7 Steps IT Teams Can Take to Create a Cybersecurity Incident Response Plan

As cyberattacks have become more common, the question is when, not if, your organization will be hit by an attack. Attacks range from minor incidents probing for weak security to massive data breaches that cost an organization millions. The weaker state of security among SMBs can make them easier targets than larger organizations: 43% of attacks target SMBs. The prevalence of ransomware adds a further danger for small businesses, as attackers target organizations indiscriminately in search of access points.

Research conducted by PeerWise found that only 30% of respondents had an incident response plan, even amid the heightened tensions with Russia. Having a cyber incident response plan (CIRP) can be the difference between mitigating an attack and letting it wreak havoc in your systems. For an SMB, a good CIRP can be the difference between survival and catastrophe: 60% of small businesses that fall victim to a cyberattack go out of business within 6 months. These factors make having a CIRP more important than ever. This article looks at 7 steps small businesses can take to create an effective cyber incident response plan from start to finish.

Step 1 – Take precautions before making a plan

While having an incident response plan is important, it will do little if basic security measures are not already in place. Many of these measures will also help you create the incident response plan and will help in the incident response itself.

Perform a risk assessment and risk analysis

A risk assessment and analysis will give you an idea of where vulnerabilities lie in your security systems and prioritize which risks pose the biggest threats, which helps you implement a strategy to mitigate them. Assessment and analysis also aid your incident response efforts in several ways. They show where the greatest risks lie should an incident occur, so you can be prepared to act, and they guide which systems need to be monitored most closely. Risk prioritization also helps prioritize the incident response itself, minimizing damage to critical systems.

The first step in a risk assessment is to identify assets, which is also an important step in forming an incident response plan. The asset inventory lets you note which systems are most critical and should be prioritized, know exactly what needs to be monitored, and make backups of your data effectively.

Make system backups

How often to back up data is a decision driven by your organization's risk appetite. Consider what would happen in a ransomware attack where your data is encrypted: if you backed up two weeks before the attack you will be under far less pressure to pay the ransom than if your last backup was six months ago. A 3-2-1 backup strategy is another good security practice: keep 3 separate copies of your data, on 2 different storage media, with 1 copy at an offsite location.
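The 3-2-1 rule and the backup-age question above are easy to state and easy to get wrong in practice, because a copy that has silently corrupted or that is months old still looks like a backup. The following is an added example, not code from the original article: it builds a throwaway fixture in a temporary directory (the file names and "medium" labels are made up), records a SHA-256 digest for each copy as it is written, and later re-hashes every copy so that a corrupted or stale copy is not counted toward the 3 copies, 2 media, 1 offsite requirement. The 14-day maximum age is an assumed policy value.

```python
"""3-2-1 backup verification with integrity and freshness checks (added example)."""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BackupCopy:
    path: str            # where this copy lives (hypothetical paths in the demo)
    medium: str          # label for the storage type, e.g. "disk", "usb", "cloud"
    offsite: bool        # True if held at a different physical location
    taken_at: datetime   # when the copy was written
    sha256: str          # digest recorded at write time


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_copy(src, dst, medium, offsite, taken_at):
    """Copy src to dst and record the digest of the copy as it was written."""
    os.makedirs(os.path.dirname(dst), exist_ok=True)
    shutil.copy2(src, dst)
    return BackupCopy(dst, medium, offsite, taken_at, sha256_file(dst))


def evaluate_321(copies, now, max_age=timedelta(days=14)):
    """Re-verify every copy, then check the 3-2-1 rule against the valid ones only."""
    findings, valid = [], []
    for c in copies:
        if not os.path.isfile(c.path):
            findings.append(f"{c.path}: copy missing")
        elif sha256_file(c.path) != c.sha256:
            findings.append(f"{c.path}: digest mismatch (corrupted or altered)")
        elif now - c.taken_at > max_age:
            findings.append(f"{c.path}: older than {max_age.days} days")
        else:
            valid.append(c)
    if len(valid) < 3:
        findings.append(f"only {len(valid)} valid copies, need 3")
    if len({c.medium for c in valid}) < 2:
        findings.append("valid copies span fewer than 2 media types")
    if not any(c.offsite for c in valid):
        findings.append("no valid offsite copy")
    return {"compliant": not findings, "valid_copies": len(valid), "findings": findings}


def run_scenario(corrupt_usb=False, stale_offsite=False):
    """Build a constructed fixture, optionally damage it, and evaluate it."""
    now = datetime(2024, 3, 14, tzinfo=timezone.utc)  # constructed 'current time'
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "primary", "customers.db")
        os.makedirs(os.path.dirname(src))
        with open(src, "wb") as f:
            f.write(b"constructed sample data\n" * 1000)
        offsite_age = timedelta(days=40) if stale_offsite else timedelta(days=2)
        copies = [
            write_copy(src, os.path.join(tmp, "local_disk", "customers.db"),
                       "disk", False, now - timedelta(days=1)),
            write_copy(src, os.path.join(tmp, "usb_drive", "customers.db"),
                       "usb", False, now - timedelta(days=3)),
            write_copy(src, os.path.join(tmp, "offsite_bucket", "customers.db"),
                       "cloud", True, now - offsite_age),
        ]
        if corrupt_usb:
            # Simulate bit rot or tampering on the USB copy after its digest was recorded.
            with open(copies[1].path, "r+b") as f:
                f.seek(0)
                f.write(b"X")
        return evaluate_321(copies, now)


if __name__ == "__main__":
    print("healthy set:", run_scenario())
    print("damaged set:", run_scenario(corrupt_usb=True, stale_offsite=True))
```

The point of re-hashing at evaluation time rather than trusting the manifest is that a backup you have not verified since it was written is an assumption, not a recovery option; the "damaged set" scenario shows how one corrupted copy plus one stale offsite copy leaves a set that nominally has three copies but satisfies none of the three parts of the rule.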

Make use of third-party vendors

As a small business, much of your security will likely rely on vendor tools and outsourcing. Engaging these resources before you suffer an attack is important; if you are left defenseless when a cyberattack occurs, having a plan in place will only get you so far. You'll want vendors that can help in the case of an incident.

Step 2 – Know how your organization size will shape your plan

Decide how much your company will outsource

Incident response can be performed entirely in-house, partially outsourced, or completely outsourced. Your organization's size and security budget will determine this. If your organization has only a minimal number of IT employees, it is likely a good idea to outsource at least some of the process.

For one, an incident response is a stressful time and a lot of responsibility for a very small team to take on. Even more challenging is that someone needs to be available to handle the incident 24/7. When an incident occurs the response needs to begin as soon as possible; waiting to reach your lone IT employee by phone on their day off can be catastrophic. Monitoring is best when it is constant, which means someone needs to be on the job at all hours of the day.

A small business will likely outsource at least some of these duties. An example of a partially outsourced incident response team would be outsourcing incident monitoring to an MSSP while keeping the rest of the incident response in-house. Alternatively, the entire process can be outsourced. In this scenario, it is important that an IT member or small team still be knowledgeable about the incident response process so they can oversee the outsourcer's response.

Step 3 – Prepare your team for an incident

Establish communication practices

This step begins the process of forming the incident response plan. It is important to prepare your team for an incident so they know the procedure and policy to follow as soon as one occurs. An important part of this is knowing where communication among the incident response team will happen. Many organizations use Slack for this, but any platform where messages can be relayed quickly and reliably will do. It should also be documented what the message announcing an incident in progress will look like. It should be easily recognizable so normal duties can be put aside and your team can immediately shift into crisis management.

Document everything

Good documentation practices should be encouraged both during planning and during a real incident response. When an incident occurs, every step team members take should be written down. This allows you to learn from experience and find ways to improve your plan in the future. Your incident response plan itself should also be well documented, and copies of these documents should be kept separate from other data, either on a different device or offsite. Why? If your plans are kept with all other company data and a ransomware attack hits, your data gets encrypted. That would include your CIRP, and an encrypted plan won't do you any good.

Make a list of who needs to be contacted during a response

A list of everyone who should be contacted in the case of an incident should also be prepared as part of the CIRP. This list includes everyone who has a role in directly managing the incident in-house (the IT team). Executives should also be notified in case they need to take a direct hand in the response to ensure business continuity, as well as to manage the fallout should parts of the organization need to go offline.

(Figure sourced from NIST)

Outside the company, vendors who will play a role in incident response should be notified. HR should be notified so they can keep employees informed of the situation. A PR team is also good to contact, to help manage any statements that need to be made to the media. Clients should be made aware of the situation, particularly if their personal information is at risk of being exposed. Law enforcement and regulatory agencies need to be notified in accordance with the laws and regulations that apply to your organization's industry and geographic location.

Know the roles in the incident response team

Company employees should know who owns which role. Depending on the size of your small business, your team size may vary; ideally, different employees take on different roles so that no one person's duties are excessive. Some roles that are good to include in an incident response team: someone from upper management, to support critical decisions that affect the business such as taking systems offline; an incident manager, who oversees the incident response and communicates updates to the company as a whole; a technical lead, who deals with the technical details of the incident, whether that is handling the incident themselves or communicating with third-party vendors; and finally, someone from a department other than IT, such as HR or legal, who is in charge of navigating legal and media relations.

Run drills to test for preparedness

It is good to run drills to test your CIRP before an incident occurs. This involves running simulated scenarios of different attacks (a ransomware attack, a DDoS attack, etc.) to make sure your incident response team knows the plan. It also lets you find any inconsistencies in your plan that need to be addressed.

Step 4 – Know how to detect an incident

To detect an incident, it helps to know the what and where of attacks: what kinds of attacks are common, and where are the common vulnerabilities? A common entry point is email, through phishing attacks. Attacks can also stem from improper use of systems or devices; our articles on the dangers of remote working and malicious insiders give some insight into how remote workers can increase security risks for businesses. Lost or stolen equipment is another way attackers can gain access to a system. Brute-force attacks and DDoS attacks are becoming more common, along with ransom DDoS attacks, which add an extortion element to the DDoS attack.

Common places to look for deviations from the norm that might suggest an incident are log files, error messages, and firewalls. Many mechanisms can automate detection, including IDPSs, antivirus software, and log analyzers.

It is important to take a baseline of all your systems during a period of normal activity so you can monitor for deviations from that norm. Once an abnormality is detected it needs to be analyzed to determine 1. whether an active incident is occurring and 2. how to prioritize your response to it. The steps you take to deal with the incident should be enacted quickly, in a way that minimizes damage as much as possible.
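To make the "baseline, then watch for deviations" idea concrete, here is an added example (not code from the original article) that works over the log-file source named above. It builds a per-source baseline of failed SSH logins from a period of normal activity, flags any source in a later monitoring window whose failures exceed that baseline, and separately flags a successful login that follows a burst of failures from the same source, which is the kind of abnormality that needs analysis before it is declared an incident. All log lines are constructed sample data in the style of OpenSSH sshd syslog output; the hostname, users, addresses, and the sigma and floor thresholds are assumptions.

```python
"""Baseline-and-deviation detection over constructed sshd log lines (added example)."""
import re
import statistics
from collections import Counter

# Matches both "Failed password for bob from 10.0.0.7 ..." and
# "Failed password for invalid user admin from 203.0.113.44 ...".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
ACCEPT_RE = re.compile(
    r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def _line(ts, msg):
    """Build one constructed syslog-style sshd line (hostname 'bastion' is made up)."""
    return f"Mar 14 {ts} bastion sshd[2201]: {msg}"


# Constructed 'normal period': a few mistyped passwords per internal source, nothing unusual.
BASELINE_LOGS = [
    _line("01:02:11", "Failed password for alice from 10.0.0.5 port 50122 ssh2"),
    _line("01:02:19", "Accepted password for alice from 10.0.0.5 port 50122 ssh2"),
    _line("03:17:40", "Failed password for bob from 10.0.0.7 port 50310 ssh2"),
    _line("03:17:45", "Failed password for bob from 10.0.0.7 port 50310 ssh2"),
    _line("03:17:51", "Failed password for bob from 10.0.0.7 port 50310 ssh2"),
    _line("03:18:02", "Accepted publickey for bob from 10.0.0.7 port 50310 ssh2"),
    _line("09:41:13", "Failed password for carol from 10.0.0.9 port 50877 ssh2"),
    _line("11:05:30", "Failed password for alice from 10.0.0.5 port 50999 ssh2"),
    _line("11:05:36", "Accepted password for alice from 10.0.0.5 port 50999 ssh2"),
    _line("12:00:00", "pam_unix(sshd:session): session closed for user bob"),
]

# Constructed 'monitoring window': normal activity plus one external source that
# fails nine times across several usernames and then gets in.
WINDOW_LOGS = [
    _line("14:02:10", "Failed password for alice from 10.0.0.5 port 51010 ssh2"),
    _line("14:02:17", "Accepted password for alice from 10.0.0.5 port 51010 ssh2"),
    _line("14:30:01", "Failed password for invalid user admin from 203.0.113.44 port 41000 ssh2"),
    _line("14:30:03", "Failed password for invalid user admin from 203.0.113.44 port 41001 ssh2"),
    _line("14:30:05", "Failed password for root from 203.0.113.44 port 41002 ssh2"),
    _line("14:30:07", "Failed password for root from 203.0.113.44 port 41003 ssh2"),
    _line("14:30:09", "Failed password for invalid user test from 203.0.113.44 port 41004 ssh2"),
    _line("14:30:11", "Failed password for invalid user oracle from 203.0.113.44 port 41005 ssh2"),
    _line("14:30:13", "Failed password for deploy from 203.0.113.44 port 41006 ssh2"),
    _line("14:30:15", "Failed password for deploy from 203.0.113.44 port 41007 ssh2"),
    _line("14:30:17", "Failed password for deploy from 203.0.113.44 port 41008 ssh2"),
    _line("14:30:40", "Accepted password for deploy from 203.0.113.44 port 41008 ssh2"),
    _line("15:10:22", "Failed password for alice from 10.0.0.5 port 51333 ssh2"),
]


def failed_logins_by_source(lines):
    """Count failed logins per source address; non-matching lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def build_baseline(lines):
    """Summarize the normal period: per-source counts plus their mean and spread."""
    counts = failed_logins_by_source(lines)
    values = list(counts.values()) or [0]
    return {
        "per_source": dict(counts),
        "mean": statistics.mean(values),
        "stdev": statistics.pstdev(values),
    }


def find_deviations(baseline, lines, sigma=3.0, floor=5):
    """Flag sources whose failure count exceeds mean + sigma*stdev (never below floor)."""
    threshold = max(floor, baseline["mean"] + sigma * baseline["stdev"])
    counts = failed_logins_by_source(lines)
    flagged = {ip: n for ip, n in counts.items() if n > threshold}
    return {"threshold": threshold, "flagged": flagged}


def suspicious_successes(lines, min_failures=5):
    """Return sources that logged in successfully after at least min_failures failures."""
    failures = Counter()
    hits = set()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and failures[m.group("ip")] >= min_failures:
            hits.add(m.group("ip"))
    return hits


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    print("baseline:", base)
    print("deviations:", find_deviations(base, WINDOW_LOGS))
    print("success after burst:", suspicious_successes(WINDOW_LOGS))
```

The floor matters as much as the sigma: with a quiet baseline the statistical threshold can land at four or five failures, which is a single person forgetting a new password, so the floor keeps the alert from firing on ordinary noise. The second check is the one an analyst cares about most, since a source that fails repeatedly and then succeeds is no longer "probing" but has a foothold, which is exactly the prioritization question the text raises.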

Step 5 – Outline a multistep containment procedure

The goal of a containment procedure is to minimize damage. There are three steps in a containment procedure. The first is short-term containment. This step sets permanent solutions aside and instead looks for immediate measures that limit damage as much and as quickly as possible. For example, this can include rerouting traffic from a source country from which a DDoS attack is being launched.

The next step can be taken to gather more information on the attack, which may be necessary if legal action is taken against the attacking party. This step, known as system backup, is where you take a forensic image of any affected systems while the incident is still underway.

The final step in the containment procedure is long-term containment. Its goal is to allow for business continuity while containing and eradicating the attack. Systems should be repaired enough to allow normal business function, any backdoors the attackers left should be removed, and affected systems should be patched.

When determining the best steps to take during a containment procedure, certain factors need to be considered. These include the potential damage to resources, and the time and resources that will be needed to implement a containment strategy. Service availability and business continuity should also be considered when making decisions. The duration of the solutions you are implementing, along with whether they will fully contain the incident, tells you whether a solution is only short-term and, if so, how much time it will buy you. Finally, the need to preserve forensic images will weigh on the importance of the second containment step, system backup.

Step 6 – Eradicate threats and recover your systems safely with business continuity in mind

While containment procedures mitigate damage and allow business to continue where possible, eradication focuses on making sure you have gotten rid of the threat entirely. This generally means reimaging a system's hard drives so that no malicious content remains. After the malicious content is eradicated, all systems should be patched so that another attack cannot exploit the same vulnerabilities in the future. Affected systems can also be scanned with anti-malware software to ensure any latent malware is removed.

Recovery deals with getting all affected systems back online safely. Every system should be carefully monitored once it is brought back online to make sure it does not become compromised again. Systems may have to be restored from clean backups or, in the case of more damaging attacks, rebuilt entirely.

Getting systems fully recovered can take time. Immediate attention should be given to getting critical systems back online and making high-value improvements to the security perimeter. Easy changes should also be made promptly, such as changing all passwords that could have been compromised. In the long term, focus can shift to harder-to-implement changes to security infrastructure where needed.

Step 7 – Know how to learn from the incident

Having a CIRP will help mitigate damage, but there will likely be things you see afterward that could have been improved. After an incident has been dealt with, the incident response team should hold a meeting to go over the incident. Each stage should have been documented, so going through the procedure blow by blow can highlight strengths of the plan as well as areas for improvement.

The overall plan should be evaluated. Did the steps you wrote down cover everything, or were there parts that needed to be expanded? The team structure should also be examined. Did information flow well? Was any one role overwhelmed with an impossible number of tasks that could be delegated next time? As a small business, this is also an opportunity to look at the tools and vendors you use. Did your tools work efficiently? Do more need to be added to better support future incident response? If you outsource, were you pleased with your MSSP's response? It is best to treat incidents as a way to learn and improve.

Conclusion

Incident response plans are an integral part of cybersecurity and should be part of any good risk management plan. To function well, a CIRP should work alongside the other security measures you have implemented.
