Incident Response Plan

“We are going to have an incident; we need to prepare to respond.”  

This is the attitude your organization should have towards cybersecurity incidents.  Most organizations, no matter the size, no matter the industry, will have some sort of cybersecurity incident over the course of their history.  Despite your best efforts at hardening and a defense-in-depth cybersecurity posture, adversaries can move faster than your defenses can keep up.  Having an in-depth Incident Response Plan will speed your recovery from the inevitable cybersecurity incident.

Incidents come in all forms, ranging from benign user negligence to outright adversarial hacking.

Here is a definition of a computer security incident and some examples, via the US National Institute of Standards and Technology (NIST) Computer Security Incident Handling Guide:

A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of incidents are:

An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.

Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.

An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.

A user provides or exposes sensitive information to others through peer-to-peer file sharing services.

There are myriad other examples of incidents–too many to enumerate, and too many for any organization to prepare for individually.  The key is to have a flexible, adaptable incident response plan. 

Totem can help your organization develop an Incident Response Plan (IRP) that makes sense for your organization.  It’s usually not a good idea to try to copy someone else’s boilerplate Incident Response Plan; it is guaranteed not to address the peculiarities of how your organization operates.  It’s better to develop your own custom Incident Response Plan internally, but don’t let that turn you off.  It’s actually pretty simple if you follow the proper incident response steps. A robust plan describes the policies and actions the organization has developed to address four incident response steps:

Incident Response Steps

Preparation

Detection and Analysis

Containment, Eradication, and Recovery

Post-Incident Follow-up

The goal of addressing these incident response steps is to limit the business impact of any incident.  We’ll start with some best practices, which will be the foundation of your Incident Response Plan.  Then, we’ll help you craft a custom Incident Response Plan by leading your team through a series of exercises designed to provoke internal conversation on what to do in various real-life incident scenarios.  The output of these exercises fleshes out your plan into a working set of incident response steps.

No plan is complete until it has been tested.  Once your incident response plan is in place, we’ll guide your organization through tests of the plan, to ensure it is usable, complete, and accurate, and to ensure the incident response team understands their responsibilities.  Don’t have an incident response team?  That’s OK, Totem Tech can fill that role for your organization too.  We and our partners perform incident response for organizations of all sizes, from small businesses to Fortune 500 companies, ensuring the inevitable incident doesn’t evolve into an avoidable data breach or long-term compromise.   

Don’t get caught unprepared!  Call us for more info on our Incident Response services.