Prepare for Battle: Let’s Build an Incident Response Plan (Part 2)

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Part 2: Reviewing The Incident Response Plan

In our first part of this series, we covered key considerations when drafting an incident response (IR) plan. Today, let’s cover what plan review looks like and the best way to get buy-in from key stakeholders in the company. Collaborative study helps ensure that all involved parties—including those not in security—understand their roles over the course of an incident.

Prepare Each Player for Incident Response

An effective incident response plan should take into account the organization’s accepted level of risk and prepare for the most probable threats your company and industry will face. For example, if the security function isn’t getting the full attention it deserves, the incident response plan should reveal those weaknesses. If that is the case, priority should be focused on stopping opportunistic, non-targeted threats, as there may be limited capability to detect a targeted attack.

Exhibit A: Preventative controls against a well-funded attacker.

Once the plan provides context on probable attacks, take the time to define roles. All listed personnel should understand what steps to take and where they stand in the process. This includes communication guidelines. If there is general panic and a constant need for updates during an incident, this will frustrate and ultimately slow down the efficacy of your team.

Also, see if anyone hasn’t been included in the plan and add accordingly. Talk with executives, stakeholders, and non-security people and ask, “Are you able to help with these responses? What needs to be done?” When reviewing the IR plan, be sure to update any drafted public relations (PR) content to reflect the latest changes.

Review the Roles and Protocols in Your Incident Response Plan

Ensure that if there is a suspected incident, departments know how to report it, whether it’s via phone, email, communications apps, or in person. And if the suspected incident is on a collaboration system (i.e., email), it’s best NOT to use that system to report it.

The security team should have a general incident triage workflow in order to build context and eliminate false positives; this helps stakeholders understand which items merit higher escalation. From there, all other cross-functional stakeholders should have clear processes to aid with response.

Next, all players should review the protocols for communications during an incident. For example, alternate communication channels should be mapped out when there’s potential that primary channels are compromised, thus protecting remediation plans from the prying eyes of attackers. Communication should be on a need-to-know basis, avoiding unnecessary chatter.

Review for Flaws; Plan for Adjustments

This is the time to really evaluate your ability to detect malicious behavior. Our recommendation is to map your detection capabilities to the attack chain—make a diagram mapping out the steps required to breach your organization. For example, if a remote worker’s endpoint or cloud service credentials are compromised, how might an attacker then gain access to critical internal network assets?

We have found that teams largely have detection coverage gaps early in the attack chain. This includes detections for network scans, the use of stolen credentials, and lateral movement—attackers using privileged credentials to move elsewhere on the internal network. See how our incident detection and response solution can help with this.

The incident response plan should be detailed enough to cover the most frequently encountered incident types, yet flexible enough to allow for changes to meet evolving threats. Reviewing and adjusting the plan to accommodate these evolutions will help close any gaps in containing an attack.

In the meantime, also review for gaps in your response capabilities. Teams will become overwhelmed and side-tracked if they cannot effectively investigate an incident when confronted with one. For more on how we can partner with you to form a comprehensive program, check out our new Strategic Services toolkit.

When to Review Your Incident Response Plan

To get the most out of reviews, define regular intervals for them. While quarterly is ideal, yearly is mandated by compliance standards that require explicit response plans and annual certifications.

Having an incident response plan puts you way ahead of the curve. In order to make the most of this effort, you have to put the plan to the test. Just as all warriors must spar to gain power—or at least undergo a training montage—successful response demands mental preparation and muscle memory. In the next post, we’ll cover best practices for putting your incident response plan to the test, including attack simulations and tabletop exercises. Stay tuned, and please share your own findings and suggestions below.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Rapid7
Rapid7 (NASDAQ:RPD) powers the practice of SecOps by delivering shared visibility, analytics, and automation that unites security, IT, and DevOps teams. The Rapid7 Insight platform empowers these teams to jointly manage and reduce risk, detect and contain attackers, and analyze and optimize operations. Rapid7 technology, services, and research drive vulnerability management, application security, incident detection and response, and log management for more than 7,000 organizations across more than 120 countries, including 52% of the Fortune 100.
Promoted Content
30-Day Trial: UBA-Powered SIEM with Rapid7's InsightIDR
Rapid7 InsightIDR delivers trust and confidence: you can trust that any suspicious behavior is being detected, and have confidence that with the full context, you can quickly remediate. From working hand-in-hand with security teams, we understand how painful it is to triage, false-positive, vague alerts and jump between siloed tools, each monitoring a bit of the network. InsightIDR combines SIEM, UBA, and EDR capabilities to unify your existing network & security stack. By correlating the millions of events your organization generates daily to the exact users and assets behind them, you can reliably detect attacks and expose risky behavior - all in real-time.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?