Incident Response Planning
Boring topic? Maybe.
But if you believe what Gartner has to say: "Through 2016, 75% of CISO's who experience publicly disclosed security breaches, and lack documented, tested response plans, WILL BE FIRED."
Learn Incident Response
Learn Incident Response
Gartner said that (2012 Gartner Predicts) - CISO's may be fired for not having CIRP's…..
I'm a big believer in Response Planning, but I would have never said something that bold.
Fail PCI without a CIRP? Yes
Fail to follow industry 'best practice' framework like ISO 27K without a CIRP? Yes
I guess if you are a CISO/CSO and HOPE that you won't have an incident, maybe you should be fired.
You're a CISO/CSO who doesn't believe in documented Due Diligence? Maybe you should be fired.
Because Gartner said so and you STILL didn't bother to develop a CIRP, maybe you should be fired.
You're a CISO/CSO whose motto is "What, me worry?" You know the answer….
I don't understand why so many people out there don't have CIRPs. They're pretty simple.
Start with some basic concepts:
Anticipation
Say to yourself: "I am going to have a data breach in three weeks" – believe it; Now what would you do NOW to deal with it? What obligations does my organization have to meet? What resources will I need? How will this adversely affect my organization? What kind of ad-hoc organization will I need to respond to this crisis?
Socialization Who else in the organization will either need to be involved in the response or who has ideas about how we should respond? Suggestions: Legal, public affairs, applicable folks in IT, Forensics, Compliance, Shareholder Communications (if you are publicly traded), Corp Insurance (if you have cyber insurance) – just to name a few. How do they "interpret" an "incident"? Be sure to leverage them in an "advisory committee". Brief them monthly and solicit their feedback. Don't be afraid to look outside of the organization.Research
What information (Network diagrams, Point Of Contact listings, etc.) will I need to have immediately available at the time of crisis? What external resources may I need to call on?(Third party consultants, law enforcement, identity protections services, PFI's, etc.) How do I notify my acquiring bank(s)?
This is just a start. For planning to be an effective mechanism in mitigating risk, it must provide a solid foundation as to its execution, specific information so that participants are empowered with current and relevant knowledge, and yet it must be broad as to not constrict an organization's ability to respond to unforeseen events. Planning will rarely answer all the questions that come up during an incident, but it should provide a repository of thoughtful anticipation, collaboration and research. Furthermore, to assure a plan's continued usefulness, it should be tested and updated on a regular basis. A plan's true value is measured by the relevance of the information and processes it provides at a time of crisis.
Document Your Plan
Leverage the National institute of Standards and Technology (NIST) SP 800-61 document. Open a new Word doc, start with the following "Heading 1"s:
- Plan Introduction – this is where you put the nuances of the plan (ownership, objective, scope, assumptions, limitations, etc.)
- Incident Preparation – all the things you can do NOW to prepare for that day (Contacts, diagrams, third party services, etc.)
- Incident Detection, Analysis & Notification – How do you know when you have an incident? How does your organization (not just IT) define an "incident"? Who are you going to call?
- Incident Response – 'who' does 'what' in a manner that is most efficient (parallel vs. serial efforts)? How are you going to make decisions? How do you keep things 'organized & calm'? Does everyone know their Role & Responsibilities? Have you included everyone you need?
- Plan maintenance and post incident responsibilities – When is it really over? Annual testing? "Lessons Learned", documentation in case of post event litigation.
Embrace the idea of "transparency" – knowing that by doing so you are documenting your professional Due Diligence.
Share your plan with others. Solicit their feedback knowing that it is implicit approval and that there are numerous perspectives on what you may think is just a "computer" incident. Recognize those who have 'contributed' to the plan in the plan itself so that anyone reading your plan (My CEO has read mine) can see the depth of your effort in the document. What a great opportunity to demonstrate business value.
CIRP's aren't just for data breaches. I have CIRP's for malware outbreaks & internal E-mail based attacks (Phishing). We're currently working on one for when our Fortune 100 brand is exploited by others for spam & phishing. I'm sure ADP wishes they had one when their customer service lines started ringing off the hook in mid-August when their BRAND was used by criminals to trick folks into "clicking the link" to a rogue website in the Czech Republic.
This really isn't that hard. And don't pay those big consulting firms to come up with one for you. There are so many benefits to doing it yourself. The relationships you will make outside of IT, with people that are also critical to the organization, will pay dividends beyond simply preparing for a crisis. Leverage your CIRP efforts to introduce yourself to the local law enforcement resources you may need and hopefully develop an ongoing dialog with them. CIRP's can also provide you a mechanism to become more proactive during periods of heightened risk (malware especially).
By all means, don't find out the hard way that Gartner was right.
Learn Incident Response
Learn Incident Response
N. K. McCarthy is the author of The Computer Incident Response Planning Handbook published by McGraw-Hill and available for sale at Amazon.com.
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- Incident Response Planning
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, ISC2, Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool