How to build an incident response plan around the 6 phases of incident response, examples to get you started, and a peek at incident response automation.

What is an incident response plan?

An incident response plan is a set of tools and procedures that your security team can use to identify, eliminate, and recover from cybersecurity threats. It is designed to help your team respond quickly and uniformly against any type of external threat.
Incident response plans ensure that responses are as effective as possible. These plans are necessary to minimize damage caused by threats, including data loss, abuse of resources, and the loss of customer trust.
Why is an incident response plan important?

The Ponemon Institute’s Cost of Cyber Crime Study showed that the typical organization experiences an average of 145 security incidents per year and spends $13 million annually to defend itself. An effective response process can significantly reduce these costs. Incident response planning also protects your company’s reputation. IDC found that 80% of consumers would take their business elsewhere if directly affected by a data breach. If a security breach is not handled properly, the company risks losing business, as well as investor and shareholder confidence. Additional benefits of incident response plans include:
What are the incident response steps?

According to the SANS Institute’s Incident Handlers Handbook, there are six steps the Incident Response Team should take to handle security incidents effectively.

1. Preparation – Perform a risk assessment and prioritize security issues, identify which are the most sensitive assets, and which critical security incidents the team should focus on. Create a communication plan, document roles, responsibilities, and processes, and recruit members to the Cyber Incident Response Team (CIRT).

2. Identification – The team should be able to effectively detect deviations from normal operations in organizational systems, and when an incident is discovered, collect additional evidence, decide on the severity of the incident, and document the “Who, What, Where, Why, and How”.

3. Containment – Once the team identifies a security incident, the immediate goal is to contain the incident and prevent further damage:

4. Eradication – The team must identify the root cause of the attack, remove malware or threats, and prevent similar attacks in the future. For example, if a vulnerability was exploited, it should be immediately patched.

5. Recovery – The team brings affected production systems back online carefully, to ensure another incident doesn’t take place. Important decisions at this stage include the time and date from which to restore operations, how to verify that affected systems are back to normal, and how to monitor them to ensure activity stays normal.

6. Lessons Learned – This phase should be performed no later than two weeks from the end of the incident, to ensure the information is fresh in the team’s mind. The purpose of this phase is to complete documentation of the incident, investigate further to identify its full scope, understand where the response team was effective, and identify areas that require improvement.

Incident response planning typically includes:
An incident response plan forms the basis of your incident response cycle:

Figure 1: The Elements of an Incident Response Cycle
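As an added illustration (not code from the original article or from any vendor's product), the following Python model tracks one incident through the six phases above: it refuses to skip or reverse phases, will not let an incident move past identification until the who/what/where/why/how are recorded, and flags the lessons-learned review once it falls outside the two-week window. The severity ladder and the choice of the recovery step as the incident's end are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# The six phases, in the order the SANS handbook lists them.
PHASES = ["preparation", "identification", "containment", "eradication", "recovery", "lessons_learned"]
# The five facts identification must capture.
FACTS = ("who", "what", "where", "why", "how")
# "No later than two weeks from the end of the incident".
LESSONS_LEARNED_WINDOW = timedelta(days=14)
# Hypothetical severity ladder keyed by the damage types the article names; a real plan defines its own.
SEVERITY_BY_IMPACT = {"data_loss": 3, "resource_abuse": 2, "other": 1}


@dataclass
class Incident:
    name: str
    phase: str = "preparation"
    severity: int = 0
    facts: dict = field(default_factory=dict)
    ended_at: Optional[datetime] = None          # when the two-week clock starts
    log: list = field(default_factory=list)      # (timestamp, phase) history

    def identify(self, impact: str, when: datetime, **facts) -> int:
        """Identification: record who/what/where/why/how and set a severity.
        A missing fact raises KeyError, so an incident cannot be declared
        without the documentation the handbook asks for."""
        self.facts = {k: facts[k] for k in FACTS}
        self.severity = SEVERITY_BY_IMPACT.get(impact, SEVERITY_BY_IMPACT["other"])
        self.advance("identification", when)
        return self.severity

    def advance(self, to_phase: str, when: datetime) -> str:
        """Move to the next phase only; skipping or going backwards is refused."""
        if PHASES.index(to_phase) != PHASES.index(self.phase) + 1:
            raise ValueError(f"cannot go from {self.phase} to {to_phase}")
        if to_phase == "containment" and set(self.facts) != set(FACTS):
            raise ValueError("identification did not document who/what/where/why/how")
        self.phase = to_phase
        self.log.append((when, to_phase))
        if to_phase == "recovery":
            self.ended_at = when  # assumption: recovery marks the incident's end
        return self.phase

    def lessons_learned_due(self) -> Optional[datetime]:
        return self.ended_at + LESSONS_LEARNED_WINDOW if self.ended_at else None

    def lessons_learned_overdue(self, now: datetime) -> bool:
        due = self.lessons_learned_due()
        return due is not None and self.phase != "lessons_learned" and now > due
```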
Incident response plan templates to get you started quickly

Following are four detailed templates you can use to kick off your incident response planning:

- TechTarget’s incident response plan template (14 pages) includes scope, planning scenarios, and recovery objectives; a logical sequence of events for incident response and team roles and responsibilities; notification, escalation and declaration procedures; and incident response checklists. Download the template
- Thycotic’s incident response template (19 pages) includes roles, responsibilities and contact information, threat classification, actions to be taken during incident response, industry-specific and geographic-dependent regulations, and a response process, as well as instructions on how to customize the template to your specific needs. Download the template (requires registration)
- Sysnet’s security incident response plan (11 pages) includes how to recognize an incident, roles and responsibilities, external contacts, initial response steps, and instructions for responding to several common incident types, such as malware and unauthorized wireless access. Download the template (requires registration)
- California Government Department of Technology incident response plan (4 pages) includes a 17-step checklist for incident team members to follow, with reference to more detailed procedures for specific types of incidents (which you will have to create on your own). Download the template

Incident response plan examples: learn from leading organizations

When developing an incident plan, it is valuable to see actual examples of plans created by other organizations. Some of the examples won’t be applicable to your industry’s incident scenarios, but can provide some inspiration. See examples of plans from the following organizations:
How to make an incident response plan successful

What are the key considerations for incident response?

An incident response plan should include the following elements to be effective:
What are the key roles in an incident response plan?

An incident response plan is not complete without a team that can carry it out — the Computer Security Incident Response Team (CSIRT). An incident response team is a group of people — either IT staff with some security training or full-time security staff in larger organizations — who collect, analyze, and act upon information from an incident. They are the focal point of the incident, and are responsible for communicating with other stakeholders within the organization, and external parties such as legal counsel, press, law enforcement, affected customers, etc.

What is the relationship between an incident response plan and a disaster recovery plan?

An incident response plan should be complemented by a disaster recovery plan. The latter prescribes how an organization manages a catastrophic event such as a natural disaster or accidental loss of data. While an incident response plan focuses on identifying a security event and bringing it to closure, disaster recovery aims at bringing systems back online, subject to a Recovery Time Objective (RTO).

The next generation of incident response: Security Orchestration, Automation, and Response (SOAR)

There is no replacement for crafting an incident response plan and assigning dedicated individuals to be responsible for it. However, to make incident response more effective and make it possible to deal with more security incidents, a new category of tools has evolved that helps automate the response to security incidents. Security Orchestration, Automation, and Response (SOAR) tools can:
To see an example of an integrated security solution that includes SOAR as well as User and Entity Behavior Analytics (UEBA) and Security Information and Event Management (SIEM) capabilities, see Exabeam’s Incident Responder.
Which of the following is not included in an incident response policy?

b - Law enforcement team is NOT included in the structure of an incident response team. However, Coordinating team, Central response team and Distributed incident response team are all included in the structure of an incident response team.

What should an incident response plan include?

8 Essential Elements for an Incident Response Plan:
- A Mission Statement
- Formal Documentation of Roles and Responsibilities
- Cyberthreat Preparation Documentation
- Incident Detection Documentation
- An Incident Response Threshold Determination
- Management and Containment Processes
- Fast, Effective Recovery Plans

What are the 5 steps to incident response?

5 critical steps to creating an effective incident response plan:
- Preparation
- Detection and analysis
- Containment, eradication and recovery
- Post-incident activity

Which of the following are the 4 phases of incident response planning?

The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.