
VSEC Blog: IT Security Channel News brought to you by Infinigate UK


5 Things All The Best Incident Response Plans Include

Topics: Data Breach, Hacking, Cyber Security, Cyber Attack, Cybercrime, Incident Response

Posted: 26 June 2019


We are often told that security is a game of when, not if: for a long time, data breaches and cyber attacks have been not a roll of the dice but a ticking clock. Cybercrime is such a lucrative and somewhat untraceable activity that the cross-hairs do not discriminate.

With this in mind, the best advice that security practitioners can give is not to focus solely on defence, but also to prepare for the worst. Plan for a successful attack, a data breach or the exploitation of a vulnerability, and know what to do next.


This is commonly known as incident response planning, something which has become very prominent in the past five or so years, particularly in large organisations that have a SOC (Security Operations Centre) or that comply with one of the many regulations and security standards in existence.

In this blog post we will look at some of the areas which any good incident response plan should include, so that you can ensure you are best prepared for the inevitable.


1. Clear Roles of Responsibility


During a cyber incident, time is critical, and the worst possible scenario is the inefficient bedlam of your IT team running around with no clear direction. When an incident begins, each member of the responding team should know what their role is and what they are expected to do.

Executing your response in the correct order, by the correct person and at the right time will shorten your response time and deliver the outcome which you have planned for.

This might seem simple but often incident response is poorly understood and therefore only executed by the author of the plan and other well-meaning members of the team.


2. Threat Classification


How you deal with an incident is very much dependent on the type of incident being encountered. Your response team will need to know how to prioritise, and which stages to carry out in order to contain and eradicate the threat, based on this classification.

You should risk-assess your IT security posture and classify those attacks which you think are most likely to be encountered or to succeed.



3. Stages of Response


The SANS Institute recommends that all incident response plans detail and follow six key steps for dealing with any incident:

  i. Preparation
  ii. Identification
  iii. Containment
  iv. Eradication
  v. Recovery
  vi. Lessons Learned


4. Escalation and Feedback Times


We all hate working under pressure, let alone adding a clock to the mix.

In any incident, there should be a response team leader who is responsible for keeping track of progress and updating key stakeholders regularly. It is tempting to only update management once the incident is dealt with, but this is a simplistic view of what this incident means to the organisation as a whole.

Depending on the nature of the incident, the board or other senior leaders might be legally culpable, or they might be mandated to inform and communicate with third parties. For this reason, communication is absolutely critical, even when there is no update to give.


5. The Collection of Evidence


Depending on the nature of the incident, it may be that human resources, law enforcement or a government agency are to be involved.

When proving a case against someone, the proper collection and documentation of evidence is of high importance, so that it may be scrutinised in the defence of the accused.

Good incident response plans should include not just how to stop or recover from an incident, but also how to record the evidence, the key stages and the actions taken.
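As an added example of recording the evidence, key stages and actions taken in a form that can later be scrutinised (this is not Infinigate's code or part of the original post): a hash-chained incident log in Python, where each evidence item is recorded by its SHA-256 at collection time and every entry commits to the one before it, so an edited, removed or reordered entry is detectable. The host name, analysts and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
GENESIS = "0" * 64  # prev_hash of the first entry

def _entry_hash(entry):
    # Hash every field except the hash itself; sort_keys keeps it deterministic.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class IncidentRecord:
    def __init__(self):
        self.entries = []  # ordered log of stages, actions taken and evidence collected

    def _append(self, kind, detail, ts):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "kind": kind, "detail": detail,
                 "ts": ts or datetime.now(timezone.utc).isoformat(), "prev_hash": prev}
        entry["entry_hash"] = _entry_hash(entry)
        self.entries.append(entry)
        return entry
    def log_action(self, stage, actor, action, ts=None):
        return self._append("action", {"stage": stage, "actor": actor, "action": action}, ts)
    def add_evidence(self, name, data, collected_by, ts=None):
        # Only the SHA-256 is logged; the artefact is stored separately and checked later.
        digest = hashlib.sha256(data).hexdigest()
        return self._append("evidence", {"name": name, "sha256": digest,
                                         "collected_by": collected_by}, ts)

    def verify(self):
        # Any edited, removed or reordered entry breaks the chain.
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

def evidence_matches(record, name, data):
    """True if the artefact presented now hashes to what was logged at collection."""
    hits = [e for e in record.entries if e["kind"] == "evidence" and e["detail"]["name"] == name]
    return bool(hits) and hashlib.sha256(data).hexdigest() == hits[-1]["detail"]["sha256"]

def demo():
    # Constructed sample incident: host name, actors and timestamps are made up.
    rec = IncidentRecord()
    rec.log_action("Identification", "analyst1", "Triaged alert for host WS-17", "2019-06-26T09:00:00+00:00")
    rec.add_evidence("WS-17-memory.raw", b"constructed sample image bytes", "analyst1", "2019-06-26T09:15:00+00:00")
    rec.log_action("Containment", "analyst2", "Isolated WS-17 from the network", "2019-06-26T09:20:00+00:00")
    return rec
```

Exporting `rec.entries` as JSON at the end of the incident gives a timeline whose integrity anyone can re-check with `verify()`.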


Posted by: Infinigate UK
