Creating an effective IR plan is time-consuming. Most organizations need in-house service management resources to deal with an attack while running daily operations. Many cybersecurity companies notify you about a data breach but must also help you understand the procedural steps for navigating the incident. When a bad actor has infiltrated the network, a third-party cybersecurity company will provide the calm, skilled, around-the-clock support needed to manage the situation effectively. Remember, your single breach is only one of the critical situations these cybersecurity companies handle. Dealing with attacks in a timely and quality-assured manner is their job.

Conclusion

One of the most effective tools at a bad actor’s disposal is chaos. The more an organization exhibits a dysfunctional and emotional response, the more time the hacker has to lock your IP and the less time you have to halt the advance. Most people are familiar with life circumstances that require advance planning, such as 529 college funding, IRA retirement, and life insurance. For almost every organization, SMB to Fortune 50, a hack is as inevitable as the aforementioned financial planning milestones. The difference between them is that in our personal lives, we have accepted the notion that these are inevitable; in our corporate lives, we hedge our bets that a hack will happen to the “other guy.”

If a corporate hack is inevitable, you will need assistance navigating the turbulence, and IR planning should be treated with a higher degree of urgency, in the same manner that we turn to professional money managers to help us prepare for personal events. Corporations need to align with cybersecurity professionals who have navigated many breaches and can turn best practices into action items proven to regain control. Just a portion of good IR planning can save a pound of corporate gold.

About the Author

Chris Snyder is a Cybersecurity Expert and Principal Sales Engineer at Quadrant Security, having honed his skills as a Systems Administrator, Threat Analyst, and Paratrooper Infantryman in the US Army. He leverages his diverse background and cybersecurity knowledge to help clients find the best security solutions for their unique needs. Chris can be reached online at [email protected], at https://www.linkedin.com/in/christopher-snyder-17336b135/, and at https://www.quadrantsec.com/.
