Many security teams are operating with incident response plans that haven’t been updated — or even looked at — in months or years. That’s a big mistake. While revising documentation is nobody’s idea of a good time, an outdated plan is rarely useful to anyone. IT security professionals should revisit their plans regularly to ensure that they’re ready to meet their organizations’ needs based upon their current operating environment and the modern threat landscape.
Incident response plans are often first created to check a box — perhaps there’s an upcoming technology audit, or you’re certifying against a new security standard or seeking to comply with a new regulation. Whatever the impetus, technology leaders often pull together the first version of an incident response plan in a hurry to meet a deadline, then put it back on the shelf to gather dust.
That approach might fulfill an immediate need, but the plan certainly isn’t a useful tool to help guide an organization when an incident occurs. A well-designed incident response plan serves a much more important purpose: It brings the calm, collected environment of the planning room into the chaos of a security incident. Here are five things organizations can look for as they seek to revitalize their incident response plans.
1. Identify Critical Systems and Information
One of the most important components of an incident response plan is a listing of the systems and information that are critical to business operations. This asset list serves as an important tool to prioritize incident response efforts by strengthening protections around those systems and restoring them first in the event of a service disruption.
Business circumstances change over time, and the critical asset inventory will too. It isn’t reasonable to assume that the list of vital assets developed when the response plan was first written is still valid today. Security pros should take the time to validate this asset list and determine whether the organization’s current business environment warrants adding or removing items from the inventory.
2. Update Threat-Specific Responses
Just as a business evolves over time, so does the threat landscape. Researchers discover new vulnerabilities, attackers develop new tactics and security controls mitigate risks in different ways. An incident response plan update should include some thought about how changes in the external threat environment might affect the plan.
Consider how effective the plan would be in covering the types of incidents that are occurring at other organizations. For example, ransomware attacks have increased dramatically over the past year. While it might make sense to treat this threat as similar to other malware threats from a prevention standpoint, ransomware raises new questions from an incident response perspective: If such an attack occurs, will the organization consider paying the ransom? If so, under what circumstances? The process of creating and updating an incident response plan is an opportunity to guide those future decisions.
3. Consider an Incident Response Retainer
Responding to a security incident requires skill and expertise in the discipline of incident response as well as in the specific technical domains impacted by the incident. Some organizations have at least one IT team member dedicated to incident response, but many smaller businesses can’t do that.
Even those that can may benefit from outside expertise. And it’s best to have that help on retainer long before an incident occurs, as it’s very difficult to bring an incident response consultant into an ongoing attack when no prior relationship exists.
A response plan revision is a good time to consider entering into a retainer agreement with a consultant. This allows the business to get the contractual arrangements out of the way and establish technical and management contacts to facilitate the rapid deployment of expertise should it become necessary during an incident.
4. Keep the Contact List Current
Incident response efforts involve contacting a lot of people. Responders will need to activate internal escalation procedures to call in team members and notify management. They may need to contact vendors specializing in incident response or in certain critical business applications. It may be necessary to call in law enforcement to assist with a criminal investigation. A response plan revision should include an update of the organization’s contact list: Make sure that the contact information for internal escalation points, critical vendors and law enforcement liaisons is current. The last thing anyone wants to discover during a crisis is that a key contact left their position six months ago and someone new must be brought up to speed.
5. Incorporate Lessons Learned into New Plan Iterations
There’s an old adage among military tacticians: “No plan survives first contact with the enemy.” That sentiment certainly holds true when it comes to cybersecurity incident response. No matter how robust the plan seems when first designed, surprises are inevitable, as are situations where the plan, as written, doesn’t seem like the best course of action.
That’s when incident response teams must exercise their professional judgment — and there’s great wisdom in that judgment. In the days after every incident response, the security team should take some time to walk through the response effort and identify places where they were forced to deviate from the plan. Were those events shortcomings in the plan or one-off abnormalities? Does it make sense to modify the plan based upon recent experiences? This iterative process will make the plan stronger each time it is executed.
Incident response plans play a vital role in helping organizations through the chaos and confusion of a security breach. Small, periodic investments of time in plan maintenance ensure that a plan is battle-ready when the unexpected strikes.