When faced with a real-life cybersecurity threat, few organizations know what steps to take first in order to handle the incident and minimize its impact on the business. Having a well-thought-through cybersecurity incident response plan (IRP) in place is the only way to get yourself fully prepared for dealing with this kind of situation.
In this article, we tell you in detail how you can build an IRP that perfectly fits the needs of your business using the NIST framework for incident response.
Incident response plan: what it is, why you need one, and how to build it
What is an IRP?
An incident response plan is a document containing a structured methodology for handling and mitigating the consequences of security incidents, cyber attacks, and data breaches.
Why is it important to have an incident response plan?
An IRP is highly recommended for businesses of any size. When planning an incident response, it’s important to take a multi-tiered approach to secure your organization’s network and assets.
Plus, you always need to balance security with the productivity of your corporate network and deployed systems.
Checklist for building a sample incident response plan
Below, we give you ten tips to build or check your organization’s incident response plan. Read further for detailed NIST guidelines, key steps, and tips on finding a technological solution.
- Specify the main incident response requirements that you need to follow (NIST, HIPAA, PCI DSS, etc.) along with business-related requirements (response times, recovery strategies, etc.).
- Conduct a security audit to identify the weaknesses in your company’s network and deployed systems that you can address immediately.
- Define what a security incident is. Your employees need to know what events are considered security incidents, how to define their severity, etc.
- Name responsible people who will be in charge during an incident and decide what parties need to be informed and involved in handling an incident.
- Include a comprehensive communication plan. Your IRP must specify who to call first in case of an incident, when to call them, and who to contact if they’re unavailable.
- Make a short list of security incidents your organization is most likely to face or has faced in the past. Plan procedures to address these incidents. Then expand the scope of covered security incidents little by little.
- Add various options to your IRP: levels of possible data breaches, levels of incident severity, types of affected endpoints, etc.
- Plan recovery scenarios. Incorporate backup solutions and specify system restoration and data recovery procedures that should be followed in the event of a security incident.
- Report to proper authorities. Include a list of authorities that should be notified in the event of a specific incident. For instance, GDPR and California’s SB1386 require issuing a public notification in case of a data breach.
- Improve your IRP based on previous incidents. Once you’ve handled a new incident, analyze it in depth to update your current IRP with more effective response strategies, procedures, and scenarios.
Now, let’s see how you can build a fitting IRP for your organization. We’ll start with choosing a guideline to follow when figuring out how to respond to a potential security incident.
NIST as a guideline for building an incident response program
While there are a lot of guidelines and ready-to-use cyber incident response plan templates, not all of them are applicable to all kinds of organizations.
Creating an incident response program from scratch is just as challenging as building an insider threat program. For every organization, the choice of the most effective incident response scenario will depend on the specific IT environment, the threats the organization faces, and the organization’s business needs.
However, the National Institute of Standards and Technology (NIST) provides a series of guides that every organization can use as a baseline for building their incident response program.
In particular, you can follow the recommendations of the Computer Security Incident Handling Guide, 800-61 Revision 2 to effectively manage a potential cybersecurity incident.
According to NIST guidelines for incident management, an incident response plan should include these main phases:
Each phase includes a number of steps an organization should consider adding to their IRP. Let’s look closer at these phases.
An organization should be ready to deal with a cybersecurity incident before it actually happens and plan all necessary response procedures in advance. The preparation phase also includes planning what to do to prevent a data breach or attack from happening in the first place.
Detection and analysis
An organization must be able to detect cyber incidents and have tools and technologies in place to collect, document, and analyze data relevant to the incident. To make this task a bit easier for you, NIST specifies eight attack vectors (see below) and lists the most common signs of a cybersecurity incident.
When required, an organization should also be able to prioritize an incident according to its impact and recoverability and then notify the proper authorities about the breach.
Containment, eradication, and recovery
An organization must be able to effectively handle an attack, remove the threat, and start recovering affected systems and data.
At these phases, it’s also important to gather evidence about the incident to use later both for resolving the incident and in legal proceedings.
After effectively handling a security incident, an organization should use the information learned from the incident to improve its current IRP.
The best thing about the NIST cybersecurity framework is that it’s both flexible and adaptive, so it can be efficiently implemented by large enterprises as well as small businesses. Let’s see how to build a NIST-compliant IRP for your organization.
Tips for implementing a NIST-compliant incident response plan
NIST provides quite detailed incident response guidelines to building an effective IRP. The main problem here is that there’s so much information that you may find yourself lost in recommendations.
Below is a NIST incident response checklist of five must-take steps to make sure your incident response program meets both NIST requirements and your company’s needs.
1) Establish a cybersecurity incident response team
Or at least choose responsible personnel.
No matter the size of your organization or the field you work in, the first thing to do when planning an IRP is to create a cybersecurity incident response team (CIRT).
A CIRT is responsible for coordinating key resources and team members during a security incident so the impact of an attack is minimized and all operations are restored as quickly as possible.
The main functions of the CIRT are to:
- Define incident response policies and procedures
- Handle cybersecurity incidents in a timely manner
- Investigate and analyze previous incidents
- Create an incident reporting capability and establish necessary communications
- Train staff and raise awareness about cybersecurity threats and their mitigation
- Improve the current incident response program
The number of members of your CIRT depends on the size of the company, its potential data loss, and its geographic reach. However, make sure to appoint a team leader who will be in charge of responding to and handling an incident.
Pay special attention to CIRT training: each CIRT member should know key cybersecurity policies and procedures of your organization as well as their specific responsibilities in case of an attack.
2) Plan all procedures in advance
Planning ahead is vital.
Should a cybersecurity incident take place, your CIRT needs to know exactly how to handle it with minimal losses. However, you need to not only compose but also battle test your computer security incident response plan before any real-life incident occurs.
There are four main tasks your CIRT needs to accomplish at the planning stage:
First, you need to determine what events are considered cybersecurity incidents. Then, create an incident response plan for each type of potential incident.
In its Computer Security Incident Handling Guide, NIST specifies a list of attack vectors and suggests developing a common incident response scenario for incidents that use the same attack vector.
Among common attack vectors are:
- External or removable media (for instance, an infected USB device)
- Loss or theft of equipment (a lost corporate laptop or authorization token)
- Web (attacks executed from a web application)
- Email attacks (emails with a link to a malicious website)
- Impersonation (spoofing and man-in-the-middle attacks)
- Improper use (access misuse)
- Attrition (brute-force attacks)
- Other (all other attacks)
Next, prioritize possible threats and attacks based on their impact. After all, there’s no sense wasting time on managing minor attacks when a larger breach remains unaddressed.
The NIST incident response plan offers three impact-based criteria for determining the priority of an incident:
NIST incident severity levels depend on several factors:
- Functional impact determines the impact a particular incident has on business operations.
There are four levels of functional impact:
- None — no functional impact on the organization’s systems
- Low — the organization’s systems are largely unaffected
- Moderate — the organization can’t deliver some of its services
- High — the organization cannot provide at least one critical service to all users
- Information impact depends on the importance and sensitivity of the information leaked during the incident.
Information impact also has four categories:
- None — no data was leaked
- Privacy breach — sensitive personally identifiable information was leaked
- Proprietary breach — possible compromise of trade secrets
- Integrity loss — data was possibly altered
- Recoverability impact is a measure of the resources an organization needs in order to fully recover from the incident.
Recoverability impact has four levels as well:
- Regular — no additional resources are required
- Supplemented — additional resources are required but the organization can predict the overall recovery time
- Extended — the recovery time can’t be predicted
- Not recoverable — the organization is unable to recover from the incident
This three-tiered approach is flexible enough to be adopted by any organization.
Once all the classification work is done, it’s time to start planning standard procedures for responding to different categories of cybersecurity incidents. Consider building containment strategies and standard operating procedures (SOPs) for the most common types of events such as system failures, denial of service, intrusion, and spyware infection.
In a SOP, specify the technical processes, techniques, checklists, and forms to be used by the CIRT in the event of a particular incident.
For further guidance on establishing proper response procedures, you can refer to NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response.
3) Monitor user and network activity
If you can see it, you can manage it.
One of the best ways to prevent a potential attack is by monitoring everything that happens on your network. Consider deploying a user activity monitoring solution to address the problem of insider threats and subcontractor-related security risks.
By keeping an eye on the activity of individual users and activity on your network, you can:
- Detect and terminate an attack at an early stage
- Collect evidence and valuable data for further analysis
To move even further, you can implement a solution with behavioral user monitoring functionality. Using AI-powered technologies, such solutions can detect anomalies and deviations from baseline user behavior within the monitored infrastructure. Don’t forget to mitigate your own corporate risks by building an insider threat incident response plan.
When choosing the right user activity monitoring solution, look for one that also has a flexible incident response system on board. Being able to set custom real-time alerts and automate at least some of SOPs will help you ensure a timely response to cybersecurity incidents.
4) Take care of backups and recovery strategies
No one wants to lose valuable data.
A recovery strategy is a key part of any IT incident response plan.
Just like with handling an incident, it’s better to think about recovering from an incident before any breach actually happens and compose detailed examples of data recovery procedures for different scenarios.
You can start with determining what data is most valuable to your business and take additional care about its protection. This will let you know what to focus on in the event of a real-life cybersecurity incident: what data you’ll need immediately and what assets can be restored the next day or even the next week without causing any damage to the business.
There are two major tasks for your CIRT to keep in mind regarding the organization’s recovery from a cybersecurity attack or data breach:
- Data recovery. It will be difficult to quickly counter a cybersecurity incident without a backup system in place. Deploying a data loss prevention tool and creating backups will help you safely restore all business-critical information if your organization faces a cybersecurity incident.
For better protection of your critical data, choose a hybrid backup solution combining on-premises and cloud-based services. Also, consider limiting access to sensitive data by deploying a identity and access management solutions for NIST compliance.
And if a security incident does happen, make sure to back up the affected systems so you can preserve their current state for forensics.
- Service restoration. The following two steps are critical for restoring your organization’s systems to normal operation after an incident:
- Check your network to confirm that all systems are operational.
- Recertify as operational any systems or components that might have been affected during the incident.
You may also need to reset passwords for users of breached accounts and block accounts and backdoors that potentially enabled the intrusion.
5) What to focus on when updating your incident response plan
There’s always room for improvement.
According to NIST, organizations should review their incident response plans at least once a year. However, given the constant appearance of new cybersecurity threats, it would be wiser to check and update this plan more frequently, especially for larger companies.
Whenever your business faces a significant change, be it entering a new sphere or changing internal infrastructure, these changes should be mirrored in your IRP.
- New attack vectors and security threats relevant to your business
- Updates and changes to local and industry cybersecurity requirements
- Lessons learned from previous attacks and breaches
- Incident handling procedures and solutions that can be improved
For instance, if your organization is a potential target for a new cybersecurity threat, it’s important to prepare an adequate incident response scenario for this type of attack. Plan, test, and document all procedures and recovery tools related to the new threat.
Examining the way real-life incidents have been handled in your organization is also important. Such analysis can show you if your current strategy is good and what can be done to prevent such incidents from happening again.
Real-time incident response with Ekran System
Ekran System provides you with everything you need to respond to user-based insider threats effectively and in a timely manner.
Using our platform, you can:
- Monitor the activity of employees and third-party vendors
- Set custom alerts and notifications
- Terminate suspicious sessions and kill processes
- Block USB devices of a restricted type
- Block users based on specific events
In addition, you can get detailed activity reports and export audit data in a forensic format.
Having an incident response plan is crucial for organizations and businesses of any size.
While there are ready-to-use incident response plan templates, it’s more beneficial to build a customized incident response plan that reflects your specific requirements and to build your own insider threat response plan according to your own internal investigations.
To make this process a bit easier, organizations can refer to common security standards and popular guidelines such as those provided by NIST.
When building an incident response plan in accordance with NIST standards, an organization should cover four major phases of the NIST incident response process:
- Detection and analysis
- Containment, eradication, and recovery
- Post-incident activity
Within each of these phases, a set of tools and procedures should be specified for handling a specific attack vector or specific security issues.
Ekran System offers a rich set of incident response capabilities, from real-time alerts and notifications to proactive manual and automated incident response tools.
Start our 30-day trial to see how you can benefit from using our immediate incident response tools and analysis capabilities.