9 Ways to Improve Your Cybersecurity Incident Response Plan

An incident response plan (IRP) is a document meant to “detect, respond to, and limit
consequences of malicious cyber attacks”, according to the NIST definition. Ideally, a
comprehensive IRP fully protects an organization from insider threats. In real life, the
document needs constant review and improvement.
In this article, we discuss 9 ways to make sure your IRP is up to date. These tips help you
improve your procedures and stay focused when you face an attack.

  1. Appoint specific employees responsible for IRP implementation
    Every official document designates those responsible for its implementation, but
    often it isn’t specific enough. For example, a cybersecurity incident response plan
    may refer only to a particular department or team.
    Shared responsibility isn’t effective when you need your response team to act
    fast and efficiently. It’s best to appoint a specific person or job title. Such
    precision saves time during insider attack mitigation.
  2. Keep an eye on compliance recommendations
    Following cybersecurity standards and regulations is a must. Fines for non-compliance
    with GDPR, for example, can reach $20 million or 4% of annual turnover.
    NIST, HIPAA, NISPOM, and other standards consist of mandatory requirements and
    recommendations too. The easiest way to ensure compliance is to implement only the
    “must” rules, but you should take a closer look at the recommendations as well. They
    are based on cybersecurity best practices and can make your security incident response
    plan more reliable.
  3. Analyze all insider-related incidents
    To defeat an enemy, you must know them. You have two major information sources:
    ● Known incidents. A thorough study of insider threat cases will save you from
    making the same mistakes. Analyze the causes and threat sources relevant to
    your industry using materials from the media, expert interviews, and reports
    on the subject.
    ● Incidents inside your company. Incident investigations help you improve your
    IRP. If you detect a suspicious pattern of actions, look at it closely. It may
    indicate an upcoming attack, or show how you can make cybersecurity
    policies more comfortable for employees.
  4. Establish procedures for continuous identification of critical resources
    Defining which resources you need to protect is the first step in creating an IRP.
    The trick is to keep updating this list after the plan is implemented. As time goes
    by, the organization’s environment grows and incorporates new services and types of
    sensitive data. The IRP should reflect those changes.

    To detect sensitive data, you can employ a data loss prevention (DLP) system. Such
    solutions constantly scan the protected perimeter for files with classified
    information and detect possible leakage.
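As an added illustration of the kind of check a DLP scanner performs (this is example code written for this article, not part of the original text or any particular DLP product), the block below walks a constructed, in-memory set of files and flags those carrying classification markings or Luhn-valid payment-card numbers. The file paths, contents and marking list are all assumptions chosen for the example.

```python
"""Added example: a minimal DLP-style content scanner over constructed sample files."""
import re
from dataclasses import dataclass

# Classification markings that should never leave the perimeter unreviewed (assumed list).
MARKINGS = ("CONFIDENTIAL", "INTERNAL ONLY", "RESTRICTED")

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: filters random digit runs (order IDs, timestamps) out of card hits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    path: str
    kind: str       # "marking" or "card_number"
    evidence: str   # matched marking, or the card number masked to its last 4 digits


def scan_text(path: str, text: str) -> list:
    """Return every marking or Luhn-valid card number found in one file's text."""
    findings = []
    upper = text.upper()
    for marking in MARKINGS:
        if marking in upper:
            findings.append(Finding(path, "marking", marking))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]   # never log the full PAN
            findings.append(Finding(path, "card_number", masked))
    return findings


def scan_files(files: dict) -> dict:
    """Return {path: [Finding, ...]} for every file with at least one hit."""
    report = {}
    for path, text in files.items():
        hits = scan_text(path, text)
        if hits:
            report[path] = hits
    return report


# Constructed sample perimeter (hypothetical paths and contents, not real data).
SAMPLE_FILES = {
    "share/finance/q3-forecast.docx": "CONFIDENTIAL - internal only forecast numbers",
    "share/support/ticket-1042.txt": "Customer paid with card 4111 1111 1111 1111, refund issued",
    "share/public/press-release.txt": "Order 1234567890123 shipped on time.",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}: {h.kind} -> {h.evidence}")
```

The Luhn check is what keeps the public press release (a 13-digit order number) out of the report, which is exactly the false-positive pressure a real DLP deployment has to manage; the card number in the support ticket is reported masked so the scanner itself does not become a second leak.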

  5. Monitor as much as you can
    Thorough monitoring of both regular and privileged users is essential not only for
    timely threat detection but also for cybersecurity incident response. Records of user
    screen activity let you pinpoint the cause and scope of an attack. Better still,
    record audio input and output, or use UEBA to establish a baseline of employee
    behavior and detect suspicious changes.
    This information will help you determine potential losses and mitigating actions.
  6. Ensure reliable external and internal communications
    Time is one of the key factors in the cost of an insider threat. When you detect an
    insider attack, it’s important to clearly communicate a course of action inside your
    response team. It’s also important to create a clear external communication strategy.
    For this reason, you should include a PR representative and a lawyer on your incident
    response team. Also, include emergency contacts in your IRP in case the responsible
    specialists are unavailable.
  7. Fine-tune your alerting system
    A timely alert on suspicious activity is vital for attack detection and prevention. Any
    insider threat software provides alerting functionality. It’s important to tailor
    this system to your business processes.
    Otherwise, you’ll end up with a lot of false-positive alerts that distract the security
    team. Security officers also start turning a blind eye to a constant stream of messages
    about minor security rule violations. To avoid this, employ tools that can
    automatically react to minor incidents (e.g. block a session or a user).
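To show how the UEBA baseline from point 5 and the alert tiering from point 7 fit together, here is an added example (written for this article, not taken from the original text or from any vendor’s product) that scores each user’s activity for today against their own history and routes the result: minor deviations get an automatic action and a log entry for periodic review, while only major deviations reach an analyst. The user names, activity counts and sigma thresholds are constructed assumptions.

```python
"""Added example: per-user behavioral baseline with tiered alert routing."""
from statistics import mean, pstdev

MINOR_SIGMA = 2.0        # assumed tuning: deviation that triggers an automatic action
MAJOR_SIGMA = 4.0        # assumed tuning: deviation that alerts an analyst
MIN_BASELINE_DAYS = 5    # too little history means no reliable baseline yet


def deviation(history, today):
    """How many standard deviations `today` lies above the user's baseline mean.
    A flat history (zero variance) uses a floor of 1.0 so a single extra event
    is not reported as an outlier."""
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)
    return (today - mu) / sigma


def classify(user, history, today):
    """Score one user and decide what happens: nothing, an automatic response, or a human."""
    if len(history) < MIN_BASELINE_DAYS:
        return {"user": user, "tier": "no-baseline", "z": None,
                "action": "keep collecting history before alerting"}
    z = deviation(history, today)
    if z >= MAJOR_SIGMA:
        return {"user": user, "tier": "major", "z": round(z, 2),
                "action": "alert analyst; preserve session recording"}
    if z >= MINOR_SIGMA:
        return {"user": user, "tier": "minor", "z": round(z, 2),
                "action": "auto: require re-authentication; log for weekly review"}
    return {"user": user, "tier": "normal", "z": round(z, 2), "action": "none"}


def triage(activity):
    """activity: {user: (daily_counts_history, today_count)}.
    Returns results grouped by tier, so the analyst queue (major) is kept apart
    from what was handled automatically (minor) and from background noise."""
    queues = {"major": [], "minor": [], "normal": [], "no-baseline": []}
    for user, (history, today) in activity.items():
        result = classify(user, history, today)
        queues[result["tier"]].append(result)
    return queues


# Constructed sample: number of sensitive files opened per day, last 7 days, then today.
SAMPLE_ACTIVITY = {
    "alice": ([20, 22, 19, 21, 23, 20, 21], 22),    # within her normal range
    "bob":   ([5, 5, 5, 5, 5, 5, 5], 8),            # flat history, small bump: minor
    "carol": ([30, 35, 28, 32, 31, 33, 30], 300),   # mass access: major
    "dave":  ([10, 12], 100),                       # new account, no baseline yet
}

if __name__ == "__main__":
    for tier, results in triage(SAMPLE_ACTIVITY).items():
        for r in results:
            print(f"[{tier}] {r['user']}: z={r['z']} -> {r['action']}")
```

The two thresholds are the knobs the article is talking about: lowering MAJOR_SIGMA pages analysts more often, raising MINOR_SIGMA lets more drift pass silently, and MIN_BASELINE_DAYS stops the system from alerting on accounts it has not yet learned. Tuning them against your own history is what keeps the analyst queue short enough to be read.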
  8. Work out a recovery strategy
    No matter how well you are prepared to detect an insider threat, there’s always a
    possibility of missing it. For such a scenario, your cyberattack response plan should
    include a recovery strategy.
    This is a set of actions aimed to:
    ● Establish a regular backup procedure
    ● Restore damaged or lost data and resources
    ● Perform an incident review
    ● Form long-term communication strategies for clients, partners, investors,
    business owners, and the press
    ● Conduct an incident investigation
  9. Conduct red team and blue team training
    Effective training is the best way to ensure that your response team will react
    properly if a breach occurs. Red team versus blue team is a classic cybersecurity
    practice that lets you find weaknesses in your security system and rehearse your
    actions in case of an attack.
    During this training, incident response specialists are divided into two teams. The red
    team has to steal sensitive data by any means available, and the blue team has to
    prevent or mitigate the attack.
    You can also use other tactics and frameworks to train your cybersecurity team.

An incident response plan is often required by obligatory standards, but it can be so much
more than a simple formality. Creating a clear scheme of incident response steps will save
your company a lot of time and resources when a data breach is detected.
To stay effective, this document needs to be constantly updated and reviewed. Pay attention
to security best practices, new approaches, expert recommendations, and new tools so that
you can detect an insider attack in time and respond to it.

Author: Adam Edmond

Anastasis Vasileiadis
