Incident Response (IR) Planning for SMEs

Given sufficient time, resources, and motivation, a cyber threat group can breach any organization. While prevention is important, companies should treat data breaches as inevitable and ensure that they are prepared to handle them and minimize their impact.

According to the 2021 Cost of a Data Breach Report developed by Ponemon and IBM, the average cost of a data breach is $4.24 million. However, having an incident response (IR) plan in place is one of the best ways to drive down the cost.

Organizations with an IR team and a developed and tested IR strategy have an average data breach cost of $3.25 million. Failing to do so increases data breach costs by an average of 54.9% to $5.71 million. Given how much a data breach costs, it’s important for organizations to have an incident response plan in place and tested to minimize cost, damage, and impact.

What is “incident response”?

Incident response is the process of detecting, investigating, and remediating a security incident. Having an incident response plan and team in place is important because a rapid response to an incident reduces the overall cost and impact of the event.

A company may structure its incident response teams in various ways, including:

• Centralized within the organization (often in IT)
• Distributed across multiple departments (with specific responsibilities)
• Hybrid with a central team supported by distributed teams

An organization may have an in-house security team, outsource these capabilities to a third-party provider, or pursue a hybrid model. Often, this decision is based on an organization’s resources and ability to retain the necessary expertise for incident response in-house. Whatever option an organization chooses for their IR purposes, what’s most important is that they have a plan for dealing with security incidents. Here’s a helpful framework based on NIST guidelines.

Step #1 – Preparation

An organization’s incident response plan should start before an incident occurs. Preparation is essential to ensuring that an organization can rapidly detect and respond to an attack. Some key steps that an organization should take to prepare for future security incidents include:

• Implement Monitoring: You can’t protect what you can’t see and don’t know exists. Deploy monitoring solutions and perform an asset inventory so that you can see what is going on within your entire network.
• Identify Critical Assets: Some networks, servers, and endpoints are critical to your organization’s operations and have a significant impact if compromised. Know what these assets are and what impact an attack on them could have on your business.
• Make a Plan: You shouldn’t be trying to figure out how to secure your systems and restore normal operations while you’re experiencing a data breach or security incident. Make a plan that details the actions you and other departments and stakeholders need to take to address different types of attacks (ransomware, data breach, Denial of Service, etc.).
• Identify Disclosure Requirements: You may need to disclose a data breach or other incident within a certain period due to regulatory requirements, contractual obligations, or other factors. Identify your potential reporting requirements in advance to ensure that you meet any required deadlines if an incident does occur.

Step #2 – Detection and analysis

Before you can respond to an incident, you need to know that it is happening. This is why implementing detection and monitoring solutions is such a critical part of the preparation process. The faster that you identify that an incident is occurring, the lower the cost to the organization. Catching an attack early can help mitigate the cost and impact of major attacks. 

Some major contributors to the cost of a cybersecurity incident include:

• Data breaches
• Risk to data due to ransomware
• Investigation and forensic analysis
• Threat actors establishing backdoors to enable future attacks
• Lost productivity during incident remediation
• Brand reputation damage and customer churn
• Potential legal issues

In addition to detection, forensic analysis is a critical component of the incident response process because it provides important data about the incident that can prevent future incidents. Via forensic analysis, you can:

• Find the attacker
• Determine the full scope and impact of the incident
• Identify the initial attack vector and vulnerabilities exploited by the attack
• Learn how to prevent similar attacks from occurring in the future

Types of detection and analysis

Detecting security incidents requires visibility across an organization’s infrastructure and the ability to collect and analyze security data. Many detection tools can also support forensic analysis, to learn more about the actions taken by an attacker. Solutions that an organization should have in place to help with detecting a potential compromise or other anomalous events while also providing key forensic analysis capabilities include:

• Endpoint Detection and Response (EDR): An EDR solution monitors endpoints for threats and automatically remediates them based on predefined rules.
• User Behavior Monitoring: Cybercriminals commonly use compromised accounts in their attacks. User behavior monitoring can help identify suspicious actions that might indicate an ongoing attack.
• Traffic Anomaly Detection: Some attacks result in unusual network traffic flows, such as massive downloads of data from a database. Traffic anomaly detection can catch those attacks.
• Security Information and Events Management (SIEM): A SIEM collects data from multiple security systems and analyzes it to find indications of an attack.

Putting these solutions in place before an incident occurs is a proactive move that can help you to more quickly and effectively respond to an incident, driving down the cost and impact to the organization.

Step #3 – Containment, eradication, and recovery

The details of containment, eradication, and recovery can vary differently from one attack to another. For example, restoring data encrypted by an attacker requires different actions than addressing a data breach (even if it’s by the same attacker).

However, some steps remain the same across different types of attacks. For example, incident response should begin with containing and isolating the infected host, and removing the attacker’s access by deleting malware, cleaning an infected device, or removing access to and from a user’s account.

Containment and eradication

Containment is an important step in the incident response process. Containment limits the damage that an attacker can do by restricting their access to an organization’s systems.

However, containment must be done carefully to avoid tipping off the attacker. If an attacker detects containment efforts, they may attempt to install a backdoor or move laterally to avoid containment, making the incident more difficult to remediate.

Depending on the types of tools and resources you have access to, you can remove the attacker’s access to your systems and ensure that any malware they’ve installed is completely removed from all devices and systems. This will typically involve removing network access by:

• Enabling firewall policies
• Setting up host containment via the EDR
• Unplugging the machine from the network
• Disconnecting removable media
• Disabling other wireless communications protocols (Bluetooth, NFC, etc.)

Recovery and business continuity

After the threat has been contained, you can turn your focus to eradicating it and restoring affected systems to normal operations. The actions taken at this stage depend on the incident and might include:

• Decryption in the case of a ransomware attack
• Eliminating malware from infected devices
• Restoring lost or modified data from backups
• Rebuilding machines if backups are unavailable/damaged/outdated
• Changing passwords for compromised user accounts
• Removing backdoors and persistence mechanisms

Step #4 – Post Incident Activity

Incident response doesn’t end with removing the attacker and restoring systems. After the threat has been handled, incident response teams should take action to help prevent incidents and improve incident response in the future.

Over half of companies suffer repeat attacks from the same attackers. If you’ve performed a forensic investigation and know what caused the issue, this is the time to close that security gap. Common post-incident remediation actions include:

• Updating software to patch a vulnerability that the attacker exploited for access
• Launching or re-working your security training in case of a phishing attack
• Implementing additional controls, such as multi-factor authentication (MFA), to address the identified security gaps

This is a crucial step – attackers are always looking for low-hanging fruit and easy targets. If they can regain access to your organization with the same techniques they used before, they definitely will.

Communication

A security incident can affect stakeholders across and outside of the organization. Depending on the severity of the incident, multiple parties may need to be notified, including descriptions of:

• What happened
• How the company responded
• Who was impacted
• What the company is doing

Preparing and sending these reports will likely require collaboration across multiple departments in the organization, including legal, IT, public relations and communications, finance, executives, and more.

These disclosures are especially important if required under law or regulations. Any such reporting requirements should be identified during the preparation stage.

Assessing the response

There is always room for improvement in an incident response plan. After the response is complete, the team should perform a retrospective to identify:

• How well did it work
• Where could it have improved
• What could assist or improve certain processes

This is an iterative process that should be considered after every incident to further improve your incident response. This will enable faster, smoother responses that limit the cost and impact of a breach on the organization in the future.

Every company needs an incident response plan

SMEs need to know what to do in case of a compromise. This will help speed up reactions and responses and ultimately minimize damage.

For many of these steps, a company may want to enlist the services of vendors or key cybersecurity partners like a modern MSSP, who can help with investigation, remediation, and recovery. Talk to SolCyber to find out how we can help!