Information Security

Incident Response: What do you Need to Know?

What is an incident response plan? How can one work within your organisation? What should it cover and include? And how can we help?

What Defines an Incident? 

An incident is an event that could lead to a loss of, or disruption to, an organisation's operations, services or functions.

What is an Incident Response Plan?

An incident response plan is your organisation's documented process for responding to an incident or data breach. The plan should cover roles and responsibilities, detailing exactly who should carry out which actions, the steps that need to be taken once a breach has been identified, and who needs to be informed and when. An effective incident response plan will leave no questions unanswered and will ensure that an incident is handled correctly.

The purpose of your incident response plan should be to ensure that the correct steps are taken if an incident does occur. The plan also provides an opportunity for your organisation to identify, analyse and correct potential risks, to prevent future occurrences and to minimise the fallout of an incident.

Key stakeholders within your organisation should be aware of the response plan, how to access it and what each step requires of them. The incident response plan should be the best-case scenario following the worst case.

One of the common challenges we see in the organisations we work with is making staff aware of an incident and of the steps that should be followed, as well as notifying staff after an incident.

One customer used our tabletop exercise to find the best solution to this. Going into the exercise they believed that posters would be the best way to notify staff of an incident; working through the exercise, they quickly realised that staff become blind to notices on boards or in hallways, and they discovered a more effective way to carry this out.

What Should your Incident Response Plan look like?

Your incident response plan should be a simple checklist that describes exactly what each stage should look like, and the access required at each stage, to ensure that your response mitigates the risks following an incident.

Your plan should also include roles, responsibilities and success factors. An incident response plan should be lightweight and easy to follow; however, this should not take away from the formal processes outlined within it.

A KISS (Keep It Simple, Stupid) approach is best when dealing with high-pressure situations such as an incident response.

Your plan should set out the overarching process; you should also consider playbooks describing the types of potential incidents and how each will be handled, for example DDoS, active intrusion, virus or malware. Defining each incident type by policy will enable you to establish the procedures that best describe its response.

Documented procedures provide more depth of knowledge and give senior management assurance that the most important areas are covered across the organisation, as well as demonstrating due diligence to regulators.

Checklist of inclusions for your incident response plan:

  • An introduction and scope
  • What is an information security breach?
  • Reporting of a breach
  • Investigating and responding to a breach
  • Containment and recovery
  • Escalation and notification
  • Review: in this stage you should also make recommendations to review and amend the incident response policy if necessary.

Important to Remember

Training and awareness for staff is integral to the success of your organisation: you are only as strong as the weakest member of your team, so it is important to ensure that your team are aware of the risks, how to mitigate them and the best next steps.

Your training and awareness programme should be ongoing, provided in accessible language and tailored to job roles where appropriate. Training should cover how to identify a suspected incident, common social engineering techniques and how to identify phishing campaigns.

All staff should have an awareness of incident response, including how to identify an incident and what to do in case of one; however, staff who will be directly involved in executing the incident response plan should have a higher level of awareness and training.

How can CyberCrowd Help?

CyberCrowd's experts-as-a-service provide the perfect solution to your organisation's requirements. Policies and procedures can seem overwhelming, especially when applied in the context of cyber security, but they do not have to be.

We offer three main types of incident response exercises as well as writing incident response plans and playbooks. Testing your policies and working through the kinks before a real-world scenario helps to ensure efficiency and fluidity within your policies and procedures.

The three main exercises can be found below:

1. Tabletop

A paper-driven exercise with injects scripted by one of our experts and delivered through discussion. This type of exercise can be planned and executed quickly, depending on the number of people and organisations involved, and requires limited resources. It is particularly useful for organisations new to exercising and for organisations looking to validate processes and train personnel. Typically we allow 1-2 months of planning and 1-3 days for the execution of the exercise.

2. Hybrid 

A hybrid exercise includes both paper injects and some live scenarios. This type of exercise takes longer to plan and requires more time to execute: typically between 3 and 6 months of planning and 3-5 days for execution. It requires more people for a longer timeframe, as well as planning to ensure the availability of contacts.

This exercise is effective for organisations familiar with exercises and with a strong knowledge of their own objectives.

3. Full Test 

A full test exercise incorporates real scenarios and injects into the exercise; paper injects are only used to stimulate, if necessary. This type of exercise requires detailed coordination and planning, taking between 6 and 12 months to plan, a 2-3 month build-up and 7-14 days to execute. A larger number of organisational participants, IT resources, a travel budget and availability of contacts are required.

This type of exercise matches well with organisations familiar with exercises, red team activities and their own organisational objectives.

If you would like to hear more about how our service offerings can help you, or are looking for some advice on building your incident response plan, please contact us; we are always happy to answer any queries that you may have.