
Incident Response Plans: Why Your Team Needs Them

We hear about cybersecurity attacks in the news all the time. We know they exist in our daily lives and some people fear them, but how dangerous are they?

Many studies show that more than half of organizations lack the capability to gather data from across their own environment or to coordinate centralized alerts to the business about suspicious activity. So how many organizations actually have incident response plans, and how many have no plan at all for attacks like this? Recent studies have shown that 45% do not have any type of incident response plan in place.

When a breach or severe incident occurs, businesses need to have an incident response (IR) plan ready on file or easily accessible. The numbers show that only a small portion of organizations has an IR plan in place, two-thirds do not, and the small fraction that does have one has never actually tested it. So if no one has a plan, what is the point of having one? How does an organization even test an incident response plan? Is it like having a fire drill?

Here are some tips for the immediate, short-term, and long-term incident response efforts that help you avoid an even more difficult situation:

Immediately thereafter
  • Speed and precision: Take a look at whatever you can find about the adversary’s behavior and the applicable countermeasures; this provides the insight needed to plan out a course of action. Acting quickly will limit further damage.
  • Plan, then attack: Like a sports team losing at halftime, learn how your opponent is exploiting your weaknesses. In this case, note the exfiltrated information and files, and search for indicators of compromise across hosts and network traffic. Needless to say, plan accordingly and choose wisely.
  • Isolate unaffected networks and systems: There’s no need to shut off all systems or take down your networks, but it’s important to identify, where possible, where the adversary is and isn’t, and to isolate assets from impacted networks or hosts. Avoiding further infiltration can only happen if you respond quickly and appropriately.
Short-term efforts
  • Record actions: It is important to monitor and track how you defend yourself during an attack so that you can remediate and understand what produced positive results and what did not, together with where certain vulnerabilities might have been exploited or contributed to the incident.
  • Retain an expert: If you don’t have the required skills, you could be putting your business, or even the handling of the incident itself, at further risk. Hire external, qualified experts to augment your incident response and remediation efforts in the event of a compromise, and work with advanced incident response consultants regularly by running breach readiness and incident response tabletop exercises.
Long-term efforts
  • Identify, remediate and assess vulnerabilities: After the immediate threat has been neutralized, the process of recovery must begin as part of a well-orchestrated response. You must identify and remediate the vulnerabilities that threat actors exploit. Prepare your team, change your processes, and update your technology so that you can avoid repeat occurrences. By doing this, you can better identify risk and exposure points within your network perimeter.
  • Deploy network and endpoint monitoring systems: These systems will help your team more efficiently detect and investigate current and future threat events. Organizations have to do all they can to ensure that they have the highest level of visibility into their IT and networking environment through continuous monitoring and active response.
  • Brief and review the organization’s IR plan: It is critical to analyze and interpret the results of a tabletop assessment using the intelligence you’ve gathered from past experiences, current events, and even expert consultants. Collaborate with information sharing groups and connect with other businesses that have mature incident response teams and have implemented best-practice incident response monitoring within their organization.

Maintaining visibility and repeatable processes during any security crisis is crucial to minimizing loss to your organization. Make sure you have incident response plans! Don’t let moments of high stress and careless mistakes destroy your company or brand. CyberSponse has been proven to save time and money in your organization’s response and in its cost of doing business.

For more information on incident response and on the best in Security Orchestration, Automation and Response (SOAR), please reach out to our sales team. CyberSponse was named one of the Top 20 promising companies from RSA 2017 by CIO Review. No participation trophy here!