An incident response plan documents how your organization responds to IT security incidents or breaches. The instructions contained in any good incident response plan will equip IT staff with the knowledge to detect, respond to, and swiftly recover from the range of network security threats they face daily, should one of those threats become reality.
The incident response plan covers everything from data breaches to buffer overflows to ransomware attacks. The main aim is to manage serious network incidents in an orderly manner to minimize both the damage inflicted and the cost of recovery. Shockingly, up to 77% of organizations don’t have any response plan in place at all, so the first step is to actually draw up a documented plan.
However, cybersecurity attack vectors evolve all the time, and business IT infrastructure continues to change with the increased adoption of cloud computing. Together, these factors mean an incident response plan needs updating over time. This article provides you with seven tweaks you should consider making to improve your company’s incident response plan.
1. Set up a CSIRT
A CSIRT (Computer Security Incident Response Team) is a dedicated group of employees that focuses its attention on putting the incident response plan into action when adverse network events occur.
Each CSIRT member should know precisely what their roles and responsibilities are on the team, and the team as a whole should be made aware that following the approved response plan is imperative to proper management of and recovery from network security incidents.
2. Keep tabs on the external threat landscape
Threats that were relevant two or three years ago might not be relevant now. Similarly, new threats emerge all the time. It is for these reasons that keeping tabs on the external threat landscape can provide important insights for updating your incident response plan.
For example, it was reported in 2018 that cryptojacking displaced ransomware as the most prevalent cyber threat. A few years ago, cryptojacking would’ve been an extremely low likelihood and low priority threat to the point that most incident response plans wouldn’t have even referenced these types of threats. Keeping updated on cyberattacks faced by other organizations is a prudent way to ensure your incident response plan evolves to deal with contemporary threats.
3. Properly define and categorize incidents
One of the most basic steps - the definition and categorization of incidents - can make or break an incident response plan. While defining incidents sounds straightforward, in practice, categories and definitions can overlap, causing the plan to become muddled, with nobody quite sure how to respond to incidents that do occur.
Proper definition and categorization provide the basis for properly escalating and managing incidents. You need to precisely define specific incidents, avoid overlapping in definitions, and rank the severity of each incident to match it with an appropriate response.
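As an added illustration (this is not code from the article), the following taxonomy defines each incident category by the indicators that must be present, ranks it by severity, and maps it to a response. A classifier picks the most specific matching category and, among incomparable matches, the more severe one; when two definitions still tie, that is exactly the overlap the article warns about, and `find_overlaps` surfaces every such pair. All category names, indicators and response targets are constructed for the example.

```python
"""Added example (not from the article): a small incident taxonomy whose
categories are defined by observable indicators, ranked by severity and
mapped to a response, plus a check that no two definitions overlap.
All category names, indicators and response targets are constructed."""
from dataclasses import dataclass
from enum import IntEnum
from itertools import combinations
from typing import FrozenSet, List, Optional


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Category:
    name: str
    indicators: FrozenSet[str]   # every indicator must be present to match
    severity: Severity
    response: str                # hypothetical owner and response target


class AmbiguousIncident(Exception):
    """Raised when two equally severe, equally specific categories match."""


# Constructed taxonomy. A more specific category (more indicators) wins over
# a less specific one; among incomparable matches the higher severity wins.
TAXONOMY: List[Category] = [
    Category("phishing_attempt", frozenset({"malicious_email"}),
             Severity.LOW, "Helpdesk triage within 1 business day"),
    Category("credential_compromise",
             frozenset({"malicious_email", "credentials_entered"}),
             Severity.HIGH, "CSIRT resets credentials within 1 hour"),
    Category("malware_infection", frozenset({"malware_alert"}),
             Severity.MEDIUM, "SOC isolates host within 4 hours"),
    Category("ransomware", frozenset({"malware_alert", "file_encryption"}),
             Severity.CRITICAL, "CSIRT lead, executives notified within 30 minutes"),
    Category("data_breach", frozenset({"data_exfiltration"}),
             Severity.CRITICAL, "CSIRT lead and legal within 30 minutes"),
    Category("ransomware_with_exfiltration",
             frozenset({"malware_alert", "file_encryption", "data_exfiltration"}),
             Severity.CRITICAL, "CSIRT lead, legal and executives within 30 minutes"),
]


def classify(observed, taxonomy=TAXONOMY) -> Optional[Category]:
    """Return the single category an incident falls into, or None.

    Raises AmbiguousIncident when the taxonomy itself cannot decide, which
    is exactly the overlap the plan must eliminate."""
    observed = frozenset(observed)
    hits = [c for c in taxonomy if c.indicators <= observed]
    if not hits:
        return None
    # Drop any hit that a more specific hit strictly refines.
    specific = [c for c in hits
                if not any(c.indicators < o.indicators for o in hits)]
    top_severity = max(c.severity for c in specific)
    ties = [c for c in specific if c.severity == top_severity]
    if len(ties) > 1:
        raise AmbiguousIncident(sorted(c.name for c in ties))
    return ties[0]


def find_overlaps(taxonomy=TAXONOMY):
    """Pairs of categories that leave classification undecided when an
    incident shows both sets of indicators."""
    overlaps = []
    for a, b in combinations(taxonomy, 2):
        try:
            classify(a.indicators | b.indicators, taxonomy)
        except AmbiguousIncident:
            overlaps.append((a.name, b.name))
    return overlaps


# A muddled variant: a second HIGH category that can co-occur with
# credential_compromise without either definition refining the other.
MUDDLED = TAXONOMY + [
    Category("suspicious_login", frozenset({"anomalous_login"}),
             Severity.HIGH, "SOC review within 1 hour"),
]

if __name__ == "__main__":
    print(classify({"malicious_email", "credentials_entered"}).name)
    print(classify({"malware_alert", "file_encryption", "data_exfiltration"}).name)
    print(find_overlaps())          # [] -> definitions do not overlap
    print(find_overlaps(MUDDLED))   # [('credential_compromise', 'suspicious_login')]
```

Running `find_overlaps` against the plan's taxonomy before each revision turns "avoid overlapping definitions" into a mechanical check: the muddled variant is fixed either by giving `suspicious_login` a different severity or by adding a combined category that refines both, as `ransomware_with_exfiltration` does for ransomware and data breach.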
4. Simulated attacks provide valuable information
Organizations should not take the robustness of their incident response plans as a given. Testing your plan with simulated attacks can provide valuable insights that improve the way in which your organization responds to adverse cybersecurity incidents.
Conducting simulated attacks can unearth inefficiencies in the plan such as confusion over roles and responsibilities during specific types of attacks. Twice yearly testing should be more than enough to strengthen your plan on an ongoing basis.
5. Tweak your tests
Another useful tip is to tweak the type of tests you run. For example, you might try different types of simulated attacks such as social engineering attempts. Or, you might consider extending testing so that the attack vector you choose is exploited fully during the simulated test, which gives you an opportunity to see how well the plan works under extreme circumstances.
6. Regularly update contact details
It sounds like a basic detail to update regularly, but overlooking these basics is often what causes issues during real-world attacks on your IT systems. Because most incident response plans will contain contact details for a diverse range of people both internal and external to the company, it’s a good idea to make sure these details don’t become obsolete.
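As an added example (not part of the article), the audit below checks the kind of contact roster a plan typically carries: it flags contacts with missing details or a verification date older than the review window, required roles with nobody listed, and roles with no backup. The roles, roster entries, placeholder names and numbers, and the 90-day window are all constructed.

```python
"""Added example (not from the article): an audit of the contact roster kept
in an incident response plan. It flags contacts with missing details or a
stale verification date, required roles with no contact, and roles with no
backup. The roles, roster entries and 90-day window are all constructed."""
from datetime import date, timedelta

# Roles the plan must always be able to reach (hypothetical list mixing
# internal and external parties).
REQUIRED_ROLES = ["csirt_lead", "executive_sponsor", "legal", "pr", "isp_noc", "cyber_insurer"]
REVERIFY_AFTER = timedelta(days=90)
AUDIT_DATE = date(2024, 3, 15)   # fixed "today" so the example is reproducible

# Constructed roster; names and numbers are placeholders.
ROSTER = [
    {"role": "csirt_lead", "name": "A. Example", "phone": "+1-555-0100",
     "email": "a@example.com", "last_verified": "2024-02-01"},
    {"role": "csirt_lead", "name": "B. Example", "phone": "+1-555-0101",
     "email": "b@example.com", "last_verified": "2023-09-15"},
    {"role": "executive_sponsor", "name": "C. Example", "phone": "",
     "email": "c@example.com", "last_verified": "2024-03-01"},
    {"role": "legal", "name": "D. Example", "phone": "+1-555-0103",
     "email": "d@example.com", "last_verified": "2024-01-20"},
    {"role": "legal", "name": "E. Example", "phone": "+1-555-0104",
     "email": "e@example.com", "last_verified": "2024-01-20"},
    {"role": "isp_noc", "name": "F. Example", "phone": "+1-555-0105",
     "email": "noc@isp.example", "last_verified": "2024-03-10"},
    {"role": "cyber_insurer", "name": "G. Example", "phone": "+1-555-0106",
     "email": "claims@insurer.example", "last_verified": "2023-12-01"},
]


def audit_roster(roster=ROSTER, today=None, required_roles=REQUIRED_ROLES,
                 window=REVERIFY_AFTER):
    """Return (role, name, issue) findings; an empty list means the roster is current."""
    today = today or date.today()
    findings = []
    per_role = {}
    for contact in roster:
        per_role.setdefault(contact["role"], []).append(contact)
        # Every contact needs a phone and an e-mail address.
        missing = [f for f in ("phone", "email") if not contact.get(f)]
        if missing:
            findings.append((contact["role"], contact["name"], "missing " + ", ".join(missing)))
        # Details older than the review window must be re-confirmed.
        age = today - date.fromisoformat(contact["last_verified"])
        if age > window:
            findings.append((contact["role"], contact["name"], f"not verified for {age.days} days"))
    # Coverage: each required role needs a primary and at least one backup.
    for role in required_roles:
        count = len(per_role.get(role, []))
        if count == 0:
            findings.append((role, None, "no contact listed"))
        elif count == 1:
            findings.append((role, None, "no backup contact"))
    return findings


if __name__ == "__main__":
    for finding in audit_roster(today=AUDIT_DATE):
        print(finding)
```

Scheduling this against the live roster (for example on the same cadence as the simulated-attack tests) catches the stale phone number before a real incident does.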
7. Learn from data
Each time a network security incident arises, your organization gathers data on the type of incident and the processes enacted to deal with it. Put this data to use and improve your incident response plan. You can use this information on the types of attacks frequently faced, response times, escalation times, and more, all to improve the plan going forward.
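The metrics this step calls for can be computed straight from an incident log. The following is an added example, not code from the article: it takes constructed incident records (detection, acknowledgement, escalation and closure timestamps), reports incident frequency by type, median time to acknowledge, escalation rate and mean time to escalate, and then compares acknowledgement times against hypothetical targets from the plan to point at the incident types whose first-line response needs rework.

```python
"""Added example (not from the article): turning an incident log into the
metrics the article names, i.e. how often each incident type occurs,
acknowledgement and escalation times, and where the plan's response targets
were missed. The records and targets below are constructed for illustration."""
from collections import Counter
from datetime import datetime
from statistics import mean, median

# Constructed incident records. Timestamps (ISO 8601, local time) mark when
# the incident was detected, when a responder acknowledged it, when it was
# escalated to the CSIRT (None if it never was) and when it was closed.
INCIDENTS = [
    {"id": "INC-0001", "type": "phishing", "detected": "2024-03-01T09:00",
     "acknowledged": "2024-03-01T09:20", "escalated": None, "closed": "2024-03-01T12:00"},
    {"id": "INC-0002", "type": "phishing", "detected": "2024-03-03T14:00",
     "acknowledged": "2024-03-03T14:10", "escalated": None, "closed": "2024-03-03T15:00"},
    {"id": "INC-0003", "type": "phishing", "detected": "2024-03-05T08:30",
     "acknowledged": "2024-03-05T10:00", "escalated": "2024-03-05T10:30", "closed": "2024-03-05T16:30"},
    {"id": "INC-0004", "type": "malware", "detected": "2024-03-02T11:00",
     "acknowledged": "2024-03-02T11:15", "escalated": "2024-03-02T11:45", "closed": "2024-03-02T17:00"},
    {"id": "INC-0005", "type": "malware", "detected": "2024-03-07T22:00",
     "acknowledged": "2024-03-07T23:30", "escalated": "2024-03-08T00:00", "closed": "2024-03-08T06:00"},
    {"id": "INC-0006", "type": "ransomware", "detected": "2024-03-09T03:00",
     "acknowledged": "2024-03-09T03:10", "escalated": "2024-03-09T03:12", "closed": "2024-03-10T03:00"},
    {"id": "INC-0007", "type": "credential_compromise", "detected": "2024-03-11T10:00",
     "acknowledged": "2024-03-11T10:05", "escalated": "2024-03-11T10:20", "closed": "2024-03-11T13:00"},
]

# Hypothetical acknowledgement targets from the plan, in minutes per type.
ACK_TARGET_MIN = {"phishing": 60, "malware": 30, "ransomware": 15, "credential_compromise": 30}


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def frequency(incidents=INCIDENTS):
    """Incident types ordered by how often they were faced."""
    return Counter(inc["type"] for inc in incidents).most_common()


def summarize(incidents=INCIDENTS):
    """Per-type response metrics: count, median time to acknowledge,
    share escalated to the CSIRT, mean time to escalate, median time to close."""
    report = {}
    for inc_type in {inc["type"] for inc in incidents}:
        incs = [i for i in incidents if i["type"] == inc_type]
        ack = [_minutes(i["detected"], i["acknowledged"]) for i in incs]
        esc = [_minutes(i["detected"], i["escalated"]) for i in incs if i["escalated"]]
        close = [_minutes(i["detected"], i["closed"]) for i in incs]
        report[inc_type] = {
            "count": len(incs),
            "median_ack_min": median(ack),
            "escalation_rate": len(esc) / len(incs),
            "mean_escalation_min": mean(esc) if esc else None,
            "median_close_min": median(close),
        }
    return report


def missed_targets(incidents=INCIDENTS, targets=ACK_TARGET_MIN):
    """Incidents acknowledged later than the plan's target for their type."""
    return [(i["id"], i["type"], _minutes(i["detected"], i["acknowledged"]))
            for i in incidents
            if _minutes(i["detected"], i["acknowledged"]) > targets[i["type"]]]


def review_candidates(incidents=INCIDENTS, targets=ACK_TARGET_MIN):
    """Types whose typical acknowledgement misses target and which are
    usually escalated: the first-line response for them needs rework."""
    stats = summarize(incidents)
    return sorted(t for t, s in stats.items()
                  if s["median_ack_min"] > targets[t] and s["escalation_rate"] >= 0.5)


if __name__ == "__main__":
    print(frequency())
    for inc_type, stats in sorted(summarize().items()):
        print(inc_type, stats)
    print(missed_targets())
    print(review_candidates())
```

On the constructed data, malware incidents are always escalated and their median acknowledgement time is well over the 30-minute target, which is the kind of finding that should feed directly into the next revision of the plan's malware playbook or on-call coverage.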
Robust incident response plans rarely stand the test of time without changing, and a set-and-forget approach will almost certainly cause major headaches. Consider adopting these seven tweaks to improve your organization’s incident response plan and ensure you are prepared to deal with events that will compromise your IT security.