Expert Tips on Incident Response Planning & Communication
An organization's ability to recover quickly in the wake of a cyberattack is directly proportional to their incident response capabilities. In essence, incident response (IR) is a procedure designed to address security breaches in a coordinated way to limit their negative effects and reduce recovery time and costs.
Much has been said and written about the usefulness and necessity of IR, especially in the context of information technologies. This article, however, focuses on two primary IR aspects:
Learn Incident Response
- Challenges related to putting the IR plan into practice
- Methods to communicate the IR plan
To clarify these points, we invited expert Darrell Switzer to share his insights on effective IR plan development. Darrel is the managing director of incident response and cyber resilience services at Kudelski Security.
1. What Are the Biggest Challenges When Developing, Testing & Implementing an Incident Response Plan?
Switzer: Initially, the biggest challenge is getting the IR plan aligned with the actual capabilities and resources of the organization. The gold-standard IR plan assumes a gold-standard detection and response capability — something that doesn't exist in most organizations.
Best practice incident response plans only work for compliance audits. A strategically implemented incident response plan must align with the company culture, business goals and technical capabilities of the organization to be successful in the long term. Incident response plans taking a purely technical approach to security breaches and do not involve business strategy in the development of the plan routinely fail. Without buy-in from key business stakeholders, the incident response plan will not have the executive support and resource dedication required to be effective.
All members of the primary and extended incident response teams must be trained on their individual responsibilities during an incident. Role playing and tabletop exercises replicating the most likely attack scenarios are effective approaches to exposing the existing plan to critique, exercising your team and their response processes.
Crisis situations demand calm leadership. Executive-level tabletop exercises are also a proven approach to ensure the executive team is prepared to manage a large-scale breach scenario, including how to answer difficult questions and make business-appropriate decisions under pressure.
2. What Is the Best Way to Communicate the Incident Response Plan?
Switzer: Communication of the incident response plan involves several working groups. The first is the executive leadership team who must ensure everyone in the organization is aware of the importance of the incident response plan and must champion any required changes in the organization.
Traditional communication platforms such as newsletters, Intranet and internal company emails are all proven methods to increase your organization's security awareness and gain their needed support in identifying incidents quickly. Attack simulations and tabletop exercises are also very effective ways to help your team understand what actions will be required of them during an incident.
Tabletop exercises should be conducted at the executive and technical level. The executive leadership team needs to understand critical decisions are made during an incident and their impact can potentially extend far beyond the impact of the actual incident. Tabletop exercises geared towards technical teams and subject matter experts are also very effective in identifying gaps in security tools, processes and training. These technical exercises are objective based, requiring the response team to prove the accuracy of tools, effectiveness of containment steps and execution of remediation processes.
Conclusion
It's clear that without an IR plan, the IR team will likely fail to manage a security incident effectively. It is also essential for company leadership and other relevant departments to be involved in the IR planning process. In addition, making incident response (and basic information security for that matter) a key part of company culture seems to be the real solution for preventing many security challenges.
During an incident, it is very likely chaos will rise. Poor data sharing practices between the IR team, IT operations team and other stakeholders can hamper the overall success of incident response. Consequently, a well-defined communication protocol is the perfect tool to manage affected departments and stakeholders in a time of crisis. As any part of the IR plan, the communication plan must be documented, tested and validated regularly to ensure it meets the company's requirements.
Learn Incident Response
Even the most advanced technologies become useless without proper planning, staff training and regular upkeep. Attack simulations and tabletop exercises as a viable alternative to traditional methods of disseminating the IR plan among other employees. Such methods provide excellent illustrative examples and require active participation from all people involved. Following this approach, the two-dimensional text in the IR plan becomes three-dimensional, because participants apply the procedure in practice.
Sources
- CLEAR DATA BREACH COMMUNICATION (2017). Crisis Communication and Incident Response pt. 2.
https://www.clairetills.com/single-post/2017/09/13/Crisis-Communication-and-Incident-Response-pt-2 (26/01/2018) - Drinkwater, D. (2017). 10 steps for a successful incident response plan.
https://www.csoonline.com/article/3203705/security/10-steps-for-a-successful-incident-response-plan.html (26/01/2018) - Kovacs, E. (2016). Suffocating Volume of Security Alerts Challenge Incident Response.
http://www.securityweek.com/incident-response-becoming-more-difficult-survey (26/01/2018) - Seqrite (2017). 5 steps for a successful incident response plan.
http://blogs.seqrite.com/5-steps-for-a-successful-incident-response-plan/ (26/01/2018)
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- Expert Tips on Incident Response Planning & Communication
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- How to Use AlientVault SIEM for Threat Detection & Incident Response
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool