Incident Management Focus: Two Approaches to Incident Response Plans
Published: May 25, 2017
Author: Hayden Williams
In my experience with Incident Response (IR), organizations come in two flavors: those that are "reactive" and only open the IR Plan once a cybersecurity incident is under way, and those that are "proactive" and use the IR Plan as a living instrument to manage the IR process before, during and after an incident. The first group tends to be less effective at containing and responding to incidents: they spend the opening hours of an incident working out what to do and whom to contact, which prolongs attacker dwell time, increases damage and raises the cost per incident. That is the expensive, reactive approach.
The proactive approach is embraced by organizations that treat the IR Plan as a living document that is regularly stress-tested and updated. These organizations are generally better at both reducing the likelihood of an incident and handling one when it occurs. Although the word "response" gives the IR Plan a reactive connotation, building proactive activities into the plan significantly increases an organization's ability to prevent incidents and to deal with the ones it cannot prevent.
Here are three examples of proactive activities you should consider:
Stakeholder roles and responsibilities
Identify primary and secondary IR stakeholders from the relevant business units (legal, human resources, physical security, etc.), and delineate their roles and responsibilities.
Result: This helps an organization respond effectively to an incident. It also gives stakeholders time to understand what they need to do before, during and after an incident, rather than learning their role while the incident is in progress.
Workforce education and responder training
Establish processes for educating the workforce (e.g. phishing awareness, monthly bulletins, annual training) and for training IR stakeholders (e.g. annual mock-incident tabletop exercises, technical training for the tactical incident responders).
Result: This helps you prevent incidents, respond to them efficiently when they do occur, and protect your organization's data and reputation.
Post-incident lessons learned
Hold a "lessons learned" meeting immediately following the closure of an incident, while the details are still fresh.
Result: This meeting provides an opportunity to identify what went well, what didn't go well, and what can be improved. The output should be a list of actionable items, each with an owner, that are used to update the IR Plan and improve the IR process before the next incident.
These are just a few examples of proactive IR activities you can undertake to improve your cybersecurity. The question is what kind of organization you aspire to be: one that spends valuable time and money identifying stakeholders and drafting a plan only when it is already experiencing a cybersecurity incident, or one that proactively prepares for incidents with a functional IR Plan that manages the whole IR process?
Remember the line attributed to Sun Tzu in The Art of War: "Every battle is won or lost before it is fought." It's your choice!
Want to learn more about data breach mitigation and response?
Get the 2017 Data Breach Investigations Report (DBIR). It's our foremost publication on security, and one of the industry's most respected sources of information.
Read the Data Breach Digest for the stories behind Verizon's most intriguing cybercrime investigations. Learn about the attackers' tactics, the victims' mistakes and the scramble to limit the damage.
Hayden Williams is a Team Lead and Senior Security Consultant for the Verizon Threat Research Advisory Center (VTRAC) and has over 20 years of IT experience in the federal, public and private sectors, including over 11 years in cybersecurity. He currently leads and conducts cyber forensic investigations, provides incident response assessments and guidance, and works with customers, both large and small, to improve their overall security posture. Prior to working for Verizon, Hayden was a Special Agent with the Department of Defense, where he conducted cyber and espionage-related investigations that spanned the globe.