Breach Defense Playbook: Incident Response Readiness (Part 1)Will your incident response plan work when a real-world situation occurs?
Cyberattacks can strike at any time, without warning, and when they do, time is of the essence. Organizations need to be prepared to respond quickly when their defenses are breached. During an attack, it is critical to have a plan in place so that your security team can spring into action, contain the situation, and minimize the damage. In order to create an effective plan, organizations should first perform an incident response readiness assessment, or IRRA.
The goal of an IRRA is to dig deep into your attack response policies, plans, and procedures so that you can ensure a sound IR capability. This will help avoid costly remediation in the event of a breach by proactively strengthening your defense posture in advance; minimizing the risk of business disruption and damage to your brand; reducing costs through streamlined preparations for IR events; and ensuring compliance with governmental and non-governmental regulations.
Your assessment should have three primary goals:
- Assess your organization’s capabilities to detect, respond to, and contain external and internal attacks.
- Identify potential gaps in your company’s security controls.
- Provide guidance on improving your organization’s ability to identify and stop attackers more efficiently and effectively.
To accomplish these three goals, you should scope your assessment to review your existing event monitoring, threat intelligence, and IR capabilities, focusing on documentation, network security, your incident response team, internal response capabilities, and external response capabilities. From a high level, you should begin by assessing your current capabilities, then identify gaps, and lastly put together a plan for remediation of these gaps.
Generally, it will require anywhere from three to four weeks to fully assess your IR capability and develop a set of comprehensive recommendations. Your assessment process should be divided into two primary workstreams: data gathering and analysis, and then further analysis and report writing. Analysis bridges both data gathering and report writing because you will continuously be analyzing the data from the first moment you begin the assessment until the report is finalized.
Detect And Respond
At its core, the purpose of incident response is to detect and respond to any cybersecurity event. The goal of your assessment is to identify potential gaps in your implementation and provide guidance to stakeholders in filling those gaps so that your organization as a whole is better prepared to successfully address cybersecurity incidents. The scope of your assessment should cover monitoring, staffing, non-personnel resources, previous incidents, and documentation that you have implemented to detect and respond to breaches and/or any other cybersecurity incidents.
As with most assessments, you should have an understanding of your organization’s cyber infrastructure that includes network architecture design, systems and software used, and how and what data is stored and manipulated. While many internal assessors believe that they already know the inner workings of their cyber infrastructure, it is always recommended to take a step back and perform the exercise of obtaining this information through a questionnaire or series of interviews with your personnel as well to identify potential weaknesses you may have overlooked.
When preparing for your assessment, you should leverage guideline resources such as the National Institute of Standards and Technology’s Computer Incident Handling Guide and Carnegie Mellon University’s Handbook for Computer Security Incident Response Teams.
Once your preparations are complete, you can begin the full assessment. Stay tuned for my next post, “Breach Defense Playbook: Incident Response Readiness (Part Two)” for more specifics on how to properly assess your documentation process, network security, incident response team, and internal and external response capabilities, as well as how to implement final stages of conducting a practice exercise and providing an assessment report.
Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio