IR Plan Best Practices for 2022
The last few years have thrown everything (and several kitchen sinks) at IT and security teams. Massive cloud adoption, increasingly advanced attacks, a shift to work from home, and other contributing factors mean that your incident response (IR) plan from just a few years ago won't cut it in 2022. No organization wants to be reactionary when a security incident occurs. A proactive approach with a solid IR plan helps you respond rapidly and effectively, with the ability to help your organization resume normal operations as quickly as possible.
Many enterprises already have an IR plan, but no matter how thorough it is, the evolving cyber threat landscape – not to mention other shifting circumstances in your organization – necessitates periodic changes and improvements.
For example, our latest 2022 Unit 42 Incident Response Report found that business email compromise and ransomware attacks are rampant, collectively making up 70% of cases handled by the Unit 42 team. While threat actors have flocked to these types of money-making schemes for years, the specifics evolve. Ransomware groups, for example, are more often engaging in additional layers of extortion to pressure organizations to pay. And, they’re creating easily accessible versions of their malware to make it possible for threat actors with fewer technical skills to participate in their malicious activities. By revising existing IR plans, you make it possible for your organization to stay ahead as threat actors shift their tactics.
Moreover, the top three access vectors for threat actors are phishing, software vulnerability exploitation and brute-force credential attacks, so it’s vital that existing IR plans are revised to focus on the most prevalent types of attacks.
Below, we share seven foundational best practices that will improve your IR plan while strengthening your overall security posture.
When a cybersecurity incident happens, you’re likely to be facing the worst day of your career: in a data breach or ransomware attack, you are scrambling to understand what’s being harmed or stolen, stopping the threat actors and maintaining your organization’s normal operations. Not knowing where to start can exacerbate the damage. When it comes time to enact or initiate the plan, each individual involved must know precisely what to do.
To ensure everyone is on the same page, it’s crucial to use clear communication and promote awareness of the roles and responsibilities of each IR team member. During an incident, it’s a case of all hands on deck, but for things to run smoothly, everyone must know what the other is doing and who is the critical point of contact for each workstream.
It’s also important to keep things positive. Security incident response can become frantic and mistakes will often be made. Positively recognizing team accomplishments along the way will help keep everyone motivated.
Many organizations happily state that they have an incident response plan, but all too often, they don’t know what to do with it.
A threat-specific incident response playbook is vital to an effective IR plan. This doesn’t have to be formally published, but it should at least consist of a document that is easily accessible and can provide guidance during the chaos of incident response.
A common issue during cyberattacks and other incidents is that groups know what they are responsible for, but are unsure how to carry out those responsibilities. The playbook should provide guidance on what actions to take to remediate certain situations. It can be thought of as a set of IR Standard Operating Procedures (SOPs).
For example, during the containment of a ransomware incident, the IR team will likely recognize that passwords need to be changed, but may be unsure of the scope of that task. The playbook would outline which passwords must be changed – administrative, individual, service account, global account and so on. It will also provide a checklist of any other required actions and who is responsible for them.
A solid IR plan encourages healthy habits. Regular security hygiene reviews will make the response more efficient and help mitigate the risk of incidents occurring in the first place.
These reviews should include changing passwords, updating and/or rotating keys, reviewing access levels and checking for old employee accounts or accounts created by a threat actor.
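The account-related parts of that review (old employee accounts, accounts created by someone other than the normal provisioning process, dormant accounts and privilege that nobody approved) are easy to script against a directory export. The following is an added example, not code from the Unit 42 post; the roster, approved-admin list, trusted provisioning source and the account records are all constructed for illustration, and the 90-day dormancy and 30-day "recently created" windows are assumed thresholds a team would tune to its own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Account:
    username: str
    created: date
    last_login: Optional[date]   # None = never logged in
    enabled: bool
    privileged: bool
    created_by: str              # who or what provisioned the account


# Constructed sample inputs (hypothetical): an HR roster of current staff,
# the approved admin list, trusted provisioning sources and a directory export.
REVIEW_DATE = date(2022, 8, 1)
CURRENT_STAFF = {"alice", "bob", "carol", "svc-backup"}
APPROVED_ADMINS = {"alice", "svc-backup"}
TRUSTED_CREATORS = {"hr-onboarding"}
ACCOUNTS = [
    Account("alice", date(2019, 3, 4), date(2022, 7, 30), True, True, "hr-onboarding"),
    Account("bob", date(2020, 1, 15), date(2022, 7, 29), True, False, "hr-onboarding"),
    Account("carol", date(2021, 6, 1), date(2022, 4, 1), True, False, "hr-onboarding"),
    # dave left the company but the account was never disabled
    Account("dave", date(2018, 9, 9), date(2022, 2, 10), True, False, "hr-onboarding"),
    Account("svc-backup", date(2019, 3, 4), date(2022, 7, 31), True, True, "hr-onboarding"),
    # privileged account provisioned days ago by a departed user, not by HR
    Account("support_tmp", date(2022, 7, 28), date(2022, 7, 31), True, True, "dave"),
]


def review_accounts(accounts, current_staff, approved_admins, trusted_creators,
                    today, dormant_days=90, recent_days=30):
    """Return the hygiene findings, keyed by check, as sorted username lists.

    Disabled accounts are skipped: they are already contained, so the review
    focuses on accounts that can still be used.
    """
    findings = {
        "not_in_roster": [],          # enabled account with no current employee behind it
        "dormant": [],                # no login within dormant_days
        "recently_created": [],       # created within recent_days, worth a second look
        "unapproved_privileged": [],  # privileged but not on the approved admin list
        "untrusted_creator": [],      # provisioned by someone who is not staff or HR
    }
    dormant_cutoff = today - timedelta(days=dormant_days)
    recent_cutoff = today - timedelta(days=recent_days)

    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.username not in current_staff:
            findings["not_in_roster"].append(acct.username)
        if acct.last_login is None or acct.last_login < dormant_cutoff:
            findings["dormant"].append(acct.username)
        if acct.created >= recent_cutoff:
            findings["recently_created"].append(acct.username)
        if acct.privileged and acct.username not in approved_admins:
            findings["unapproved_privileged"].append(acct.username)
        if acct.created_by not in trusted_creators and acct.created_by not in current_staff:
            findings["untrusted_creator"].append(acct.username)

    return {check: sorted(names) for check, names in findings.items()}


def accounts_needing_action(findings):
    """Map each flagged username to the list of checks that flagged it."""
    by_user = {}
    for check, names in findings.items():
        for name in names:
            by_user.setdefault(name, []).append(check)
    return by_user


if __name__ == "__main__":
    results = review_accounts(ACCOUNTS, CURRENT_STAFF, APPROVED_ADMINS,
                              TRUSTED_CREATORS, REVIEW_DATE)
    for user, checks in sorted(accounts_needing_action(results).items()):
        print(f"{user}: {', '.join(checks)}")
```

Run on the constructed data, the review flags `dave` as a departed user whose account is still enabled and dormant, and `support_tmp` on four checks at once (not on the roster, recently created, privileged without approval, and provisioned by a departed user), which is the profile of an account a threat actor adds for persistence and the reason the post lists this check. Accounts that trip several checks are the ones to disable first; a single "dormant" hit such as `carol` is a normal cleanup item.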
IR plan creation is not a set-it-and-forget-it task, and the plan should be assessed and audited regularly. This is especially important in today’s landscape, where technology and corresponding information systems are quickly advancing and changing. Other changes can happen, too, like a shift in business operations or changes to personnel and roles.
As these shifts happen, the IR plan must be adjusted to keep pace. For example, if you’ve moved some of your data or workloads to the cloud, this opens up your organization to new threats, and you must adapt your IR plan to address cloud-specific threats.
Note that you don’t need to reinvent the wheel by devising an entirely new plan. Instead, make changes to the existing plan, using the latest best practices – such as those provided by the NIST Cybersecurity Framework and CSIRT guidance – as a guide.
You don’t want to find out about flaws in your plan when it’s too late, so a proactive assessment of your IR plan is imperative. What’s more, those responsible for carrying out the plan will do so far more readily if they’ve had ample practice.
Even the best plan can fail if there’s no budget to execute it. It’s vital that a budget is set aside for costs in a zero-day incident. Your organization may have insurance to cover a cyberattack, but you need capital on the side to cover ancillary or unexpected costs.
It’s also important that key players are aware of how to use that budget. You don’t want to make budget decisions in the middle of an incident or let the budget limit your ability to respond the right way.
For example, in the event of an incident, you may need to purchase new computers or hardware to maintain operations or invest in software to help contain an attack. These conversations should occur during the IR planning stage, so there’s no uncertainty or time lost in a high-pressure situation.
With so many things happening in day-to-day business operations, it can be easy to let incident response training take a backseat. This leads to stale plans and lackluster responses when it matters most.
All organizations, no matter the size, should make IR training a priority. Indeed, training should be incorporated into the IR plan and budgeted accordingly. This should include discussing various scenarios and practicing response actions, so everyone knows what they are responsible for. It should also involve knowledge sharing among IR team members to avoid a single point of failure, where only one person holds specific knowledge about key software, hardware or systems.
Formal training should be ongoing as you incorporate new technologies (e.g., endpoint detection and response tools) into your environment.
“It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.”
– Stephane Nappo, Global Head of Information Security for Société Générale International Banking.
With so much on the line, it’s vital that your incident response is prompt and effective. Following these best practices to improve your incident response plan is key to ensuring this.
Having a strong IR plan, including preparation, education and testing, will mean that while the odds of a security incident are high, you and your team will be able to rise to the challenge and guide your business through the incident successfully.
If these steps sound overwhelming, or if you think your IR plan could benefit from expert review, Unit 42 can help. We work fast, triage tasks and learn on the fly. Our experienced team can help support IR planning, response and remediation to expedite efficiencies and streamline processes. Learn more about our incident response services and how to get started with a review of your existing IR plan.