How to improve your incident response plan

A well-formed, and well-tested, incident response can determine how well an organization responds to a data breach. CSO Online looks at how you can improve your own incident response plan so to reduce the impact of that data breach.

Incident response plans are, in many ways, like family relics. These written instructions, which detail how firms should adequately detect, respond and limit the effects of an information security incident, are highly valued by some, and yet all too often left gathering dust in the cupboard. To many, they remain untried and untested for years, and thus most are unfit for purpose when that untimely data breach becomes reality.

Experts say that a robust incident response plan today should include a policy that specifically defines what constitutes an incident, and that this document should provide a specific, step-by-step guide as to how firms respond to an incident. By following these guidelines, organizations hope to limit the damage of an attack, and reduce the high costs and lengthy recovery time that are usually associated with data breaches.

Yet for all of this, incident response plans divide the InfoSec community. eBay was heavily criticized for its failure to respond to its data breach last year, while many IR plans are often considered to be ill-thought out, or ill-equipped, for today’s world. Worse still, some firms don’t even have one.

[ RELATED: Reviewing incident response plans for data risk preparedness ]

For example, a study from PAC -- polling 200 people from companies with more than 1,000 employees in UK, France and Germany -- found that nearly 40 percent of firms did not have an IR plan. And of those with IR plans, only 30 percent said that they tested and updated these regularly, a concern given the evolving threat landscape.

Indeed, citing the rise of Advanced Persistent Threat (APT) attacks, growing cyber-criminal activity and under-investment in protection and detection, cryptography expert Bruce Schneier said in 2014 that it was the decade of “response”.

Yet sadly, this is taking time to catch-on; a report from AT&T last month indicated that while 81 percent of IT professionals said their firms did have incident response plans in place, only 31 percent of these believed that these were actually effective. Clearly there is work to be done.

IR plan faults

The problem for most companies is that even if they have IR plans, they’re often not fit for purpose.

McKinsey reports that most organizations “don’t truly operationalize their IR plans, which are ineffective due to poor design or implementation, or both.”

The firm says that such documentation is often “out of date” and “generic”, and “not useful for guiding specific activities during a crisis.”

In addition, the consultancy said that these plans can be created by one department, but not implemented by others. Developing such plans in silos not only damages a businesses’ response, but it can also inhibit sharing relevant knowledge and best practices.

McKinsey adds that IR decision-making “is often based on tribal knowledge and existing relationships”, with organizations typically relying on one to two “go-to” people to guide the organization through the crisis. This can result in a single point of failure when the resident expert is not available, or does not have the capacity to lead the response.

Dane Warren, CISO at UK-based product testing company Intertek, tells CSO Online it is difficult to tell why certain incident response plans fail.

“[It’s] hard to say, without knowing the company. However, it is easy to say that an effective IR plan is paramount is any organization – even if it only used for preparation.”

But James Mckinlay, principal security consultant at Praetorian Consulting International and former head of information security at Worldline Global UK&I, tells CSO that often faults are down to departmental issues.

“Not involving everybody that will be needed, internal communications, external communications, law enforcement, legal, hr, executives, risk director, CISO, client relationships”.

What your plan should look like

When creating your IR plan, InfoSec pros say you should set out to define its purpose, the role each team plays in an incident, as well as the lifecycle of the plan itself. Simulation exercises are also encouraged to stress-test these processes, and to prevent business confusion as to each department’s role and responsibility.  

This is critical because IR plans must involve multiple departments, including information security, legal and compliance, human resources, and communications. A core team of cross-departmental reps should also be selected to take the lead in responding to incidents. Some say that one executive should be responsible for the plan and its integration across the business.

Warren believes that security teams can get ahead in this process by understanding the business and where its core assets are.

“Understand your business, and understand what needs to be protected. Aligning these two things will give you the basis for subsequent activities in an incident response scenario,” says Warren.

[ ALSO: Incident response matters ]

“Clearly defined roles and responsibilities are key. Ensuring that people are trained to effectively perform those roles and responsibilities is essential. A clear communication plan, based on the severity, is a must. This may include the general public, customers, internal staff, government officials, and / or suppliers.”

Mckinlay adds that preparation is key, as is having the right leader.

“To prepare a decent incident response plan requires quite a bit of research and tailoring to the company in question.

“Testing a plan, like testing Business Continuity Plans or Disaster Recovery Plans, requires either a very smart proactive security leader or an audit finding that dictates a test.

“Because responsibility for having an incident response plan is likely to fall to the information security manager they have to understand a good one involves a lot of other people and areas outside of IT and security.”

SANS, meanwhile, believes there are six key phases to developing a successful IR plan:

  • Preparation– Preparing users and IT to handle potential incidents should they happen
  • Identification– Figuring out what is meant by a “security incident”, and which events should be acted upon, and which should be ignored
  • Containment– Isolating attacked systems to prevent further damage
  • Eradication– Finding and eliminating the root cause (essentially removing affected systems from production)
  • Recovery– Permitting affected systems, once fixed, back into the production environment
  • Lessons learned – Writing everything down and reviewing and analyzing with all team members so you can improve future incident response efforts

Team and skills

Other InfoSec professionals highlight the importance of having a good security team; At a London conference last year, SANS instructor Steve Armstrong said an incident response team should almost be like Scooby Doo’s team - with different people bringing different skills.

Armstrong said that an effective incident response plan should see “geeks that love to geek, leaders that love to lead and managers that love to manage” but he admitted that this isn't always the case. He said that plans often fall down on communication alone.

Armstrong added that a strong Digital Forensics and Incident Response (DFIR) plan relies on workers sending good intelligence and statistics onto managers, who in turn translate this in business language for company leaders. However, Armstrong warned that any disconnection along the way would see “risk comprehension and funding go away”, with “directors no longer engaged in what’s happening.”

Instead, he urged CISOs to follow the much-publicized OODA (Observe, Orient, Detect, and Act) loop, which was used by air force, to become more fast and agile. This approach is also favored by Schneier.

For example, Armstrong said that a sysadmin or IT security team could observe an intruder on the network, decide a plan of action and then remediate. He urged firms to think about their plan, their communication (for example, how are they going to communicate if their network has become a hostile environment?) and how they can scale up operations. The whole plan, said Armstrong, needs to involve all departments.

This, however, requires skilled personnel and Armstrong warned between perceived skills and actual capability.

“Attackers can see the inefficiencies of your team – they know you're not Bruce Lee. So you've got to make sure you look at the team, look objectively at what they're capable of doing. If they're not [up to speed], look to infill with help, or onsite training.”

So take that incident response plan off the shelf; a robust plan is very much achievable, so long as you get the right processes in place, the right people on-board and that you test it regularly to ensure it is fit for purpose. What are you waiting for?

Join the CSO newsletter!

Error: Please check your email address.

More about AdvancedAPTCSOeBayIR

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Doug Drinkwater

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place