An Insider’s Guide to Incident Response Plan Best Practices
Some of the best advice I’ve seen to apply to incident response came to me in the form of a poster created by Fiachra Murphy, age 9. The message on the poster says, “Don’t panic when the crisis is happaning (sic) or you won’t enjoy it!” I keep it hanging directly in my line of sight in my office, so that I’ll remember it. In fact, I like it so much, my co-authors and I chose it for the quote at the beginning of Chapter 4 of our book, Ransomware and Cyber Extortion: Response and Prevention. But you may be wondering why I mention this when writing this blog on incident response plan best practices.
A cybersecurity incident is, no question, a crisis. However, a panicked, unprepared response leads to a second, more long-lasting crisis that could have repercussions for the business for years to come. The best way to avoid panic and respond effectively to a security incident is through – you guessed it – proper planning and preparation.
Let’s get started.
Incident Response Plan Best Practices
The following incident response plan best practices should be a foundation of any organizations plan:
Inventory Your Assets
Ha! You probably thought I was going to tell you to create and maintain an incident response plan first. We’ll get to that, but first you need to know exactly what you have that you’ve been protecting and may be compromised.
Your inventory should include a list of physical, virtual, AND data assets. Obviously, it’s important to know what physical servers, workstations, laptops, and so on you have. However, if you run virtual servers, it’s incredibly important to know which virtual servers reside on which physical host. In the event of an incident, you need to quickly understand what may be impacted.
Likewise, it’s an incident response plan best practice to understand not only where your data lives, but it’s criticality and sensitivity. What data sets include personally identifiable information (PII)? Does any of your data include electronic protected health information (ePHI)? Trying to remember what data is stored where is a necessity for day-to-day business, and it’s critical to know where confidential or protected information is stored before an incident happens. Otherwise, you could find your whole response and recovery derailed before it can even start.
An inventory can be as simple as a spreadsheet, or a full asset management system like Snipe-IT. Whatever form it takes, one of the foundational incident response plan best practices is to ensure a copy of the plan is stored or available off-network in case you are unable to access your files during the incident. Finally, someone must be assigned and responsible for keeping it up to date. Out-of-date information is as bad, if not worse than, no information.
Create and Maintain Your Incident Response Plan
Here is where the rubber starts to meet the road, because now you prepare your roadmap of response. Well ahead of an incident, you need to have a documented plan that everyone on your team has reviewed.
An incident response plan can be as simple or as complex as you like – and I could write a whole blog series on how to create one. (Makes note to self.) However, regardless of level of detail, every plan should include these basics:
- Who are the members of the team? This is not just Information Technology and Information Security people, but should identify people from finance, legal, public relations, communications, executives, human resources, and so on. Not every incident may require every team member, but they should be identified ahead of time.
- What are the responsibilities of each team member? Each should not only know their own duties but understand how their role fits in with the rest of the team.
- Who are the third-party vendors ready to help with response? See the next section for more detail.
- Who is responsible for different types of communication and how should those happen? For example, who provides status updates to the incident response team, and who passes those on to others who need them? Who is approved to speak to the media? How much are you willing to share internally and externally? What will you say? (This last question should be addressed with assistance from legal counsel and public relations / communications experts whenever possible.)
- How will you respond, and how will the business continue with day-to-day operations while you do? This may be a generic section that is later supplemented by playbooks for different types of incidents, but it’s important to include at least a framework.
- What will be your response? Once you have identified those responsible for speaking to the media, clients or vendors, and internal staff about the incident, it’s a good idea to create templated statements so that those don’t have to be drafted in the heat of the moment.
- How will you follow up, update, and learn from the incident? Your plan should always include a lessons-learned plan for post-incident wrap up.
If all of this seems overwhelming, contact us and we can help you develop a plan that will work for you.
Line Up Third-Party Partners
It’s unlikely that you will have all the expertise that is required to effectively respond to your incident in-house. At a minimum, the members of your incident response team should know whether you have cybersecurity insurance, what it covers, how to open a claim, and who is responsible for doing so. However, you may also want to reach out and create relationships with data breach legal counsel, containment and recovery specialists, forensics firms, and more. Often, your insurance company can help you find partners in these areas.
Don’t forget to document contact information for any vendors that may be crucial during your incident response, whether hardware, software, or otherwise.
Decisions
Part of our incident response plan best practices includes making a few key decisions ahead of time. Your incident response team should consider the following:
- Law Enforcement – Will you report your incident to law enforcement, and if so, who is responsible for doing so? If you do plan to (I encourage it), then document how that will be reported, whether to direct contacts or through the Internet Crime Complaint Center (IC3).
- Extortion – In case your team ever faces ransomware or cyberextortion, it’s a good idea to have the conversation ahead of time as to whether or not you would ever consider communicating with the adversary who attacked you. Keep in mind that reaching out to them does not necessarily mean you are willing to pay a ransom – you may use it for information gathering – but decide if you would ever consider a ransom before you are in the chaos of an incident.
Technical Preparation
Set your team up for success. Ensure that your team members have the skills that they need to respond to an incident. Consider specialized training like our Cyber First Responder class, or for more advanced team members, our Ransomware Response class. At a bare minimum, ensure that team members know how to force enterprise-wide passwords resets in your environment, and reset multi-factor authentication tokens if needed. (Or set it up quickly if it’s not – do that now!)
TEST YOUR BACKUPS regularly!! If you are reading this, and don’t know the last time backups were tested in your organization, take a moment right now and find out. You need to know that your backups are working, reliable, viable, and reachable. In the middle of an incident is not the time to determine that your backups haven’t been working properly for months.
Practice
Finally, practice, practice, practice. You may not be going to Carnegie Hall, but responding to your incident may well be just as big of a milestone in your life. The best way to practice is to get your team together and do a tabletop exercise. We’d love to lead one for you. If you’re looking for scenario ideas, read my blog on that topic here:
In the end, yes, responding to an incident is hard work, but with the appropriate planning you can face it head-on, and confident in your actions and without the panic that comes from poor planning. So, like my friend Fiachra says, you can enjoy your crisis.
We hope these incident response plan best practices were helpful! Please contact us if you need help developing or testing your plans.
About the Author
Karen Sprenger
Karen Sprenger is the COO and chief ransomware negotiator at LMG Security. She has more than 25 years of experience in cybersecurity and information technology, and she is a noted cybersecurity industry expert, speaker, and trainer. Karen is also the co-author of a new book, Ransomware and Cyber Extortion: Response and Prevention. She speaks at many events, including those held by Wall Street Journal Cyber Pro, Fortinet, the Internal Legal Tech Association, and the Volunteer Leadership Council. Karen is a GIAC Certified Forensics Examiner (GCFE) and Certified Information Systems Security Professional (CISSP) and holds her bachelor’s degree in music performance (yes, really). In her spare time, Karen considers “digital forensics” a perfectly acceptable answer to the question, “But what do you do for fun?” A lifelong Montanan, she lives in Missoula with oodles of poodles.
