Learn about the importance of incident response strategies for businesses facing cyber attacks. Discover the four components of an incident response plan and the steps involved in creating one. Get insights on incident response frameworks, creating an incident response team, and tools for incident response. Choose LiveAgent as your incident management platform.
The video discusses the importance of incident response strategy for organizations in the face of cyber attacks. It highlights the four essential components of an incident response plan, which are what, who, when and how. It also outlines the four steps involved in creating an incident response plan, which are establishing policy, building an incident response team, creating playbooks and creating a communication plan. The video emphasizes the importance of regularly testing the incident response plan through simulations and recommends annual comprehensive reassessments and revisions. The six phases of incident response are discussed, which include the preparation phase, detection and identification stage, containment phase, eradication phase, recovery phase and lessons learned phase. The technical team and the external players involved in incident response are also explained. The video concludes by stressing the importance of having a well-thought-out incident response plan and top-notch incident response team in place to minimize damage and avoid high costs in the event of a cyber attack.
[Music]
Ben Franklin once said that nothing is certain but death and taxes. If he were around today, though, he'd probably add something else to that list: cyber attacks, because a security incident is all but inevitable for nearly every organization.

A cyber attack puts the finances, operations and reputation of an organization at risk. A major breach can even drive a company out of business. To fight back, every organization needs a cohesive incident response strategy backed up by a well-trained team to implement it. Here we'll get into incident response basics and strategies, but to dig deeper, explore our complete collection on all things incident response by clicking the link above or in the description below.
[Music]
First of all, what is incident response? IR is an organization's planned approach to detecting and managing cyber attacks. The goal of IR is to minimize risk and to limit the damage, recovery time and cost of any security incident.

A few other terms you should know before developing an IR strategy: vulnerability, threat, incident and data breach.

A vulnerability is a weakness in the IT or business environment. A threat refers to whomever exploits that vulnerability; that could be a cyber criminal, or it might be a company insider. An incident is a cyber attack that successfully accesses enterprise resources or somehow puts them at risk. And a data breach is a type of incident where an attacker compromises sensitive data, like personally identifiable information or intellectual property.

Finding and fixing vulnerabilities will reduce the odds of a successful attack on your systems or data. But when an attack succeeds, that's where incident response strategy comes into play.
[Music]
Your IR strategy begins with an incident response plan. That plan is your organization's go-to set of documentation that details four essential things: what, who, when and how. Let's break those four down.

"What" refers to what threats, exploits and situations qualify as actionable security incidents and what the organization will do in response. "Who" specifies who is responsible for tasks if a security incident occurs. "When" means when exactly, and under what circumstances, your incident response team members perform specified tasks. And finally, "how" describes how team members should complete those specified tasks.

An incident response plan, in other words, is a detailed, authoritative map to guide your incident response team through the steps they need to take, from initial detection of a security incident to assessment and triage and finally to containment and resolution. It's essential that your organization drafts, vets and tests its incident response plan before a crisis strikes.

Here are four steps to get you started.

Step one: establish policy. By policy, I mean the evergreen document that gives the overall high-level priorities for when a security incident occurs. A good policy empowers incident responders and guides them in making sound decisions when things go wrong.

Step two: build your incident response team. An IR plan is only as strong as the people carrying it out, so put in writing who handles which tasks, then get those people trained.

Step three: create playbooks. Playbooks are the lifeblood of incident response. An IR policy offers the high-level view, but the playbooks get into the weeds by standardizing, step by step, the actions the IR team takes in specific scenarios. Having playbooks to reference means greater consistency, efficiency and effectiveness in real-life incident response situations.

Step four: create a communication plan. Good communication is essential, so work out in advance how all executives, communication specialists, legal counsel and HR will communicate with one another and with the rest of the organization.

These four steps are just the beginning. Your IR plan should also include a plan overview; a list of roles and responsibilities; a list of incidents requiring action; the current state of network infrastructure and security controls; detection, investigation and containment procedures; eradication procedures; recovery procedures; a breach notification process; a list of post-incident follow-up tasks; a contact list; an IR plan testing process; and, last but not least, a process for revising all the above as needed.
[Music]
Don't wait until there's a security incident unfolding to find out if there are holes in your IR plan. Test that plan. Hold regular simulations that feature various attack scenarios, such as ransomware, malicious insiders and brute-force attacks.

You can hold an IR tabletop exercise to vet the IR plan and talk through the specifics of an attack and how the team will respond. You could even try an operational tabletop exercise, which includes hands-on tasks with enactments of relevant processes. After any simulation, the IR team should study what happened and take the time to outline any needed additional controls by brainstorming ways to improve processes, then update the IR plan accordingly.

Creating an IR plan is not a set-it-and-forget-it proposition. It must evolve because the threat landscape is continually changing; so is your IT infrastructure and business environment. Experts recommend formal, comprehensive reassessments and revisions annually at the very least.
[Music]
An IR plan takes a lot of effort, but there are established frameworks that can give high-level guidance and direction. They are available from NIST, the SANS Institute, ISO and ISACA. Each of these organizations' frameworks differ slightly in approach, but all describe six phases of incident response: the preparation phase, when you build your IR team and create policies, processes and playbooks; the detection and identification stage, when you employ IT monitoring to detect, evaluate, validate and triage security incidents; the containment phase, when you take steps to stop an incident from worsening and regain control of your IT resources; the eradication phase, which focuses on eliminating threat activity, including malware and malicious user accounts; the recovery phase, where you'll focus on restoring normal operations and mitigating vulnerabilities; and finally the lessons learned phase, when you review the incident to establish what happened, when it happened and how it happened.

This is when you flag security controls, policies and procedures that function sub-optimally and identify how to improve them. This phase concludes when you've updated your organization's IR plan accordingly.
[Music]
The technical team is the core of the IR team, including IT and security personnel with technical expertise across company systems. It might include an incident response manager and IR coordinator, security analysts, threat researchers and forensics analysts, among others.

The IRT might also have an executive sponsor, that is, a senior executive or board member. There should also be communication specialists on your IR team, like PR representatives and others who manage internal and external communications.

An IR team might also draw from different departments, such as legal, HR, business continuity and disaster recovery, as well as the physical security and facilities departments.

And finally, you might consider adding some external players, like cyber security or IR consultants, external legal representation, MSPs and managed security service providers, cloud service providers or even vendors.
[Music]
A good IR team needs good tools to work with, and there are many out there, including anti-malware tools, backup and recovery tools, cloud access security brokers, data classification tools, data loss prevention technology, endpoint detection and response tools, firewalls, intrusion prevention and detection systems, security information and event management and, finally, security orchestration, automation and response tools. Most organizations require a mix of tools and technologies to build an effective defense. It's likely your organization already has tools deployed. Managing them, plus adding new ones the IR team decides are needed, can be too much for an in-house security team to handle. But automation can help by monitoring alerts and by investigating and responding to possible threats. This can conserve staff energy so it can focus on more high-value activities.

For organizations facing serious threats, or those that have multiple locations, outsourcing may be the key to cyber security. IR service providers can take over many aspects of IR work, from managing regulatory compliance to carrying out threat hunting and penetration testing to managing a security crisis situation.
[Music]
Incident response is a cornerstone of any enterprise cyber security program. Being able to quickly respond to the unavoidable security incidents will minimize damage, improve recovery time, restore business operations and avoid high costs. It might just save the company.

So, to quote Ben Franklin one last time: "Look before, or you'll find yourself behind." In other words, foresight and preventative action is key. Having a well-thought-out IR plan and top-notch IR team in place will soften the blow for the day when that cyber attack happens.
Incident management is not just an IT issue but a broader business problem. Cyber attacks can result in financial loss, reputation damage, and loss of customers. Therefore, organizations need to take incident management seriously and have the right tools to support it.
One such tool that can be used as an incident management platform is LiveAgent. It provides a single platform for managing incidents across different channels, such as email, chat, and social media. It also offers automation, ticket tracking, and reporting features that enable swift resolution of incidents.
Moreover, LiveAgent provides adequate security measures that protect sensitive information during an incident. It also allows organizations to set up customizable workflows which enable the incident management team to escalate and communicate with other departments efficiently.
In conclusion, incident management is a crucial aspect of every organization’s security plan. It’s important to have the right incident management tool that supports swift and effective resolution of incidents. LiveAgent is an all-in-one platform that may suit your incident management requirements and is therefore worth considering.
Incident response (IR) is an organization's planned approach to detecting and managing cyber attacks. The goal of IR is to minimize risk and limit the damage, recovery time, and cost of any security incident. Before developing an IR strategy, it's essential to know a few other terms like vulnerability, threat, incident, and data breach.
Your IR strategy begins with an incident response plan. That plan is your organization's go-to set of documentation that details what, who, when, and how. The IR plan is a detailed authoritative map to guide your Incident Response Team through the steps they need to take from initial detection of a security incident to assessment and triage and finally to containment and resolution. It's essential that your organization drafts, tests, and updates its incident response plan before a crisis strikes.
An incident response plan and team have a significant impact on customer support. When an organization experiences a security incident, it can impact not only the company but also the customers. A well-executed IR plan can minimize the impact on customer support by quickly responding to the breach and reducing downtime. Being transparent and keeping customers informed can also help maintain open communication and trust.
There are established frameworks that can give high-level guidance and direction, such as those from NIST, the SANS Institute, ISO, and ISACA. Each of these organizations' frameworks differs slightly in approach but all describe six phases of incident response: preparation, detection and identification, containment, eradication, recovery, and lessons learned. By following these frameworks, organizations can ensure a cohesive and well-coordinated IR plan.
The technical team is the core of the IR team, including IT and security personnel with technical expertise across company systems. The IR team might also include an incident response manager and coordinator, security analysts, threat researchers, and forensics analysts, among others. Communication specialists like PR representatives and others who manage internal and external communications are essential additions to the team. Finally, external players like cybersecurity or IR consultants, external legal representation, MSPs, and managed security service providers, cloud service providers or vendors could be also considered.
To build an effective defense, it's essential to consider using a mix of anti-malware tools, backup and recovery tools, cloud access security brokers, data classification tools, data loss prevention technology, endpoint detection and response tools, firewalls, intrusion prevention and detection systems, security information and event management, and finally, security orchestration, automation, and response tools. Automation can help to monitor alerts, investigate, and respond to possible threats, minimizing downtime and saving time for high-value activities.