How to Create an Effective Incident Response Plan
Introduction
An organization’s incident response plan (IRP) should be its first line of defense against attacks and threats. IRPs are manuals that describe how organizations detect and limit the impact of security incidents. They list the actors within the organization who have specific responsibilities, and provide a series of instructions for determining the scope of the risk, the response options and the communication protocols. Ultimately, the goal of an IRP is to reduce the chances of a similar security incident occurring in the future.
In the domain of IT security, IRPs address data breaches, denial of service (DoS) and distributed denial of service (DDoS) attacks, firewall breaches, virus/malware outbreaks and insider threats. Two significant possibilities arise if an organization does not have an appropriate IRP: (1) it may not detect an attack in the first place; (2) it may not respond correctly to contain the attack and recover sufficiently.
What Are the Benefits of an Incident Response Plan?
Incident response plans help organizations detect security threats and limit the impact of security incidents, while accelerating incident recovery. Other benefits include:
- Agility: Once the organization’s security personnel know their responsibilities, they can immediately react to any threat by following the protocols in the IRP
- Damage limitation: Early detection and reaction means a better chance of restraining the attack, and stopping an incident from becoming an outage
- Communication: Poor communication leads to misinformation, which can be as damaging to an organization as the attack itself; clear communication channels and a centralized point of contact mean internal and external stakeholders receive appropriate information at the right time
- Prioritization: Not all security threats are equal and an organization’s IRP should list different sets of instructions that are matched to the seriousness of the threat
- Investigation: If an incident does occur, the subsequent investigative costs will be lowered by an IRP, which should help identify the source of the attack and implement additional security measures
- Compliance: If an attack occurs, industry regulators and/or law enforcers may request access to an organization’s data records; if the organization cannot supply these due to not having an IRP in place, financial penalties may be imposed
Creating an Incident Response Plan: 5 Key Considerations
- Link to business operations: An IRP is a security manual, and like many manuals, some organizations will allow it to gather dust on a shelf. This creates false assurance and is worse than having no IRP in place. Thus, the first stage of creating a usable IRP is to ask what role information security plays in your organization. Match business needs and operational risk to information security, and allow this to inform your IRP.
- Ownership: People who will own the IRP and respond to incidents need to take control of the process. As well as security teams, various other functions will be involved, including operational and communication managers.
- Measurement: While each incident will be different, comparable key performance indicators (KPIs) will measure the success, or weaknesses, of the IRP. Sample KPIs include time to detect and the number of false positives.
- Tools and resources: The team responsible for the IRP will need tools and resources to function properly. These can include detection software, secure communication lines, training for personnel and access to external security resources.
- Testing: Simulate a breach. Implement the IRP. Assess its performance. Repeat. Attacks and threats constantly evolve and therefore the IRP should be tested and updated at regular intervals to ensure it does not gather dust!
The Six Main Components of an Incident Response Plan
To assist in creating a tailored IRP, organizations should be aware of the six standard steps involved in incident response. While the emphasis on each step will vary for different incidents, these six steps will form the backbone of any response.
- Preparation: This stage contains various sub-stages covering organizational policies and practices; response strategy; communication; documentation; personnel; access control; and training/tools.
- Detection: The attack or attempted attack must be identified by checking various sources such as log files, error messages, firewalls and other intrusion detection systems. This should reveal the type and severity of the attack.
- Containment: This stage can be broken into three sub-stages:
  - Short-term containment: Act as fast as possible to limit damage (e.g., isolate the infected network node)
  - System backup: Capture a forensic image of the affected system for later analysis and/or evidence
  - Long-term containment: Repair the damaged system to an operational state while rebuilding a clean system in the next stage
- Eradication: Resolve the issue and remove any malicious elements; this may involve reimaging of system drives to prevent reinfection and upgrading of security measures (e.g., patches to fix vulnerabilities).
- Recovery: Bring affected systems carefully back into full production, ensuring sufficient testing, monitoring and validation at each stage; the system may still be vulnerable and avoiding aftershocks is critical.
- Lessons learned: Complete any outstanding documentation and file a report with any other information that may be useful for analysis. Details should include a timeline of what occurred, what measures were taken, areas for improvement and what personnel need to be informed of any changes to security protocols.
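The Detection step above talks about checking log files to identify an attack and its severity, and the Measurement consideration earlier names time to detect as a sample KPI. The following is an added example, not code from the original article: a small detection pass over a few constructed SSH authentication log lines that flags a burst of failed logins from one source, raises the severity when a successful login follows the burst (so the higher-severity playbook applies), and reports the time-to-detect KPI. The log format, the failure threshold, the window length and the severity labels are assumptions made for the illustration.

```python
"""Added example (not from the original article): detection over constructed
auth log lines plus the time-to-detect KPI. Thresholds, the log format and the
severity tiers are assumptions for illustration only."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a syslog-like sshd format (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[1201]: Failed password for admin from 203.0.113.7 port 50211
2024-03-01T09:00:03 sshd[1202]: Failed password for admin from 203.0.113.7 port 50212
2024-03-01T09:00:04 sshd[1203]: Failed password for root from 203.0.113.7 port 50213
2024-03-01T09:00:06 sshd[1204]: Failed password for admin from 203.0.113.7 port 50214
2024-03-01T09:00:08 sshd[1205]: Failed password for admin from 203.0.113.7 port 50215
2024-03-01T09:00:09 sshd[1206]: Accepted password for admin from 203.0.113.7 port 50216
2024-03-01T09:15:00 sshd[1300]: Failed password for alice from 198.51.100.4 port 40001
2024-03-01T09:15:20 sshd[1301]: Accepted password for alice from 198.51.100.4 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

FAIL_THRESHOLD = 5             # assumed: failures per source inside the window
WINDOW = timedelta(minutes=2)  # assumed: sliding window for counting failures


@dataclass
class Event:
    ts: datetime
    result: str
    user: str
    src: str


@dataclass
class Alert:
    src: str
    severity: str          # "medium" for a failure burst, "high" if a success followed it
    first_event: datetime  # start of the suspicious activity
    detected_at: datetime  # timestamp of the event that tripped the rule
    failures: int

    @property
    def time_to_detect(self) -> timedelta:
        # KPI: gap between the first suspicious event and the moment the rule fired.
        return self.detected_at - self.first_event


def parse_log(text: str) -> list[Event]:
    """Parse the lines that match the expected format; unknown shapes are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(events: list[Event]) -> list[Alert]:
    """Sliding-window count of failed logins per source; at most one alert per source."""
    recent = defaultdict(list)      # src -> timestamps of failures still inside WINDOW
    alerts: dict[str, Alert] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "Failed":
            window = [t for t in recent[ev.src] if ev.ts - t <= WINDOW]
            window.append(ev.ts)
            recent[ev.src] = window
            if len(window) >= FAIL_THRESHOLD and ev.src not in alerts:
                alerts[ev.src] = Alert(ev.src, "medium", window[0], ev.ts, len(window))
        elif ev.result == "Accepted" and ev.src in alerts:
            # A success shortly after a failure burst suggests the account is now
            # compromised: escalate so short-term containment (isolate the host) applies.
            if ev.ts - alerts[ev.src].detected_at <= WINDOW:
                alerts[ev.src].severity = "high"
    return list(alerts.values())


def mean_time_to_detect(alerts: list[Alert]) -> timedelta:
    """Average time-to-detect across alerts; zero when there are none."""
    if not alerts:
        return timedelta(0)
    total = sum((a.time_to_detect for a in alerts), timedelta(0))
    return total / len(alerts)


if __name__ == "__main__":
    found = detect_bruteforce(parse_log(SAMPLE_LOG))
    for a in found:
        print(f"{a.severity.upper()} alert: {a.failures} failed logins from {a.src}, "
              f"detected {a.time_to_detect.total_seconds():.0f}s after the first one")
    print("mean time to detect:", mean_time_to_detect(found))
```

The single mistyped password from 198.51.100.4 never reaches the threshold, so it produces no alert; tuning the threshold and window against a simulated breach, as the Testing consideration recommends, is how the false-positive KPI gets measured in practice.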