How to Create an Incident Response Plan?
Every organization that is a target for cyber threat actors, which today means every organization that has embraced digitalization, should be prepared for a possible attack and have an incident response plan. It would be nice to be 100% protected from cyber attacks, but this is not possible. In fact, every organization either has already been exposed to a cyber attack, has been exposed but is not yet aware of it, or will be exposed in the near future. Organizations that are aware of this and have reached a certain maturity have a defined incident response plan.
To understand the incident response plan, it is important to know what incident response is. Incident response is a set of actions aimed at detecting and eliminating a cybersecurity breach and recovering from the attack. To be successful in incident response, it is necessary to approach the incident in a systematic way.
The purpose of organizations that make incident response plans is to minimize the impact of an attack from the moment they are exposed to it and to respond to the incident as quickly as possible. In other words, when a cyber attack inevitably occurs, the aim is to minimize its negative effects on the organization. It is not the incident response team's job to report or monitor an incident, but it is its job to ensure that relevant alerts are properly reviewed and analyzed. Whether system monitoring is internal, external or hybrid, the incident handling, review and analysis processes should be defined so that the incident response team leader can act accurately and quickly in line with the incident response plan. In an incident response (IR) plan, concise, methodical actions that are well communicated and coordinated are key to reducing the impact.
It is important for the organization to have an incident response plan because it enables the organization to take the situation under control and to make the right decisions and take the right actions while under stress and pressure.
What needs to be done to design the Cyber Incident Response Plan
Preparation phase: This is the first and most important step in a cyber incident response plan. It is more accurate to break this step into sub-steps.
- To establish quality communication within the team, a planned communication channel must be set up: An IR plan needs a process flow outline that covers both its planned communication and the steps required to respond to an incident. The flow escalates from the initial monitoring team through the formal incident reporting process. If an incident is reported, the flow outlines the steps to contain and recover from the threat.
- Checklists and the necessary guidance should be created that can answer the who, what, when, where, why and how questions.
- It should be checked that the team that will respond to the cyber incident has been granted the necessary permissions on the systems beforehand.
- The incident response team should have tested the tools it will use beforehand.
- One person should take charge of an incident: The IR team leader is responsible for incident reporting, in collaboration with the wider cybersecurity team. The plan will outline the process the IR team needs for this. First, the IR team must further verify the incident by reviewing the data collected from the monitoring team and obtaining new information as needed. The leader can then hold a meeting with the identified stakeholders to declare the incident. If a virtual or physical war room and the primary communication methods are not available for this meeting, fallback communication methods are determined.
- A list of key stakeholders should be established for each type of incident so that the IR team can quickly identify who is involved, when they are involved, and what actions need to be taken. Listing real names and current contact details, not just roles, is a best practice that ensures accountability and keeps the IR plan up to date. The IR team is responsible for owning and maintaining the plan document.
Detecting the incident: This is the stage where anomalies are detected by collecting all relevant data from various sources. If it is determined that an incident has actually occurred, the incident response team should report it, gather evidence and prepare for the next steps. Once an incident is declared, it is time for the IR leader and team to act. Scoping should take precedence as the team tries to isolate affected users, systems, applications or other resources. The IR plan should consider the stage and severity of the attack to determine the containment strategy, and define how the containment strategy will be implemented and who has the authority.
Preserving the collected evidence: At this stage, the evidence obtained by various methods should be presented to the relevant authorities without being damaged or destroyed and without losing its authenticity.
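As an added illustration (not part of the original article), the following Python script shows one way to make "without losing its authenticity" checkable: each collected file is hashed with SHA-256 into a manifest that also records who collected it and when, and the manifest is later used to re-verify the files so that any damage or modification is detected. The case id, collector name, file names and log contents are constructed samples, not values from the article.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Seal every file under evidence_dir: hash, size, plus who collected it and when (UTC)."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "relative_path": str(path.relative_to(evidence_dir)),
            "sha256": sha256_file(path),
            "size_bytes": path.stat().st_size,
        })
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }


def verify_manifest(evidence_dir: Path, manifest: dict) -> list[str]:
    """Return a list of problems; an empty list means every file is present and unchanged."""
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["relative_path"]
        if not path.is_file():
            problems.append(f"missing: {entry['relative_path']}")
            continue
        actual = sha256_file(path)
        if actual != entry["sha256"]:
            problems.append(
                f"modified: {entry['relative_path']} "
                f"(expected {entry['sha256'][:12]}..., got {actual[:12]}...)"
            )
    return problems


def demo() -> tuple[int, int]:
    """Constructed scenario: seal two evidence files, verify, tamper with one, verify again.
    Returns (number of problems before tampering, number of problems after tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp)
        # Constructed sample contents; 203.0.113.5 is a documentation-range address.
        (evidence / "auth.log").write_text(
            "constructed sample: Failed password for root from 203.0.113.5\n")
        (evidence / "memory_notes.txt").write_text(
            "constructed sample: volatile data was captured first\n")

        manifest = build_manifest(evidence, collector="analyst-1 (placeholder)",
                                  case_id="CASE-0000 (placeholder)")
        # In practice the manifest itself is stored write-once or signed, separately from the files.
        manifest_json = json.dumps(manifest, indent=2)

        before = verify_manifest(evidence, json.loads(manifest_json))
        # Simulate accidental damage to one item of evidence after collection.
        (evidence / "auth.log").write_text("constructed sample: a line was removed\n")
        after = verify_manifest(evidence, json.loads(manifest_json))
        return len(before), len(after)


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as its own storage, so it should be kept on write-once media or signed; the baseline-then-compare step in `verify_manifest` is the same check a file integrity monitoring system performs on a larger scale.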
Expelling the attackers who have taken over the system: At this stage, all affected systems are cleaned, for example if they are infected with malware; the root cause of the attack is determined and the detected vulnerabilities are closed.
Restoring the system: This may also be called the recovery phase. At this stage, damaged systems are restored carefully and in a controlled manner. It is important to test, monitor and verify the systems to confirm that they have not been re-infected by other means.
Learning lessons from the incident: This is the last step, taken after the incident has been handled. The purpose of this critical phase is to plan and implement any action that could not be taken at the time of the incident and that may be beneficial for future incidents.
- Issuing an incident report and comprehensively updating the documentation: The document should be written in the form of a report that can answer the questions that may arise during the lessons learned meeting.
- A lessons learned meeting should be held: Regular meetings should be held with the incident response team and other stakeholders to discuss the incident and the lessons learned that can be applied immediately.
- A broad IR plan should include a formal post-incident learning process aimed at reducing the likelihood of recurrence. In addition to avoiding experiencing the same incident twice, learning provides oversight of team preparation, allowing you to fine-tune coordination and decision-making for reporting an incident or taking action. Ensure that any changes in the IR process are reflected in the plan document.
Recommendations of CyberArts Cyber Security Team
- Test the cyber incident response plan you have created.
- Organize cyber drills at regular intervals.
- Instead of collecting evidence manually, invest in automatic incident response technology that collects evidence remotely and quickly, 24x7, and allows incident response to be started automatically.
- Discover the assets in your organization.
- Perform asset inventories and data classification.
- Guide SOC analysts on how to prioritize various incidents and gather relevant evidence.
- After a cyber incident, look for answers to these questions:
– Is there a log that is missing or whose activation was skipped?
– Is there a gap in the skills of the security team?
– Does the company's patch policy need to be reviewed?
- Test how accurate your intrusion prevention and file integrity monitoring systems are.
- Take backups periodically.
- Train the incident response team on their responsibilities appropriately and regularly.
- Test new measures taken after the cyber incident occurred.
- Review the following: Plan, Team, and Tools.