Incident Response Checklist: How to Address a Cybersecurity Attack
Did you know it takes 100 to 200 days on average to detect a cybersecurity incident, and that a brand's value can decline by 31% following a breach (Cisco)? With cyberattacks increasing over the last decade, an incident response plan is your best chance at limiting the damage a data breach does to your organization.
What is a cybersecurity incident response plan?
A cybersecurity incident response plan (or IR plan) is a set of instructions designed to help companies prepare for, detect, respond to, and recover from network security incidents (Infocyte). IR plans cover events such as malware infections, service outages, data breaches and more. But because a cyberattack can affect many parts of an organization, it is important to also have IR procedures in place for areas like HR, legal, public relations, etc.
You can find general IR plan frameworks from organizations like NIST and SANS, but you should tailor the framework to your business. An IR plan should be specific, actionable, and cover the "who, what and when" of how an incident will be resolved. Overall, the goal of an IR plan is to minimize damage, protect your data, and get your organization back to normal operation as quickly as possible.
What should your cybersecurity attack incident response plan include?
Creating an IR plan is a demanding task and should be specific to each business. However, there are four essential stages around which to build your framework: preparation, detection, response, and recovery and follow-up. (These map closely onto the four phases in NIST SP 800-61: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity.)
Stage 1: Preparation
The first step in creating an IR plan is outlining your IR team’s roles and responsibilities and establishing a basic security policy that will guide the rest of the plan. Some items you may want to consider in this section are:
- Determine what data needs to be protected, and decide whether you have sufficient IT resources to respond to an attack (hint: we can help).
- Establish executive buy-in, assign roles to all relevant stakeholders, and create a chain of command that includes both IT and corporate leaders. Establish a workflow for escalating and working an incident.
- Gather IR team members' contact information and agree on out-of-band communication channels, since email or chat may be compromised during an incident.
- Identify the cybersecurity regulatory requirements that apply to you, including breach notification deadlines.
- Create a list of preferred technology vendors for forensics, hardware replacement, and related services.
- Store critical credentials in a secure, centralized location (for example a password manager or vault), and define who may access them and under what circumstances.
- Ensure you can restore systems from a clean, offline backup, and test the restore procedure before you need it.
- Create a quick, accurate and consistent communications plan to inform every audience when an incident occurs.
Stage 2: Detection
The second stage of an IR plan is detecting known, unknown, or suspicious threats. As soon as a threat is detected, your IR team should document all available evidence so the severity of the incident can be determined. Some items you may want to consider in this section are:
- Use whatever automated tooling you have to quickly inventory and scan physical and virtual hosts, systems, and servers for the indicators or weaknesses that could expose your applications and accounts.
- Use endpoint tooling such as EDR and next-generation antivirus (NGAV) to detect malware.
- Conduct compromise assessments to confirm whether a network has been breached, then quickly identify any malware and any active or dormant threats that have slipped past your existing defenses.
Stage 3: Response
The third stage of an IR plan is responding to the threat. This means containing it first (isolating, disconnecting, or shutting down affected systems) and then eradicating it. During this stage you should also be working to eliminate the root cause that led to the incident. Some items you may want to consider in this section are:
- Isolate affected systems, network segments, data stores, and devices to contain the incident (quarantine them, much as you would an infection).
- Determine whether any sensitive data has been stolen or corrupted.
- Remove infected files and, if necessary, replace hardware, but preserve forensic copies first so evidence is not destroyed.
- Be as detailed and consistent as you can when documenting the incident. Think about the 5 W's (who, what, when, where, why), and detail that out even further.
- Maintain a record of all artifacts and details of the breach, including who collected each item and when.
- Make a public statement, but be careful with this step and have legal review it first. The statement should accurately describe the nature of the breach, the root cause, how serious it is, what steps you are taking to resolve it, and when affected parties can expect further updates.
- Update firewall and network security rules to block the attacker's infrastructure, and make sure logging is retained so the evidence is captured.
- Notify the legal team to determine whether the incident triggers any regulatory or contractual notification obligations.
- If necessary, contact law enforcement, since the incident may also affect other organizations.
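The documentation and artifact-record items above are easier to get right with tooling than by hand. The following is an added example (not code from the original page or from Thinline Technologies) of a small evidence manifest: each collected artifact is hashed at collection time and tagged with who collected it, where it came from, when, and why, the manifest can be sealed with its own hash, and it can be re-checked later to prove nothing was altered. The incident ID, hosts, email address and log lines are all constructed for illustration.

```python
"""Evidence manifest for an incident record.

Added example, not code from the original page or from Thinline Technologies.
Every artifact is hashed when it is collected and tagged with the 5 W's, and
the manifest can later be re-verified. File names, hosts, addresses and log
lines below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def utc_now():
    return datetime.now(timezone.utc).isoformat()


def sha256_file(path, chunk_size=1 << 20):
    """Hex SHA-256 of a file, read in chunks so disk images need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def new_manifest(incident_id, what_happened):
    """Top of the record: the 'what' and 'when' of the incident itself."""
    return {"incident_id": incident_id, "what": what_happened,
            "opened_at": utc_now(), "artifacts": []}


def add_artifact(manifest, path, collected_by, source_host, why):
    """Record one artifact with its hash and the remaining W's."""
    entry = {
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "collected_at": utc_now(),      # when
        "collected_by": collected_by,   # who
        "source_host": source_host,     # where
        "why": why,                     # why it matters to the investigation
    }
    manifest["artifacts"].append(entry)
    return entry


def seal(manifest):
    """Hash of the canonical manifest. Record this value somewhere the
    manifest's author cannot silently edit (ticket, email to legal)."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify_manifest(manifest):
    """Re-hash every artifact; return the paths that are missing or changed."""
    bad = []
    for entry in manifest["artifacts"]:
        p = entry["path"]
        if not os.path.exists(p) or sha256_file(p) != entry["sha256"]:
            bad.append(p)
    return bad


def demo():
    """Collect two constructed artifacts, seal the manifest, then tamper with one."""
    workdir = tempfile.mkdtemp()
    auth_log = os.path.join(workdir, "auth.log")
    note = os.path.join(workdir, "note.txt")
    with open(auth_log, "w") as f:    # constructed sample lines, not real data
        f.write("Jan 10 03:12:44 web01 sshd[4120]: Failed password for admin from 203.0.113.5\n"
                "Jan 10 03:12:51 web01 sshd[4120]: Accepted password for admin from 203.0.113.5\n")
    with open(note, "wb") as f:
        f.write(b"abc")               # known content with a well-known SHA-256

    m = new_manifest("INC-EXAMPLE-001", "Suspicious admin login on web01 (constructed)")
    add_artifact(m, auth_log, "analyst@example.com", "web01", "shows initial access")
    add_artifact(m, note, "analyst@example.com", "web01", "analyst notes")
    seal_before = seal(m)
    clean = verify_manifest(m)        # [] while nothing has changed

    with open(auth_log, "a") as f:    # simulate a post-collection edit
        f.write("tampered\n")
    changed = verify_manifest(m)      # the auth.log path is now reported
    return {"manifest": m, "seal": seal_before, "clean": clean, "changed": changed}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["manifest"], indent=2))
    print("seal:", result["seal"])
    print("changed after tampering:", result["changed"])
```

The same verify step doubles as a check that a backup set still matches the hashes recorded when it was known to be clean, which is the kind of test Stage 1 asks you to do before an incident. Hashes alone do not establish custody: the seal value and the manifest should be stored where the collector cannot quietly rewrite them.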
Stage 4: Recovery and Follow-Up
The fourth stage of an IR plan is eliminating the security risk for good, reporting on what happened, and updating your threat intelligence and detections. You should also use this time to assess lessons learned and make sure you are clear of threats moving forward. Some items you may want to consider in this section are:
- Eliminate the attacker's access (close the entry point, remove any persistence mechanisms, and rotate exposed credentials) so they cannot regain a foothold.
- Use your knowledge of the root cause to improve security controls.
- Conduct a vulnerability analysis to see whether other vulnerabilities exist.
- Restore all systems to a pre-incident state from known-clean backups or rebuilds, and monitor them closely for signs of reinfection.
- Create an incident response report that covers every area that was affected.
- Share lessons learned with your team and stakeholders.
Remember, your cybersecurity incident response plan should never be set in stone. This checklist provides the basic framework, but you should keep improving it as your environment and the threat landscape change. Need help creating your IR plan? Thinline Technologies can help! Check out our services page or give us a call at (410) 453-9300 for more info.