8 Crucial Items to Add to Your Incident Response Plan
Cybersecurity is always evolving, but the last two years have brought exceptionally fast change in attack techniques, and incident response teams need to pivot quickly to counter new tactics. Effective preparation dramatically reduces losses. Make sure your incident response plan is up to date and addresses the latest high-risk scenarios and attacker tactics so you can reduce your risk of a financially crippling data breach. Here is a checklist of critical items to add to your response plan in 2023.
8 Crucial Incident Response Plan Activities that Reduce Risk & Damages
- Plan your zero-day response strategy. Zero-day exploitation is on the rise and is not going away. Instead of scrambling each time a new one lands, document and practice your approach. Make sure your incident response plan lists zero-day vulnerabilities as an incident type and includes a playbook for that scenario. (Think back to how your team handled Log4j, the recent Microsoft Exchange vulnerabilities, or the zero-days in file-transfer products such as GoAnywhere MFT and MOVEit Transfer.) Your response is far more effective when you know your exposure early: use an attack surface monitoring solution to routinely scan your internet-facing and cloud systems, keep the resulting inventory of products and versions current, and make sure findings reach the incident response team quickly, so that when a new vulnerability is announced you can identify affected systems in hours rather than days. (See our Zero Day Exploit Prevention and Response Checklist for detailed tips.)
- Set up out-of-band communications, independent of your production environment, before you have an incident. All too often, attackers read email and chat traffic after they break into a victim environment, and during a ransomware attack your systems may be encrypted and unavailable anyway. Don't expect to use your regular Teams, Slack, or other channels. Have alternate channels ready, hosted outside your normal identity provider and infrastructure so that a compromised admin account cannot read them, and make sure everyone knows when to switch to them. Options range from a simple Signal group to a full cloud-based platform designed for alternate communications; some cyber insurance companies are rolling out platforms for exactly this purpose. Your team may also fall back to personal cell phones, in which case gather numbers in advance and add the list to your incident response plan, and prefer an end-to-end encrypted messaging app over plain SMS for anything sensitive. Watch our out-of-band communications video for more details.
- Set up alternative storage and documentation repositories BEFORE an attack. Store your incident response and crisis communications plans, along with other key documents, in an offline or independently hosted location you can still reach if your network is inaccessible or compromised. Include all technical documentation, such as network maps, that would let responders rebuild the network if needed. It is crucial that your incident response team can reach the response plan and knows the dependencies and required order for system restoration. Having this information and any recovery tools readily available speeds up your response, which can dramatically reduce your losses. What documentation specifically should you keep in this storage?
- Incident response plan
- Crisis communications plans with templates for communications/response
- Any specific procedures for evidence collection, restoration of data/systems, etc.
- Contact information for the response and leadership teams. Include after-hours contact numbers, as well as key vendors such as cyber insurance notification hotlines, incident response teams, etc.
- Any necessary technology to support response efforts.
- Reference materials such as network documentation and an asset inventory
- Current list of obligations (required compliance, customer, partner, vendor notification requirements, etc.)
- Incident tracking documentation and note templates, since your normal ticketing and tracking systems may be down or compromised.
- Remember, all of these should be in place BEFORE an attack. If this seems overwhelming, incident response plan development services can pair you with an experienced team to develop or revise your plan and even create playbooks for specific incident types.
- Integrate suppliers into your incident response planning. All too often, incidents begin with a compromised supplier. Make sure you know how to report suspicious activity to your providers, and give each supplier clear, accurate contact information and timing requirements for reporting incidents to your team. (Ideally these are written into your contracts by default, so take the time to coordinate between legal and incident response.) Include high-priority suppliers in tabletop exercises, and proactively reach out to them when major vulnerabilities are announced to learn whether they, or any of their own suppliers, are affected; this helps you assess your exposure. Please read our blog on supply chain security best practices for detailed trends and remediation advice.
- Align with your cyber insurance policy. Many cyber insurance policies provide a treasure trove of resources for a cyber incident, but few incident response teams know about them. Review your policy carefully and build it into your plan. For example, your coverage may include a 24/7 hotline that reaches an experienced cyber attorney, or the services of a dedicated ransom negotiator. On the flip side, your policy may impose requirements you must meet for a claim to be covered, such as notifying the insurer within a set time or using pre-approved (panel) forensics and legal firms. Re-review the policy at each renewal so your plan reflects the current resources and obligations.
- Include mobile devices in your response plan. Whether it's a contractor's personal phone or an employee's corporate-owned laptop, cybersecurity incidents may involve a mobile device. Make sure your incident response plan accounts for the different ownership and management models in your organization (corporate-owned, BYOD, contractor devices) so responders know whether they have access to logs, how to acquire a device for analysis, and what they are allowed to do with it. Use a capable MDM solution so you can analyze, wipe, restrict, or revoke access when a mobile device is compromised. Read our blog on mobile security best practices for more detail and advice.
- Conduct threat hunting in both on-premises and cloud systems. The first payloads an attacker drops are often not classic malware; they are tooling meant to gather information and expand access, and they may arrive in seemingly innocuous files such as PDFs that your antivirus does not flag. After any incident, hunt across on-premises and cloud systems to find and remove attacker persistence (on the cloud side, for example, rogue OAuth application grants, mailbox forwarding rules, or newly added credentials on service accounts), to establish the full extent of the compromise (which can be decisive for notification obligations), and to prevent a second-stage malware detonation.
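One concrete piece of such a hunt, as an added example that is not part of the original post: a first-pass triage of PDFs on a file share or in a mailbox export for the active-content keywords that typically carry an initial payload, including keywords hidden with PDF hex-escaped names. The `triage_pdf_bytes` and `hunt_directory` helpers, the two sample documents, and the `attacker.example` host are constructed for illustration.

```python
# Added example (not from the original post): a first-pass PDF triage sweep
# for a post-incident threat hunt. The helper names, sample documents and
# the 'attacker.example' host are constructed for illustration.
import re
from pathlib import Path

# PDF name objects that carry active or embedded content, with a weight.
# None is proof of malice on its own, but several together in a "harmless"
# invoice or resume is exactly the payload-drop pattern a hunt looks for.
SUSPICIOUS_NAMES = {
    "/JavaScript": 2,    # embedded script
    "/JS": 2,            # script stream
    "/OpenAction": 2,    # runs automatically when the file is opened
    "/AA": 2,            # event-triggered ("additional") actions
    "/Launch": 2,        # launches an external program
    "/EmbeddedFile": 1,  # attachment, a common dropper carrier
    "/URI": 1,           # outbound link, a second-stage fetch
    "/SubmitForm": 1,    # posts form data, can beacon
    "/RichMedia": 1,     # embedded media player content
    "/XFA": 1,           # XML forms, historically exploited
}
OBFUSCATION_PENALTY = 3  # hex-escaped names exist only to dodge scanners

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name ends at whitespace or a PDF delimiter, so /JS does not match /JSX.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /Java#53cript -> /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _count_names(data: bytes) -> dict:
    hits = {}
    for name in SUSPICIOUS_NAMES:
        n = len(re.findall(re.escape(name.encode()) + _NAME_END, data))
        if n:
            hits[name] = n
    return hits


def triage_pdf_bytes(data: bytes) -> dict:
    """Score one file's raw bytes; returns hits, score, verdict and flags."""
    raw_hits = _count_names(data)
    hits = _count_names(normalize_names(data))
    # More hits after un-escaping means someone hid a keyword on purpose.
    obfuscated = sum(hits.values()) > sum(raw_hits.values())
    score = sum(SUSPICIOUS_NAMES[n] * c for n, c in hits.items())
    if obfuscated:
        score += OBFUSCATION_PENALTY
    return {
        "is_pdf": data.startswith(b"%PDF-"),
        "hits": hits,
        "obfuscated": obfuscated,
        "score": score,
        "verdict": "review" if score >= 3 else "low",
    }


def hunt_directory(root: Path) -> list:
    """Walk a share or mailbox export and return files worth analyst time."""
    findings = []
    for path in sorted(root.rglob("*.pdf")):
        result = triage_pdf_bytes(path.read_bytes())
        # A ".pdf" that is not a PDF at all is also worth a look.
        if result["verdict"] == "review" or not result["is_pdf"]:
            findings.append({"path": str(path), **result})
    return findings


# Constructed samples: a minimal clean PDF and one with an auto-run
# JavaScript action whose /JavaScript name is hex-escaped as /Java#53cript.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

SUSPECT_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /Java#53cript /JS (var u = 'http://attacker.example/stage2';) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF)):
        print(label, triage_pdf_bytes(doc))
```

A byte scan like this is a filter, not a verdict: names inside compressed object streams (PDF 1.5 `/ObjStm` with `/FlateDecode`) are invisible to it, so inflate streams with a dedicated PDF parser (for example Didier Stevens' pdf-parser) before clearing a file, and detonate anything scored `review` in a sandbox rather than opening it on an analyst workstation.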
- Conduct proactive training. Update your incident response plan regularly and rehearse it in advance with tabletop exercises. When you pick a tabletop scenario, choose a high-risk one, such as a zero-day vulnerability. This gives your team the opportunity to test your plan, processes, and communications and find gaps before you face a real attack. Also have your cyber first responders take ransomware or incident response training classes; first responders who can quickly recognize and contain an incident dramatically reduce the financial damage and the amount of data compromised.
We hope you found this information on crucial items to add to your incident response plan helpful! Please contact us with any questions or if your organization could benefit from cybersecurity advice or services.