Best Incident Response Practices for Your Organization

Cyber threats have become as constant as any natural phenomenon and keep growing in sophistication, so organizations are compelled to look for the best strategy to protect their sensitive data and complex networks. Security teams now cover more domains than ever before: cloud services and operations, applications, and wireless and mobile endpoints, all of which are potential entry points for attackers. Data breaches are one of these threats. According to the 2018 Q3 Data Breach QuickView Report, there were 3676 breaches that impacted 3.6 billion records from January to September of that year. [1] This is one of many public reports showing that a data breach is bound to occur at some point, which is why an organization needs a strategic incident response plan (IRP).

An IRP makes it easier for an organization to act when under cyberattack. It is a document describing everything an incident handler should do if the business falls victim to a cyber threat. Each organization's IRP is unique to it, but they all follow the same six-phase process: preparation, identification, containment, eradication, recovery, and lessons learned.

Do Organizations Really Need an IRP?

When your organization’s sensitive data, reputation, revenue, and customer trust are at risk, you must respond to the situation at the earliest opportunity. Any cyberattack, from a minor one to a massive one, should be handled according to a proper guideline as soon as it is noticed, so that nothing is neglected in the process. An IRP defines what counts as an incident; the roles and responsibilities of everyone on the IR team; the tools for managing the issue at hand; the steps to follow to address the incident; the procedures for investigating it and for communicating about it; the alerting required after a breach has occurred; and how the whole incident is reported and documented. In practice, it covers security incidents (or breaches), ongoing cyberattacks, and advanced persistent threats (APTs).

Because a security incident occurs without warning, it is highly recommended to have an IRP and an IR team in place. This team proactively protects the data, credibility, customer trust, and revenue of the organization. A security attack can also affect your business’ stock price. The Ponemon Institute stated in one of its 2017 studies that the average cost of a data breach was estimated at $3.62 million; the research was based on data provided by 419 companies from 11 countries and 2 regional samples. [2] And with mandatory compliance with GDPR’s draconian privacy laws, there is a lot more at stake.

A well-conceived IRP can actually save an organization from all this trouble.

The Impact of an IRP

An excellent IRP lets you examine the complete system/network and then helps you determine the extent of the attack. The data collected then give you:

  • The scope and seriousness of the attack
  • A starting point for an appropriate remediation process
  • An audit trail of the complete process during the incident

To make this concrete, consider an investigator who needs the list of people who executed a particular file in a complex technology environment. In such a scenario, the IRP leads the investigator to identify the file by its SHA256 hash and find the list of people who executed it. The hash is retrieved from the organization's software repository (if one exists). The acquired data help the investigator narrow down the people who may be behind the breach.

The IRP should also help determine the targets of the threat; for example, firewall logs can tell the investigator who accessed a specific IP address or domain. That summarizes the impact of an IRP.

Best Practices to Include in Your Organization’s IRP

Today, merely having an IRP won’t do your organization’s security any good. Instead, it’s high time to integrate best practices into your organization’s IRP. The practices listed below will let your IRP mature and raise the level of your pre- and post-incident procedures.

1. Automation

The best tool for your organization is one that alerts you based on the type of incident and lets you respond to more complex cyberattacks. Today it is entirely possible to automate your repetitive steps, which frees the IR team to focus on complex incidents and bring innovative strategies to the table. With automated tools, analysts no longer have to repeat the same manual process for every incident of the same type. Automate your IRP and half of your repetitive work will be taken care of.

For instance, an IR tool can automatically sort phishing emails out of a large volume of mail by searching for the messages received from the same sender.

2. Leverage Templates and Playbooks

Templates for phishing or APT incidents and agile playbooks can now be customized to automate your multistep processes. The customization should reflect the details of the incidents you actually handle. A playbook guides the IR team through the incident response process and clearly specifies roles, responsibilities, and deadlines.

In a single day, security teams receive tons of queries from users about suspicious-looking mail, and the team has to work through many alarms, both false and true. Each one requires the same investigation on the team’s end: examining the header information, reviewing the sender’s details and determining whether the message is spoofed, detonating any malicious attachments or links, and responding to the user who reported it. To the relief of the team, this whole process can be automated with a playbook. Leveraging templates and playbooks saves analysts’ valuable time for the complex issues at hand.
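The investigation steps of that phishing playbook, written out as an added example (not code from the article or from any vendor's product): header review, a spoofing check on the gateway's SPF/DKIM results, hashing attachments for a sandbox or EDR lookup, and flagging links outside the sender's domain. The message, its addresses and domains are constructed for the example.

```python
import email, hashlib, re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed sample message for the walkthrough; every address and domain is made up.
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-corp.com>
Reply-To: support@mail-example-corp.xyz
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-example-corp.xyz; dkim=none
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Reset your password at http://mail-example-corp.xyz/reset within 24 hours.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"

MZ fake payload bytes
--b1--
"""

def _domain(value) -> str:
    # Lower-cased domain of the first address in a header value ('' if none)
    addr = parseaddr(str(value))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def triage(raw: bytes) -> dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, attachments = [], []
    # Header review: does the visible sender match the reply path?
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Spoofing check: SPF/DKIM results the receiving gateway recorded
    auth = str(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1)}")
    # Attachments: SHA-256 each one so it can be looked up in the sandbox/EDR before detonation
    for part in msg.iter_attachments():
        digest = hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest()
        attachments.append((part.get_filename() or "unnamed", digest))
    # Links: flag URLs whose host lies outside the sender's domain
    body = msg.get_body(preferencelist=("plain",))
    for url in re.findall(r"https?://[^\s<>\"]+", body.get_content() if body else ""):
        host = (urlparse(url).hostname or "").lower()
        if host and not host.endswith(from_dom):
            findings.append(f"link to {host} outside sender domain")
    # The verdict decides the reply sent to the reporting user and whether an analyst is paged
    return {"verdict": "escalate" if findings else "close", "findings": findings, "attachments": attachments}
```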

3. A Centralized IR Approach

A centralized approach gathers information from all the required IR tools and displays it on a single timeline, which simplifies your investigation. Otherwise, investigators have to analyze a targeted system with one tool and look for malicious messages or flagged emails in another, and then, to gauge the scope of the potential attack, log in to the EDR tool to check whether anyone opened any of the suspicious attachments.

A centralized IR approach, combined with automation, makes it easy to collect data from the various IR tools, apply analytics to it, and have other systems (such as firewalls and email servers) carry out the required actions.
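An added example (not code from the article) of the single timeline described here, which also answers the two questions raised earlier: who executed the file with a given SHA256 hash, and which hosts the firewall saw reaching a given address. The gateway, EDR and firewall record formats, the hosts, users and HASH_* values are all constructed for the example.

```python
import csv, io, re
from datetime import datetime, timezone

# Constructed sample records from three hypothetical tools (mail gateway, EDR, firewall);
# formats, hosts, users and the HASH_* placeholders are made up for this example.
GATEWAY_LOG = [
    "2024-05-02T09:01:10Z recipient=alice@example-corp.com attachment_sha256=HASH_A",
    "2024-05-02T09:01:12Z recipient=bob@example-corp.com attachment_sha256=HASH_A",
]
EDR_EVENTS = [  # epoch seconds, the way many EDR APIs report them
    {"ts": 1714640530, "host": "WS-ALICE", "user": "alice", "sha256": "HASH_A"},
    {"ts": 1714640600, "host": "WS-CAROL", "user": "carol", "sha256": "HASH_A"},
    {"ts": 1714640700, "host": "WS-BOB", "user": "bob", "sha256": "HASH_B"},
]
FIREWALL_CSV = ("ts,src_host,dst,action\n"
                "2024-05-02T09:02:40Z,WS-ALICE,203.0.113.10,allow\n"
                "2024-05-02T09:04:05Z,WS-CAROL,203.0.113.10,allow\n")

def _iso(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def build_timeline():
    # Normalise every source to (utc_time, tool, actor, fields) so one sort gives one timeline
    events = []
    for line in GATEWAY_LOG:
        ts, rest = line.split(" ", 1)
        kv = dict(re.findall(r"(\w+)=(\S+)", rest))
        events.append((_iso(ts), "gateway", kv["recipient"].split("@")[0], kv))
    for e in EDR_EVENTS:
        fields = {"host": e["host"], "sha256": e["sha256"]}
        events.append((datetime.fromtimestamp(e["ts"], tz=timezone.utc), "edr", e["user"], fields))
    for row in csv.DictReader(io.StringIO(FIREWALL_CSV)):
        events.append((_iso(row["ts"]), "firewall", row["src_host"], row))
    return sorted(events, key=lambda ev: ev[0])

def who_executed(timeline, sha256):
    # The article's hash question: which users ran the file with this hash (EDR evidence)
    return sorted({actor for _, tool, actor, f in timeline if tool == "edr" and f["sha256"] == sha256})

def hosts_reaching(timeline, dst):
    # Firewall view: which hosts talked to the suspicious address
    return sorted({actor for _, tool, actor, f in timeline if tool == "firewall" and f["dst"] == dst})

def scope(timeline, sha256, dst):
    # Join the two views: users who ran the hash on a host that then reached the address
    host_of = {actor: f["host"] for _, tool, actor, f in timeline if tool == "edr" and f["sha256"] == sha256}
    reached = set(hosts_reaching(timeline, dst))
    return sorted(u for u, h in host_of.items() if h in reached)
```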

Another benefit of the centralized approach is that you learn which tool provides you with high-fidelity data and which one is the most reliable.

4. Test the IRP Regularly

The IR team should review all of its practices, test them against realistic scenarios, and review the performance afterward. This tells you whether your IRP is ready to face real-world threats. Avoid static practices that only exist on paper, as they will lead you to lose the battle in the real world; instead, prepare for anything and everything unexpected. It is important that the IH&R team detects threats as quickly as possible, and regular testing of the IRP helps with exactly that.

5. Minimize the Skills Gap

With too heavy a workload, it is natural to be unable to focus on the issue at hand, and it becomes difficult for the IR team to prioritize critical incidents over basic ones. Adding new members to the IR team, possibly at entry level, to handle routine work such as regular phishing attacks lets senior IH&R members dedicate their time to more critical incidents.

Learn to Build an Effective and Efficient IRP for Your Organization

For an effective and efficient IRP, you must be aware of the complete flow. For your convenience, EC-Council offers a specialized Certified Incident Handler (E|CIH) program dedicated to remediating present-day cyber threats. You will learn everything an IR team should be aware of. In addition, the E|CIH program complies with the CREST and NICE frameworks, paving your way into cybersecurity. This industry-recognized program will help you get ready to combat different cyber threats in real-world scenarios.


[1] https://pages.riskbasedsecurity.com/2018-q3-breach-quickview-report
[2] https://www.ibm.com/downloads/cas/ZYKLN2E3

Editor's Note:
Reviewed by JoAnne Genevieve Green, Adjunct Professor – Cyber Crimes at the University of Pittsburgh and Don Cox, Chief Information Security Officer at MEDNAX