Resiliency In Your Incident Response Plan
By: DefenseStorm
All of us, by now, should be familiar with what an incident response plan is and why one should be established for your organization. If you aren't, an incident response (IR) plan is a documented process kept on hand as a reference to guide you through the steps for responding to a major incident in your organization. An IR plan is important because it provides consistency and continuity in your response and allows rapid, efficient, and precise action to be taken during what is often a highly stressful event. While IR plans can be used for nearly any type of incident, this blog focuses on cybersecurity IR plans.
Most financial institutions have some type of IR plan in place, stored away for when it's needed. However, quite often, IR plans are created with little or no resiliency built into them. Resiliency is important because it keeps a plan relevant and adaptable to the ever-changing threat landscape that defenders are dealing with. A resilient plan remains useful and applicable each time it is put into play, without the fear that it will "break" or that responders will have to improvise adjustments and workarounds on the fly. This reduces undue stress during high-stress events and helps individuals remain focused on the incident itself. In the next few paragraphs, we'll explore a few ways to add resiliency to your IR plan. The best part is that these recommendations work for new and existing plans alike. While not all-inclusive, they are great places to start.
The first recommendation is a simple step for building or adding resiliency to your IR plan: ensure everyone who is assigned a role in the IR plan knows where it is located and always has the most up-to-date copy. It might sound like an obvious step, but I have seen this issue too many times to count. It's actually quite common to hear responses regarding IR plans such as, "We have one somewhere," "We have one - Dave, or whoever, knows where it is," or "We have one, but I can't remember where we put it." If the members who have roles in the plan do not have a copy or do not know where the plan is housed, responders will panic during a crisis trying to find it, and stress only increases. The potential for on-the-fly decisions and mistakes also increases, because the response methodology is not immediately at the forefront. It's also challenging to keep a plan reviewed and up to date if no one can find the darn thing! If it's kept as a shared file, have everyone bookmark it and make sure there are no access issues; and since a major incident (ransomware, for example) may take the file share or email itself offline, keep an offline or out-of-band copy as well. If it's distributed as a standalone document or printed hard copy, send out the updated version whenever changes are made, or schedule it to go out quarterly whether or not it has been modified. Whatever you must do, just make sure the individuals who have active roles know where the plan is and can access it.
Now that everyone can find your IR plan, make sure it is reviewed. This ensures that roles and responsibilities reside with the right individuals (members who have left the organization or changed roles, for example) and that the documented responses are still applicable. Attacks and threats change constantly, and your IR plan may need to be adjusted to address new tactics and techniques used by bad actors. Review any tools the plan relies on to ensure they are still relevant and that new and existing members know how to use them. Check for compliance updates, such as changes to mandatory reporting requirements and their deadlines. IR plans should be reviewed at least quarterly, or whenever a major change in regulations occurs. And finally, after any incident in which your plan is used, always complete another review of the plan to capture what worked and what did not.
To help add resiliency to your IR plan, test it, and test it regularly. You play like you practice. If you only test your IR plan once a year and everyone fumbles through the response during that test, you are going to fumble through a real response. Military, law enforcement, and first responders train constantly to be prepared for anything they may face during their careers, so when those situations arise, they are confident, efficient, and knowledgeable about how to deal with and resolve the incident. Incident response in cybersecurity is no different. With rapid innovation in technology, threat actors are poised to attack, so preparation and practice are key components of success in thwarting those attempts.
There are several ways to test your IR plan. Tabletop exercises and simulated attacks are a great place to start. In IBM's "2023 Cost of a Data Breach Report," IR planning and testing ranked among the three most effective cost mitigators. The report put the average cost of a breach at $4.45 million, and according to IBM, "There was a difference of USD 1.49 million or 34.1% between high levels and little to no IR planning and testing." As a bonus, organizations with a functioning and tested IR plan reduced dwell time by 54 days!
Building or adding resiliency into your IR plan is critical to ensuring an effective response when a major incident occurs. It gives you a plan that is applicable when needed, with responders who are well trained and prepared to act. In addition, it can help reduce dwell time and overall cost should a major cyber incident occur. While what's been outlined here is not all-inclusive, putting these recommendations in place and into action is a great start toward immediately making new and old IR plans more resilient.