Put Your Incident Response Plan Together Before The Next Attack

News came out recently that Yahoo agreed to a $350M cut on its sale price to Verizon following the disclosure of two massive security breaches. Yahoo is also on the hook for 50% of any future costs. Some experts are estimating the security breaches will end up costing Yahoo around $1.5B. The Identity Theft Resource Center also recently released a report of confirmed data breaches for 2017. In total, they identify 144 breaches that exposed over 1 million personal records. The incidents they reference span across multiple industries and companies.

No company wants to be on the news due to a breach, but the reality of the situation is, if you’re using technology, you’re going to be attacked at some point. Unfortunately, too many organizations wait until after an incident occurs before developing an incident response plan and by then it’s too late.

The keys to building an effective incident response capability are planning early and practicing often. Below are some tips to consider when putting together your incident response plan.

Prepare Before the Incident

Start with identifying the risk. Understand how an attack could have a negative effect on you. For example, is the primary risk financial loss? Perhaps there is a legal or regulatory risk that if you were to disclose customer data you could be fined or have business suspended. In many cases, the risk is reputational – e.g., will your customers or partners stop doing business with you because of what happened. In other cases, the risk stems from theft of intellectual property or loss of competitive advantage. For manufacturing or other industrial control systems, there could be a personal safety risk to operators and customers. Whatever the risk, identify it and understand what you’re protecting.

Once the risk is identified, assemble the team. Yes, there will probably be a group of technical personnel on the incident response team. You have to think broader than that, though. Consider who to involve from the leadership, legal, human resources, public relations, accounting and operations teams. Understand that the organization may have to spend some money, talk to the media, interact with auditors, calm down customers, etc. The IT team probably shouldn’t be carrying out these types of functions, and if they are it means technical tasks may be going untouched.

When you have the risks identified and the team established, it’s time to document and educate everyone on the plan. Make sure everyone is aware of his or her responsibilities and ready to assemble when the time comes. The plan should include technical capabilities, notification thresholds, and the names of those with decision-making authority.

Detect and Analyze Malicious Behavior

You need to be sure your systems are logging properly and analyzing those logs regularly to understand what normal behavior looks like. If you don’t know what constitutes “normal,” it’s impossible to know what “malicious” looks like. Centralized logging makes this task much easier but, even if you can’t centrally log, at least dedicate some time to understanding what your individual systems are telling you. The worst way to find out there’s a problem is when someone else tells you. By the time that happens you’re probably already in too deep. If you can identify and detect anomalies or malicious behavior before it gets out of hand, your chances of limiting the damage increase dramatically. Don’t just look at this from a network and server perspective, either.  Understand the users and the applications. For example, if your CFO is on vacation with no access to technology but you still see checks being signed, there’s probably something shady going on.

Contain, Eradicate and Recover

If you have the team in place and you can detect malicious behavior, recovery becomes much easier. The first task is to prevent the incident from spreading. That may involve shutting down certain systems or isolating them so they can no longer talk to unaffected systems. It is at this phase that the leadership and other non-technical team members become so important. You’ll have to start weighing the pros and cons of disrupting business operations to contain the threat. The sooner you contain the threat, the easier eradication and recovery become. You don’t want to resume normal operations only to find out that the threat is still spreading to areas you didn’t know about. Once the threat is isolated, you can start eliminating it and getting back to normal.

Post-Incident Reporting

Even though the incident may be over, the team’s job is not finished. Now it’s time to look at what happened and start identifying ways to prevent similar events in the future. At this point, right after an incident is completed, you’ll have executive leadership’s attention for resources. Now’s the time to ask for that security incident and event management system or extra security analysts.  If an employee clicks a link and nothing bad happens, leadership doesn’t care. If they click a link and it leads to five days of downtime then leadership will certainly care, see the tangible effects, and be willing to act. I recommend a post-incident report. Document concerns and needs and report them to the leadership team. It’s important to document each incident and trend the smaller incidents so the leadership team is aware of what’s happening. It’s also a great way to see if you’re trending toward a larger level incident and feed into the detection process.

Put A Cyber Security Plan Into Action

Need a hand documenting or executing a company-wide security plan? Arraya Solutions’ Cyber Security Practice can help. Our team has experience working with all levels and departments within an organization to ensure sensitive data stays out of the wrong hands.

Start a dialogue today by visiting us at www.arrayasolutions.com/contact-us/ or contacting us through social media: LinkedIn, Twitter, or Facebook. While there, be sure to follow us to stay updated on our latest industry insights, special events, and more.