Cyber Incident Response Planning


A Cyber Incident Response Plan (or IR Plan) is a set of instructions designed to help a company prepare for possible cyber attacks. The plan sets out how to detect, respond to and recover from network security incidents. There are six stages to dealing with any incident and creating a response plan; these stages define the actions to be carried out from the moment the incident occurs until it is resolved. Your organisation's cyber security personnel should include an incident response team: a group of professionals able to handle the situation should an attack take place.

Step 1: Preparation 

This first stage of the process focuses on preparing your organisation, and more specifically the incident response team, to be ready to counter an attack at any moment. It involves planning for every type of incident, from a simple virus to a ransomware attack. It includes defining practices, setting out guidelines and rules, and agreeing a response strategy for handling each and every incident. This stage also defines the severity levels of incidents and the corresponding actions to take. Practice drills should be conducted so that the team has hands-on experience with incident handling.

Step 2: Identification 

At this stage, any abnormalities found in a system are inspected for suspicious activity to determine whether they qualify as an incident. The IR team looks at past events from sources such as error messages and log files to check whether a malfunction can be labelled an incident. If an incident is identified, it is immediately reported to the team and the process is documented as evidence. Documentation is a necessary procedure: it is sometimes needed to mitigate or recover from the incident at hand, or to be presented in court.
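As an added illustration of the Preparation and Identification stages (this is example code, not Securiwiser's tooling), the script below triages constructed sshd-style log lines against a hypothetical severity policy agreed in advance (a failed-login threshold), and documents any finding as an incident record that carries a SHA-256 of the raw log it was derived from, so the evidence can later be shown to be unaltered. The log lines, the threshold and the severity labels are all assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in sshd style; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022
2024-03-01T09:12:03Z sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023
2024-03-01T09:12:05Z sshd[2101]: Failed password for root from 203.0.113.7 port 51024
2024-03-01T09:12:07Z sshd[2101]: Failed password for root from 203.0.113.7 port 51025
2024-03-01T09:12:09Z sshd[2101]: Failed password for root from 203.0.113.7 port 51026
2024-03-01T09:12:11Z sshd[2101]: Accepted password for root from 203.0.113.7 port 51027
2024-03-01T09:15:40Z sshd[2188]: Failed password for alice from 198.51.100.4 port 40211
2024-03-01T09:15:55Z sshd[2188]: Accepted password for alice from 198.51.100.4 port 40212
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

# Hypothetical policy from the Preparation stage: this many failures from one
# source is worth a ticket; a success after that many failures is high severity.
FAIL_THRESHOLD = 5


def parse_auth_log(text):
    """Turn raw log text into a list of dicts (ts, result, user, ip); unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(events):
    """Group events by source IP and apply the severity policy; returns a list of findings."""
    by_ip = defaultdict(lambda: {"failed": 0, "success_after_failures": False, "users": set()})
    for ev in events:
        rec = by_ip[ev["ip"]]
        if ev["result"] == "Failed":
            rec["failed"] += 1
            rec["users"].add(ev["user"])
        elif rec["failed"] > 0:
            rec["success_after_failures"] = True
    findings = []
    for ip, rec in by_ip.items():
        if rec["failed"] < FAIL_THRESHOLD:
            continue  # below policy threshold: not an incident, just noise
        severity = "high" if rec["success_after_failures"] else "medium"
        findings.append({
            "source_ip": ip,
            "failed_attempts": rec["failed"],
            "targeted_users": sorted(rec["users"]),
            "severity": severity,
        })
    return findings


def build_incident_record(findings, raw_log, reported_at=None):
    """Document the identification as evidence: findings plus a hash of the log they came from."""
    reported_at = reported_at or datetime.now(timezone.utc).isoformat()
    return {
        "reported_at": reported_at,
        "source": "sshd auth log (constructed sample)",
        "evidence_sha256": hashlib.sha256(raw_log.encode()).hexdigest(),
        "findings": findings,
    }


if __name__ == "__main__":
    record = build_incident_record(classify(parse_auth_log(SAMPLE_LOG)), SAMPLE_LOG)
    for f in record["findings"]:
        print(f"{f['severity'].upper()}: {f['source_ip']} made {f['failed_attempts']} failed "
              f"attempts against {', '.join(f['targeted_users'])}")
    print("evidence sha256:", record["evidence_sha256"])
```

Run as-is, the script reports one high-severity finding for 203.0.113.7 (five failures followed by a success) and ignores the single mistyped password from 198.51.100.4. The hash in the record is what lets the team later prove that the log excerpt attached to the ticket is the same one the finding was based on.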

Step 3: Containment 

The goal of this stage is to control the impact and prevent the incident from affecting your systems any further. There are three steps. The first is short term containment, in which the affected component is isolated to limit the damage and substituted with backup components. Second is system backup: the data from the isolated component is backed up for use immediately or in the future. Lastly comes the long term containment plan, which means studying the root cause of the incident and investing in components and systems that can withstand any future outages.

Step 4: Eradication 

During this stage the incident itself is eradicated. The root cause is analysed and the cost of removing it is calculated. All necessary steps are taken to remove the malicious content from the affected systems; this could include replacing vulnerable software or hardware, training current employees on specific cyber defence tactics, or taking the appropriate action regarding a team member if they were the reason behind the incident.

Step 5: Recovery 

This is the stage at which the affected system is brought back into use after the incident has been resolved. Testing the components before putting them back into use is very important. It is also important to ensure the restored component is clean, and to keep it under observation for a period of time to make sure that no further breaches happen. Sometimes third party resources are hired to monitor the system and confirm that no vulnerabilities remain.
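One concrete way to check that a restored component is clean before it goes back into service is to compare it against a known-good baseline taken during the Preparation stage. The example below is added here to illustrate that check and is not part of the original post or any product; it builds a SHA-256 manifest of a golden copy, then verifies a restored copy and reports modified, missing and unexpected files. The directory layout and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path, POSIX separators) to its SHA-256: the baseline."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(baseline, restored_root):
    """Compare a restored tree with the baseline manifest; 'clean' is True only if nothing differs."""
    current = build_manifest(restored_root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    unexpected = sorted(p for p in current if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
        "clean": not (modified or missing or unexpected),
    }


def demo():
    """Constructed scenario: a golden copy, a faithful restore, then a tampered restore."""
    with tempfile.TemporaryDirectory() as golden, tempfile.TemporaryDirectory() as restored:
        files = {"bin/app": b"original binary", "etc/app.conf": b"port=8080\n"}
        for base in (golden, restored):
            for rel, data in files.items():
                p = Path(base) / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        baseline = build_manifest(golden)
        before = verify_restore(baseline, restored)  # identical trees: expected clean

        # Simulate a restore that is not clean: one altered binary and one stray file.
        (Path(restored) / "bin" / "app").write_bytes(b"original binary with extra bytes")
        (Path(restored) / "tmp").mkdir()
        (Path(restored) / "tmp" / ".hidden").write_bytes(b"x")
        after = verify_restore(baseline, restored)
        return {"before_tamper": before, "after_tamper": after}


if __name__ == "__main__":
    result = demo()
    print("faithful restore clean:", result["before_tamper"]["clean"])
    print("tampered restore:", result["after_tamper"])
```

The check only answers "does the restored component match what we signed off on"; it cannot say whether the baseline itself was clean, which is why the baseline should be captured and stored out of band during Preparation rather than reconstructed after the fact.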

Step 6: What Was Learned? 

This last step is a reflection on the lessons learned from the incident. After the matter is resolved, your organisation should have a document that clearly outlines the cause of the incident, the actions taken, and every detail pertaining to the previous stages of the response plan. The main objective of this stage is to prevent similar incidents from recurring.

How can Securiwiser help your organisation? 

Securiwiser will monitor your devices, network and website twenty-four hours a day to ensure that no malicious content is infecting your systems. If anything suspicious is found, you will receive a detailed report on any vulnerabilities and be given advice on what to do to resolve the issue. You could even add the report to an incident response as extra evidence if need be.
