The Necessity of Incident Response Planning

Michael Salihoglu
| 7/25/2019
Not “If,” But “When”

Cybersecurity professionals abide by some variant of this oft-used adage: “There are two types of companies in the world: those that have been breached, and those that don’t know it yet.” The origin of this maxim aside, a recent alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as well as reports of elevated cyberattack activity have helped illuminate the reality that capable threat actors continue to add organizations to their successfully breached lists.

Incident response planning

One answer to these growing threats is shifting focus from solely attempting to prevent threats to planning how to respond to incidents. Incident response (IR) planning encompasses several areas and programs within an organization. The goal of IR planning is to better prepare an organization to respond quickly, efficiently, and effectively to a potentially adverse event and to reduce the impact and overall risk of the event. IR planning is no longer a luxury reserved for mature and well-funded organizations to keep on the shelf. Instead, it is a necessary and useful exercise for most organizations.

Creating a playbook

A core function of IR planning is to create a playbook to guide personnel in the event of a breach. Such a playbook helps to remove doubt, quash indecision, avoid delays in response, and prevent critical decisions from being made under duress. The playbook, also known as an incident response program, comprises policies and procedures outlining exactly what steps should be taken during an incident. This guidance prevents confusion, and it can point personnel to a clear strategy to follow, thereby avoiding errors caused by misinterpretation or misunderstanding.

The program should also detail explicit responsibilities for all parties involved and include a communication plan for internal employees, customers, law enforcement, and regulators, as applicable. For more information on building an IR program, refer to the SANS Institute, the FFIEC, the NIST, and the ISO/IEC.

Practice makes perfect

No IR program is complete without testing. Security teams should perform thorough tabletop exercises regularly to simulate realistic threats and to step through every component of the program to verify that it is accurate, specific, and effective. The best way to know an organization is prepared to handle a threat is to emulate the threat as closely as possible beforehand. The more realistic and serious the exercise, the better prepared an organization can be.

Beyond a planned walk-through, though, organizations can take additional steps to test their preparedness. Consider assessments such as social engineering testing and red team adversary simulations. Will the program hold up when a user is actively being phished or when a penetration tester has compromised a workstation and is attempting to move laterally throughout an environment to access more data? Continually finding new ways to poke at an environment using adversarial tactics before the real threat shows up can shore up defenses, test responses more accurately, and provide personnel with some on-the-job training and experience.

Phoning a friend

A common hurdle facing organizations that want to implement an IR program is that most do not have the expertise in house to effectively perform the technically precise procedures required of a computer security incident response team. These tasks include level one response, triage, identification, eradication, and root cause analysis. The reality is that without proper training, an in-house IT team can miss some steps or even provide false assurance that a persistent threat is gone.

According to a 2015 survey performed by SANS, “37% of respondents said that their teams are unable to distinguish malicious events from nonevents” and “66% cited a skills shortage as an impediment to effective IR.” The solution is to consider outsourcing those niche tasks to trained and experienced professionals. Having a trusted party already under contract to execute these procedures can alleviate some of the risk and provide more assurance that a threat can be dealt with properly.

Beyond the basics

IR planning should go beyond the establishment of an IR program. Preparing for a breach can begin with understanding an organization’s security posture as a whole and determining which areas need to be enhanced. Consider a ransomware attack: Planning for such a traumatic incident starts with evaluating patch management, includes taking the time to understand where critical data lies in the environment, and ends with testing offline or air-gapped backups.

Given that patch management, data governance, and backup restore testing as well as controls such as network segmentation are not typically part of an IR program, they are still crucial factors in preventing an incident and in understanding how one might unfold. Performing assessments to evaluate cybersecurity posture and related areas within a network can be the first step in realizing the risk associated with compromise in an environment.

Managing risk

A fundamental reality of IR planning is that although it aims to reduce risk, it cannot remediate all the risk of an adverse event within an organization, nor should it be expected to do so. The most crucial step for an organization to take is to dedicate time and resources to start that planning and to shift its mentality from “if” an adverse event might occur to “when.”

Any organization that suspects it has been compromised should follow an incident response plan. In addition, in terms of its recent alert, CISA is asking that attacks and breach activity be reported using this email: NCCICCUSTOMERSERVICE@hq.dhs.gov.

Please contact Troy La Huis, digital security services leader at Crowe, at +1 616 233 5571 or troy.lahuis@crowe.com if you have any questions about how your organization can best respond to the CISA statement.