Security Incident Response Plan
The fight to protect your company’s data is not for the faint of heart. As a combative IT warrior, with more systems, apps, and users to support than ever before, keeping everything “in the air” is already a struggle. When it comes to avoiding the worst-case scenario, you need all the help you can get despite your superhero status.
What is a Security Incident Response Plan?
If a five-year-old asked us to explain what a Security Incident Response Plan (SIRP) is, we might say something like this: “It’s kind of like a fire drill, but for the IT people.”
When the worst-case scenario becomes reality, it is essential to have the right plan in place: the right people in the right place (who know what to do), the right tools and the right preparation.
A Security Incident Response Plan can be divided into 6 phases:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
This sequence is commonly known as the "PICERL" model, the acronym of the six phase names, popularised by SANS. It is one widely used model, not the only one: NIST SP 800-61, for example, groups the same work into four phases (preparation; detection and analysis; containment, eradication and recovery; post-incident activity).
Preparation
Prepare users and IT staff to deal with incidents before they occur. This step includes, but is not limited to:
- Education of the personnel
- Preparing communication templates for internal and external parties
- Writing, approving and distributing the SIRP itself, including up-to-date contact lists and escalation paths
- Provide tools for identifying and containing threats
- Make sure backups of the most critical assets are available and have been test-restored; keep at least one copy offline or immutable, so that an attacker who reaches the production network cannot encrypt or delete it
Part of preparation is also making sure that your network and infrastructure are sufficiently secure and segmented. The better they are, the better incident response will work: a well-segmented network limits how far an attacker can move and makes containment and eradication easier, and well-documented, reproducible infrastructure (known-good images, configuration management) shortens recovery time.
Identification
First of all you have to determine whether there is an incident at all and how severe it is. To determine the severity, you have to analyze the threat, establish what happened and identify the affected systems, accounts and users. The following actions help with this step:
- Check log files
- Check monitoring systems
- Check antivirus, SIEM and EDR alerts
- …
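A small worked example of the identification step, added here for illustration (it is not Spinae's tooling and not part of the original post): it parses a handful of constructed OpenSSH log lines, flags source addresses that exceed a brute-force threshold (the threshold of three failures is an assumption chosen for the example), treats successful logins from such an address as compromised credentials, and derives the list of affected hosts and users plus a severity rating from that.

```python
"""Triage constructed SSH auth log lines: which hosts and users are affected,
and how severe the incident looks.  Added example; the log lines are made up."""
import re
from collections import defaultdict

# Constructed sample data in OpenSSH/syslog format (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 10:01:12 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2
Mar  3 10:01:14 web01 sshd[2233]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Mar  3 10:01:15 web01 sshd[2235]: Failed password for root from 198.51.100.7 port 51026 ssh2
Mar  3 10:01:17 web01 sshd[2237]: Failed password for root from 198.51.100.7 port 51028 ssh2
Mar  3 10:01:18 web01 sshd[2239]: Failed password for root from 198.51.100.7 port 51030 ssh2
Mar  3 10:01:20 web01 sshd[2241]: Accepted password for root from 198.51.100.7 port 51032 ssh2
Mar  3 10:02:05 db02 sshd[4412]: Accepted publickey for backup from 10.0.0.12 port 40110 ssh2
Mar  3 10:03:40 db02 sshd[4420]: Accepted password for backup from 198.51.100.7 port 51100 ssh2
Mar  3 11:15:00 app03 sshd[910]: Accepted publickey for deploy from 10.0.0.12 port 40111 ssh2
"""

# One regex for both "Accepted" and "Failed" sshd lines, including "invalid user" attempts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

FAILED_THRESHOLD = 3  # failures from one IP before we call it brute force (assumed value)


def parse(log_text):
    """Return a list of dicts (ts, host, result, user, ip); unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(log_text):
    """Identify suspect source IPs, affected hosts/users and a coarse severity."""
    events = parse(log_text)
    failures = defaultdict(int)  # source ip -> number of failed logins
    for ev in events:
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
    suspect_ips = {ip for ip, n in failures.items() if n >= FAILED_THRESHOLD}

    # A successful login from an address that was brute-forcing means the
    # credentials are compromised, whatever account it landed on.
    compromised = [ev for ev in events
                   if ev["result"] == "Accepted" and ev["ip"] in suspect_ips]
    hosts = sorted({ev["host"] for ev in compromised})
    users = sorted({ev["user"] for ev in compromised})

    if not suspect_ips:
        severity = "none"          # nothing suspicious in this log window
    elif not compromised:
        severity = "low"           # brute force attempted, no success seen
    elif "root" in users or len(hosts) > 1:
        severity = "high"          # privileged account or lateral spread
    else:
        severity = "medium"

    return {
        "suspect_ips": sorted(suspect_ips),
        "affected_hosts": hosts,
        "affected_users": users,
        "severity": severity,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed data this reports 198.51.100.7 as the suspect address, web01 and db02 as affected hosts, root and backup as affected accounts, and severity "high", which is exactly the list of systems and users the containment phase needs. The same pattern scales to a SIEM query: the value of the step is turning raw alerts and log lines into an explicit scope (which hosts, which accounts, which source) before any containment action is taken.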
Containment
Isolate affected systems to prevent further damage (impact control): block the attacker's source addresses, disable the compromised accounts, and cut the affected hosts off from the network. Prefer network-level isolation over powering machines off, so that volatile evidence (memory, running processes, connections) can still be collected. This is a step where automation pays off, because speed matters and the same actions recur in every incident.
At this stage, critical decisions have to be made that can impact the business, such as taking a production system offline. Decisions must be made fast, and there is always a risk that something goes wrong. Organizations should therefore define in advance which risks are acceptable when dealing with incidents, and who is authorized to take such decisions, and develop containment strategies accordingly.
Eradication
Find and eliminate the root cause. Once the incident is contained, the attacker's components must be removed: deleting malware, disabling breached user accounts and revoking credentials or tokens they may have obtained. It is equally important to identify and fix all the vulnerabilities the attacker exploited; otherwise the same entry point is used again.
Attackers frequently plant a backdoor to regain access later: an extra user account, an added SSH key, a scheduled task or service, a web shell, or a new mail-forwarding rule, for example. These persistence mechanisms must be found during eradication, or the attacker simply returns after recovery.
Recovery
Bring affected systems back into production and monitor them closely. The main focus is to restore normal operation and to confirm that the systems are working normally and that the attacker has not returned.
This includes:
- Restoring systems from clean backups
- Rebuilding systems from scratch
- Replacing compromised files with clean versions
- Installing patches
- Resetting passwords and rotating keys, tokens and certificates that may have been exposed
- …
For large-scale incidents, the eradication and recovery phases can take weeks or months.
Lessons learned
Write down, analyze and review everything with all team members, soon after the incident while details are still fresh, in order to improve the response to future incidents. The outcome should be concrete changes to the plan, the tooling or the infrastructure, not just a report.
Why is a Security Incident Response Plan useful?
A cyber security incident entails a lot of stress. Unfortunately, today it is no longer a question of 'if it will happen', but of 'when it will happen'.
Having a Security Incident Response Plan allows you as an organization to remain calmer, to act more efficiently and therefore to resolve the incident faster. The faster an incident is contained, the smaller its total impact.
But the problem with plans is that they are often designed to sit on the shelf until the day when the proverbial oxygen masks fall from the ceiling. Other than that, they’re just collecting dust (except for the occasional auditor visits).
It is therefore important not to choose a passive, but an active approach when drawing up, using and maintaining your Security Incident Response Plan.
Performing a Tabletop Exercise (TTX) is useful to identify difficulties or problems in the Security Incident Response Plan and to train staff on handling an incident. The goal of a TTX is to simulate a possible incident and solve it by following your SIRP. Afterwards the response plan is updated and optimized where needed.
Let us help you develop your Security Incident Response Plan.
With Spinae we are specialized in cyber security. We are well aware that it is impossible for most companies to draw up a solid Security Incident Response Plan tailored to their organization. Spinae wants to help you with this.
Contact us for further information or an introductory meeting.
Tags: blog, cyber security