Is your
organization's
incident response
plan up to par?

Modern cyber attacks are getting harder to prevent. Cyber criminals have a well-stocked arsenal of attack tools and countless techniques for staying hidden. Hacks, social engineering attacks and malware were three of the top four tactics used in data breaches in 2019, according to the 2020 Verizon Data Breach Investigations Report. The continued growth of 5G, cloud computing and Internet of Things deployments means more devices, data and assets for attackers to target.

An ounce of prevention is worth a pound of cure, but when it comes to cyber security, it could be worth a whole lot more. The average cost of a data breach is nearly $3.9 million—a tough bill to swallow. Unfortunately, many response plans are failing: The average time to identify and contain a breach is 280 days, enough time for a breach to wreak some serious havoc.

How you construct your response plan and how you determine when an incident is serious enough to merit a response will depend on how comfortable you are with risk. Once you figure out these parameters, National Institute of Standards and Technology (NIST) guidelines suggest handling security incidents in four key phases:

• Prepare. Develop a plan that aligns with any relevant regulatory requirements, such as the Payment Card Industry Data Security Standard, the General Data Protection Regulation, the California Consumer Privacy Act and the Health Insurance Portability and Accountability Act. Identify key stakeholders inside and outside your organization and define what their roles and responsibilities will be during an incident. Synchronize your response plans with your business continuity plans and stakeholders.
• Detect, analyze and validate. Early detection and validation is crucial, as this will determine which stakeholders need to get involved and what they should do. The NIST and Verizon offer ready-made incident classifications you can adopt as your own. The security controls you use to detect incidents could include endpoint detection and response, file integrity monitoring, data loss prevention, network traffic analysis, security information and event management, and dark web monitoring. Escalate detected incidents to the relevant stakeholders and notify regulators, board members, shareholders, customers and employees where appropriate.
• Contain, eradicate and recover. This step is first about ring-fencing the threat before it can cause any damage (or any more damage). Containment strategies will depend on the type of attack; your response plan should have contingencies for each major incident type (e.g., distributed denial of service attacks, malware infection). Next, you'll need to eliminate the components of the incident—after a malware attack, for example, you'd need to delete the malware, disable any breached user accounts and restore or rebuild any affected systems. After containing and eradicating the threat, you will need to remediate any vulnerabilities and restore operations. Keeping an up-to-date inventory of your organization's critical IT and data assets will help with this stage, and effective use of threat intelligence will help you better understand attackers' tactics, techniques and procedures.
• Review, assess and adjust. Collected incident data is your friend and will help improve response plans. Tracking metrics such as time spent resolving incidents and costs per incident can establish key performance indicators to tell you how well your incident response plans are supporting business objectives. You can use incident data not only to enhance response plans but also to build resilience into the organization—for example, by proactively patching endpoints or updating security controls.

Attackers are always refining their tactics, and your plan must evolve with them. Only 40% of organizations appraised by Verizon between 2016 and 2018 included periodic reviews, testing and updates in their incident response plans.

There are several tests that can help you refine and optimize your plans:

• Paper tests are a typical first step for security operations centers, but they leave plenty of room for error and should probably only be used to document small changes.
• Tabletop exercises are more hands-on and involve key stakeholders running through various security incident scenarios. The more realistic the exercises, the more you'll get out of them.
• Simulated attacks are the most resource-intensive, but they're also the most effective test. Simulated attacks reveal, in real time, just how well your response plans work.