An incident response plan (IRP) is a plan you can use to identify vulnerabilities and to detect and respond to security incidents.
The purpose of an IRP is to standardize and facilitate effective incident response and to minimize the damage caused by incidents. In this article, you’ll learn the key considerations when creating an IRP and which components to include in the plan.
Considerations for Incident Response Planning
Creating an effective incident response plan requires significant time and effort but can greatly improve the security of your systems and data.
When developing and refining your IRP, make sure to consider the following elements:
- Management buy-in—buy-in from management provides support for organizing the best possible team and resources. If you do not have management support, you are unlikely to have the resources or time needed to create a viable plan.
- Detailed but flexible guidelines—your plan should contain enough detail that any team member can pick it up and follow it. However, it should also allow for dynamic actions that adapt to the specific situation at hand. You want to cover as many incident situations as possible without making your plan unusable or creating blockades for your responders.
- Clear roles and responsibilities—you should clearly outline who your responders are and what they are responsible for in an incident. This includes what actions they should take, who they should report to, and how they should interact with non-responders, such as customers.
- Periodic testing—once you have a plan developed, you need to test it to make sure it functions as expected. You can accomplish this testing with planned or unplanned drills. After the drill is over, you can use any feedback to make improvements to the plan or clarify its contents.
Bolster Your Incident Response Plan
Threats are constantly evolving as attackers attempt to find new ways to bypass security measures and infiltrate systems. This evolution requires organizations to consistently and reliably update their IRPs. Below are five ways you can update your current plan to help ensure you remain ready when an attack occurs.
1. Use Playbooks
Playbooks are documents that fully outline steps to be taken to perform a process. These tools can be created for any process but are particularly helpful for standardizing IRPs. With playbooks, you can design exact response strategies for a wide variety of situations. These playbooks can then be applied by responders when an incident occurs.
Since the playbook fully outlines the actions to be taken, responders are less likely to forget steps or make mistakes due to the stress of responding. Additionally, playbooks enable you to easily pass on information and expertise to any responder. For example, you can provide a playbook that outlines how to disable and redeploy compromised containers. Any team member using the playbooks should be able to perform the procedure competently regardless of their background.
Additionally, you can benefit from experience outside your organization by adopting playbooks written by external experts. These playbooks can help you ensure that you are employing best practices regardless of who is available to serve as part of your incident response team.
2. Incorporate Threat Intelligence
You should incorporate threat intelligence feeds into your incident response tooling. Threat intelligence enables you to better correlate events and can improve your detection rates and increase your response effectiveness. Additionally, threat intelligence can help you perform threat hunting for threats that have bypassed your detection tools. Threat hunting is a process in which threats are proactively searched for as opposed to passively identified.
3. Automate Investigation
Automation of repetitive or tedious processes can free your security teams to perform more specialized and demanding work. It can provide you with more consistent and continuous monitoring and response. Automation can also enable you to be more proactive in your incident responses, triggering actions as soon as a suspicious event is detected.
When used correctly, automation can help you avoid overlooking alerts and notifications by prioritizing alerts according to predefined thresholds. Automation tools can more quickly process and analyze data and can provide analysts with valuable context for incidents. This enables security analysts to focus their time on the most relevant threats and improves your ability to mitigate damage.
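As an added illustration of the two points above (correlating alerts with a threat intelligence feed, then prioritizing them against predefined thresholds), here is a small triage routine. It is example code written for this article, not a product or a real feed; the indicator values, thresholds, weights and alerts are all constructed.

```python
"""Added example (not from the article): triage a batch of constructed alerts.

Each alert is correlated against a small threat-intelligence indicator set and
scored against predefined thresholds, so the highest-priority alerts surface
first instead of being lost in the queue.  Indicators, weights and alert
contents are constructed for illustration only.
"""
from dataclasses import dataclass, field

# Constructed threat-intelligence feed: indicator -> confidence (0-100).
# A real feed (STIX/TAXII, vendor API) would be loaded here instead.
THREAT_INTEL = {
    "203.0.113.7": 90,          # documentation-range address, constructed
    "bad-updates.example": 70,  # constructed domain
}

# Predefined thresholds mapping a numeric score to a priority label.
THRESHOLDS = [(80, "critical"), (50, "high"), (20, "medium"), (0, "low")]


@dataclass
class Alert:
    source: str                   # tool that raised the alert (EDR, proxy, auth)
    indicator: str                # IP or domain observed in the event
    failed_logins: int = 0
    asset_criticality: int = 1    # 1 (lab host) .. 5 (production data store)
    context: list = field(default_factory=list)  # enrichment shown to analysts


def score_alert(alert: Alert) -> int:
    """Score 0-100: threat-intel match, login failures and asset value."""
    score = 0
    confidence = THREAT_INTEL.get(alert.indicator)
    if confidence is not None:          # known-bad indicator lifts the score
        score += confidence // 2
        alert.context.append(f"{alert.indicator} in TI feed ({confidence}%)")
    score += min(alert.failed_logins, 20)   # capped so it cannot dominate
    score += 8 * alert.asset_criticality    # protect what matters most
    return min(score, 100)


def priority(score: int) -> str:
    for threshold, label in THRESHOLDS:
        if score >= threshold:
            return label
    return "low"


def triage(alerts: list) -> list:
    """Return (priority, score, alert) tuples, highest score first."""
    ranked = []
    for alert in alerts:
        score = score_alert(alert)
        ranked.append((priority(score), score, alert))
    return sorted(ranked, key=lambda item: item[1], reverse=True)
```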
Automation tools can also help you evaluate system vulnerabilities in the preparation stage of your IRP. For example, you can use automated scanners to inventory system components and check for out-of-date versions. Or, you can use automated penetration testing tools to simulate attacks and verify that your existing security controls work as intended.
4. Flexible Response Plans
Each security incident is unique; even if it shares characteristics with other threats, some aspects will differ. To handle this, you need to ensure that your detection and response tools can accommodate these differences. Make sure your plan includes both specific responses and information that helps responders adapt to the specifics of an attack.
One way to accomplish this is to create multiple response levels for each threat type or severity. For example, you can include one response for when ransomware is found that had not yet been activated and another for when ransomware has been triggered and is affecting multiple data stores.
5. Adopt User and Entity Behavior Analytics (UEBA)
UEBA is a process that uses machine learning to collect and analyze data. UEBA solutions use analyses to develop baselines of “normal” behavior in a system. Solutions then monitor event data in real-time and compare it to these baselines. When an anomaly is detected, an alert is sent to security teams or automatic responses are triggered.
UEBA’s method of baseline comparison allows security teams to detect and address incidents that might otherwise be missed by traditional tools or manual searches. For example, UEBA can detect incidents caused by malicious insiders despite their use of valid credentials. Traditional tools overlook these threats because credentials pass authentication checks. UEBA solutions, however, enable you to dynamically assess system conditions and respond intelligently according to the most recent data.
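To make the baseline comparison concrete, here is a minimal UEBA-style check written for this article (not from any UEBA product). It learns a per-user baseline of access volume and working hours from a window of constructed past events, then flags new events that deviate from it; the account uses valid credentials throughout, which is exactly the case authentication checks alone do not catch.

```python
"""Added example (not from the article): a minimal UEBA-style baseline check.

A baseline of "normal" per-user activity is built from past events, then each
new event is compared against it.  All events are constructed.  Real solutions
use far richer features and models; the shape of the comparison is the point.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (user, hour_of_day, files_read) per session.
HISTORY = [
    ("alice", 9, 12), ("alice", 10, 15), ("alice", 9, 11), ("alice", 14, 13),
    ("alice", 11, 14), ("alice", 9, 12), ("alice", 15, 10), ("alice", 10, 13),
    ("bob", 8, 40), ("bob", 9, 45), ("bob", 13, 38), ("bob", 8, 42),
]


def build_baseline(events):
    """Per-user baseline: typical volume (mean, stdev) and hours seen."""
    per_user = defaultdict(list)
    for user, hour, files in events:
        per_user[user].append((hour, files))
    baseline = {}
    for user, rows in per_user.items():
        volumes = [files for _, files in rows]
        baseline[user] = {
            "mean": mean(volumes),
            "stdev": pstdev(volumes),
            "hours": {hour for hour, _ in rows},
        }
    return baseline


def check_event(baseline, user, hour, files, z_limit=3.0):
    """Return anomaly reasons for one event; an empty list means 'normal'."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]      # unknown account: analyst review
    reasons = []
    stdev = profile["stdev"] or 1.0          # flat history: avoid divide-by-zero
    z = (files - profile["mean"]) / stdev
    if z > z_limit:
        reasons.append(f"volume z-score {z:.1f} exceeds {z_limit}")
    if hour not in profile["hours"]:
        reasons.append(f"hour {hour:02d} never seen in baseline")
    return reasons
```

A 03:00 session by alice reading 500 files produces two reasons (volume and hour) even though the login itself succeeded; that is the alert a baseline comparison adds on top of authentication.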
UEBA is often integrated with Security Information and Event Management (SIEM) solutions for greater impact. By combining these tools, you can gain visibility across your systems and respond from a centralized console. This is particularly useful for incident response since it enables teams to respond more quickly and effectively.
Conclusion
The cybercriminals of 2020 use advanced technology and social engineering to hack networks, systems, and devices. They deploy bots, use AI to mimic human patterns and behavior, and trick users into revealing information.
As machines get better at mimicking human behavior and authentic resources, it becomes increasingly difficult to differentiate between normal user behavior and malicious activity. To ensure the continual safety of networks, incident response plans and tooling must be continually updated. Automated playbooks, threat intelligence, UEBA, and response actions can help keep the network secure even during zero-day events and new attack techniques.
About the Author
Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Samsung NEXT, NetApp and Imperva, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership.