Recovering from a Cyber-Attack: The Incident Response Plan

Aug 2024 - Silverse

Introduction

The volume of cyber-attacks worldwide is growing by the day. It is, for instance, estimated that 45% of organizations around the globe will have experienced an attack on their software supply chain by 2025. Cyber-attacks are no longer just a possibility – they are almost inevitable. This is where the cyber incident response plan steps in.

Incident response and preparedness are crucial for businesses to thrive in this ever-evolving digital era. But what are the pillars of a successful incident response plan? In this article, Silverse’s experts walk you through it.

What is a Cyber Response Plan?

Some cyber-attacks can take months to discover, while others can immediately impair your networks.

All cyber-attacks, however, can damage your business in ways that are difficult to recover from, both reputationally and financially. For instance, the global average cost of a data breach stands at $4.45M – a 15% increase across 3 years.

While businesses can reduce the likelihood of cyber-attacks via measures such as cyber education and managed risk and compliance, there is no fool-proof formula that can guarantee safety from cybercriminals.

This is why it is vital to implement a robust incident response plan, which helps ensure that businesses can recover from a cyber-attack or other event and limit disruptions to operations.

A cyber incident response plan includes a set of clear instructions to detect and respond to various potential security events, including but not limited to DDoS attacks, data breaches, insider threats, and firewall breaches.

Note that the plan is a cyclical process. This means that response handling does not end at the Lessons Learned/Post-Incident Activity stage (which we will cover below). Instead, the plan should be updated each time a business experiences a cybersecurity incident.

Is a Response Plan Necessary?

Many cybersecurity regulations, including but not limited to HIPAA, Federal Trade Commission 16 CFR, and Payment Card Industry (PCI) requirements, require an incident response plan.

A well-documented response plan can help demonstrate a commitment to regulatory compliance and avoid potential fines.

The Six-Step Cyber Response and Preparedness Plan

There are two recommended cyber incident response frameworks: the one by the SANS Institute and the one by the NIST Computer Security Incident Handling Guide. The framework provided below is an amalgamation that offers a bird’s eye view of their strategies.

Note that, as always, when it comes to cybersecurity procedures, certain elements may not apply to smaller businesses, and more detailed plans may be required for larger ones.

Furthermore, it is important to remember that security cannot work solely as a bottom-up process.

Higher-level management, including the C-suite and board, must understand the importance of implementing the response plan.

With that, let us outline the plan.

Step 1: Preparation

This stage establishes the architecture of your response plan, influencing each component of the response process.

  • Develop a security policy: This document should form the bedrock of all incident response activities and be approved by senior executives. It should outline high-level priorities, determine who will lead incident handling, and include behavioral controls and enforcement of security protocols.
  • Define communication streams: A communication plan for delivering incident information to senior management, stakeholders, and legal entities should be defined. The contact information of all the incident response team members – both in-house and third-party – should be included.

Step 2: Detection

In this step, security teams determine whether your organization is vulnerable or has been attacked, in order to activate the response plan if required.

This decision is made by identifying deviations from regular activity, found by analyzing log files, firewall records, error messages, and intrusion detection system alerts.

For example, managed threat detection can locate vulnerabilities in your network that cybercriminals seek to exploit.

As soon as suspicious activity is discovered, the relevant team members should be alerted. This ties back to having a clear communication plan.
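As an added example of the kind of check Step 2 describes (this code is not from the Silverse article), the following Python script reads a handful of constructed sshd-style log lines, counts failed logins per source address inside a short time window, treats a count above a baseline threshold as a deviation from regular activity, and builds an alert record naming who should be notified under the communication plan from Step 1. The log lines, hostnames, addresses, threshold, window and contact addresses are all constructed for the example.

```python
"""Added example (not from the original article): log-based detection of a
deviation from regular SSH login activity, producing an alert with recipients.
All log lines, hosts, addresses, thresholds and contacts are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-style; sshd omits the year, as real logs do).
SAMPLE_LOG = """\
Aug 12 09:00:01 web01 sshd[1201]: Accepted publickey for deploy from 10.0.5.20 port 50211 ssh2
Aug 12 09:00:15 web01 sshd[1202]: Failed password for root from 203.0.113.45 port 40001 ssh2
Aug 12 09:00:16 web01 sshd[1203]: Failed password for root from 203.0.113.45 port 40002 ssh2
Aug 12 09:00:17 web01 sshd[1204]: Failed password for admin from 203.0.113.45 port 40003 ssh2
Aug 12 09:00:18 web01 sshd[1205]: Failed password for invalid user test from 203.0.113.45 port 40004 ssh2
Aug 12 09:00:19 web01 sshd[1206]: Failed password for invalid user oracle from 203.0.113.45 port 40005 ssh2
Aug 12 09:00:20 web01 sshd[1207]: Failed password for invalid user guest from 203.0.113.45 port 40006 ssh2
Aug 12 09:03:40 web01 sshd[1210]: Failed password for alice from 10.0.5.31 port 50300 ssh2
Aug 12 09:03:55 web01 sshd[1211]: Accepted password for alice from 10.0.5.31 port 50301 ssh2
"""

# Matches the failed-login lines only; "invalid user" is optional in sshd output.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failed_logins(log_text, year=2024):
    """Return (timestamp, host, user, ip) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("host"), m.group("user"), m.group("ip")))
    return events


def find_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Flag any source IP with more than `threshold` failures inside `window`.

    The threshold and window stand in for the baseline of "regular" activity
    that the detection step compares against (constructed values here)."""
    by_ip = defaultdict(list)
    for ts, _host, _user, ip in events:
        by_ip[ip].append(ts)
    hits = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


# Constructed contact list of the kind the Step 1 communication plan holds.
CONTACTS = {
    "soc_oncall": "soc-oncall@example.invalid",
    "it_lead": "it-lead@example.invalid",
}


def build_alert(hits, host):
    """Turn detection hits into an alert record listing who must be notified."""
    if not hits:
        return None
    return {
        "host": host,
        "summary": "possible SSH brute force",
        "sources": hits,
        "notify": [CONTACTS["soc_oncall"], CONTACTS["it_lead"]],
    }


def run_detection(log_text=SAMPLE_LOG):
    """Parse, detect, and package the result; None means nothing to raise."""
    events = parse_failed_logins(log_text)
    hits = find_brute_force(events)
    host = events[0][1] if events else "unknown"
    return build_alert(hits, host)


if __name__ == "__main__":
    print(run_detection())
```

The single legitimate failure from 10.0.5.31 stays below the baseline and produces nothing, while the burst from 203.0.113.45 produces an alert; in a real deployment the thresholds would come from observed normal activity and the contact list from the documented communication plan rather than being hard-coded.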

Step 3: Containment

In this stage, the cyber incident is isolated and contained.

The initial stages of containment pertain to quickly preventing further damage, even if it obstructs essential business operations. For instance, you might disconnect infected devices from a network or shut down routers to infected networks.

Containment is steered by the severity of the incident, the criticality of the assets or data, and the imperatives of business continuity.

It is important, in this stage, to include a documentation process for actions taken and evidence of compromise. This will be crucial for the next phase of the response plan.

Step 4: Eradication

In this stage, all threats from your network and devices are removed. It may involve disabling user accounts, deleting malware, and so on. This should be performed in a phased manner along with recovery.

Eradication efforts should include disabling infected systems, scanning those systems for malware and vulnerabilities, and making sure that the vulnerabilities that led to the incident are addressed.

Step 5: Recovery

In the recovery stage, systems are restored to their pre-compromise state. Targeted environments are replaced with clean backups.

Note, however, that these backups will probably include the same vulnerabilities that were exploited in the original incident. Hence, they should be addressed with appropriate remediation efforts and security patches before the restored systems return to service.

Step 6: Post-Incident Activity

Cyber-attack recovery is incomplete without reflecting on the lessons learned.

After the cyber incident, ideally within two weeks, stakeholders and response teams should convene to discuss the event, the way it was managed, and how response efforts can be improved. This meeting should be positioned as an open, blameless forum for feedback and input.

Examples of questions asked during this meeting might include:

  • What happened and at what time?
  • Who detected and reported the cyber incident?
  • What information was required sooner?
  • Were further resources or tools required?
  • Was recovery inhibited by any steps?
  • How was the success of the eradication efforts measured?
  • Could information sharing be streamlined?

Furthermore, the response teams should conclude the incident documentation. Once finished, this documentation should include the entire response sequence. Note that stakeholders should be able to easily understand it.

Lastly, strive to test your cyber incident response plans. Conduct regular simulation exercises and drills. It is better to not wait for a genuine cyber-attack to determine whether your plan is effective.

Conclusion

As cyber criminals grow bolder, achieving cyber resilience becomes more challenging. Comprehensive and continual cybersecurity procedures are required to mitigate risks and address incidents.

Developing an incident response plan is a major touchpoint in cybersecurity procedures. With it, you will have a clear plan of action when faced with a cyber-attack. An incident can be stressful and difficult to handle, but with the right tools and preparation, you can recover from it.

Partnering with cybersecurity experts like Silverse will help ensure that your response plan is comprehensive, up to industry standards, and follows relevant regulations.

Contact us now for cybersecurity services.
