Since we are in the middle of Cybersecurity Awareness Month, I want to know about your incident response plan or IRP. When you created your cybersecurity program, how did you go about developing an incident response plan for your information security team? What steps did you take? Who did you involve?
Some of you might be thinking, “I don’t have time to create an Incident Response Plan, John!”
Well, ok, I understand that, but think of this analogy: You are the coach of a high school basketball team, and you’re getting ready to play your first league game. Have you practiced at all? Have you run a few drills? Do you know who on your team is good at shooting the ball? Who’s good at passing the ball? Who’s good at defending? Who do you want as the captain of the team? Who do you not want on the team? Who might be best holding a clipboard or keeping score?
Would you put your team on the court without any plan or any practice? I don’t think you would. You would want to be as prepared as possible before you put your team on the court.
So today I want to talk about the basics of creating your IRP, about planning and being prepared for something more dangerous to you and your company than a basketball game.
An IRP can be customized for your specific company or organization of course, but you will want to cover this basic format for three general types of incidents: High, Medium, and Low. Sometimes these are called Priority 1, 2, or 3 incidents and sometimes they are given colors, like red, yellow, and blue. Regardless of the scale you use, the information below is a general guide for WHAT you want to do when you respond to an incident.
Suggested steps for response and remediation for High Level Incidents or Priority 1 (Examples: Active ransomware, data exfiltration, or other obvious malicious activity)
Time frame to respond: 2 hours or less
Escalation Procedure
Suggested steps for response and remediation for Medium Level Incidents or Priority 2 (Examples: odd behavior from a web browser, like redirecting to a support website, or a desktop application requesting login credentials)
Time frame to respond: 2–4 hours
Escalation Procedure
Suggested steps for response and remediation for Low Level Incidents or Priority 3 (adware, add-on search toolbars, peer-to-peer software)
Time frame to respond: 24–48 hours
Escalation Procedure
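The three tiers above are easy to write down and easy to lose track of once tickets start piling up. As an added example (not code from the original post or from CBTS), here is a small triage helper that applies the tier scheme exactly as the post states it: the example incident categories map to Priority 1, 2 or 3, each priority carries the post's response window (2, 4 and 48 hours, using the upper bound of each range), and every open or closed ticket is checked against its deadline so overdue Priority 1 work surfaces at the top of the queue. The category names, the sample tickets, and the choice to treat an unrecognised category as Priority 1 until someone looks at it are my assumptions, not anything the post specifies.

```python
"""Triage helper for a three-tier incident response plan.

Added example, not from the original post. Tier windows and example
categories follow the post; the incident records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Response window per priority, taken from the post (upper bound of each range).
RESPONSE_WINDOW = {
    1: timedelta(hours=2),   # High: active ransomware, data exfiltration
    2: timedelta(hours=4),   # Medium: browser redirects, apps prompting for credentials
    3: timedelta(hours=48),  # Low: adware, search toolbars, peer-to-peer software
}

# Category -> priority, using the example incidents named in the post.
# The category labels themselves are an assumption of this example.
CATEGORY_PRIORITY = {
    "ransomware": 1,
    "data_exfiltration": 1,
    "browser_redirect": 2,
    "credential_prompt": 2,
    "adware": 3,
    "search_toolbar": 3,
    "p2p_software": 3,
}


@dataclass
class Incident:
    ticket: str
    category: str
    detected_at: datetime
    responded_at: Optional[datetime] = None  # None means nobody has picked it up yet


def priority_for(category: str) -> int:
    """Map a category to a tier. Design choice (assumption): anything we have
    not classified yet is treated as Priority 1 so a novel event is never
    quietly parked at the bottom of the queue."""
    return CATEGORY_PRIORITY.get(category, 1)


def deadline(incident: Incident) -> datetime:
    """Latest time by which someone must have started responding."""
    return incident.detected_at + RESPONSE_WINDOW[priority_for(incident.category)]


def check(incident: Incident, now: datetime) -> dict:
    """Evaluate one ticket against its response window.

    state is one of: open (unanswered, still inside the window),
    overdue (unanswered, window passed), on_time, late.
    """
    due = deadline(incident)
    if incident.responded_at is None:
        breached = now > due
        state = "overdue" if breached else "open"
    else:
        breached = incident.responded_at > due
        state = "late" if breached else "on_time"
    return {
        "ticket": incident.ticket,
        "priority": priority_for(incident.category),
        "due": due,
        "state": state,
        "breached": breached,
    }


def triage_report(incidents: List[Incident], now: datetime) -> List[dict]:
    """Evaluate every ticket and order the result by priority, then deadline,
    so the most urgent Priority 1 item is always first."""
    results = [check(i, now) for i in incidents]
    results.sort(key=lambda r: (r["priority"], r["due"]))
    return results


# Constructed sample queue (not real incidents).
NOW = datetime(2024, 10, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    Incident("INC-1", "adware", NOW - timedelta(hours=30)),
    Incident("INC-2", "ransomware", NOW - timedelta(hours=3)),
    Incident("INC-3", "browser_redirect", NOW - timedelta(hours=5),
             responded_at=NOW - timedelta(hours=2)),
    Incident("INC-4", "unknown_beacon", NOW - timedelta(minutes=30)),
]

if __name__ == "__main__":
    for row in triage_report(SAMPLE, NOW):
        flag = "!!" if row["breached"] else "  "
        print(f'{flag} P{row["priority"]} {row["ticket"]:<6} {row["state"]:<8} due {row["due"]:%Y-%m-%d %H:%M}')
```

Running the block lists the ransomware ticket first and flags it as overdue (detected three hours ago against a two-hour window), the unclassified beacon next as an open Priority 1, the browser redirect as answered on time, and the adware ticket as open with plenty of its 48-hour window left. The point is not the arithmetic but the habit: once the tiers are in code, the "time frame to respond" you wrote into the plan becomes something the team is measured against every day rather than something read once during a drill.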
If creating an incident response plan still looks like more work than you have time for, remember that cyber attackers spend all of their time looking for your network’s weak spots. Like any good game plan, your IRP will create a stronger, more nimble team with the skills to respond to those attacks and beat your opponents.
After you make your plan with your Information Security Team (even if it’s your regular IT guys who have a dual role doing InfoSec), you need to practice it. Not every day, but once a quarter. Then again, depending on your environment, you might end up practicing it every day because you have a lot of incidents. I hope that’s not the case, and I hope this helps you and your organization on the road to a safer and more secure work environment.
Need more help with your cyber defense? Contact the CBTS cybersecurity team today.
More tools for your cybersecurity toolbox from CBTS Consulting CISO John Bruggeman:
What is Cyber Insurance and do I need it?
Can you be ransomware-proof? Is that even possible?
Getting ransomware-proof, continued: CIS controls for medium-size organizations
Improve your cybersecurity defense with centralized logging
Improve your cybersecurity defense with centralized logging, continued: A deeper dive!
Zero Trust Networks (ZTN): what are they and how do I implement one?