An incident response plan (IRP) is a document intended to “detect, respond to, and limit
consequences of malicious cyber attacks”, according to the NIST definition. Ideally, a
comprehensive IRP covers every insider threat scenario an organization is likely to face.
In real life, no plan does so from day one: the document needs constant review and improvement.
In this article, we discuss 9 ways to make sure your IRP is up to date. These tips help you
improve your procedures and stay focused when you face an attack.
- 1. Appoint specific employees responsible for IRP implementation
Every official document designates those responsible for its implementation, but often
not specifically enough. For example, a cybersecurity incident response plan may refer
to a whole department or team.
Shared responsibility isn’t effective when you need your response team to act fast and
efficiently. It’s best to name a specific person or job title for each duty. Such accuracy
saves time during insider attack mitigation.
- 2. Keep an eye on compliance recommendations
Following cybersecurity standards and regulations is a must. Fines for non-compliance
with GDPR, for example, can reach €20 million or 4% of annual worldwide turnover,
whichever is higher.
NIST publications, HIPAA, NISPOM, and other standards and regulations contain
recommendations alongside their mandatory requirements. The easiest way to ensure
compliance is to implement only the “must” rules, but you should take a closer look at
the recommendations as well. They are based on cybersecurity best practices and can make
your security incident response plan more reliable.
- 3. Analyze all insider-related incidents
To defeat an enemy, you must know them. You have two major information sources:
● Known incidents. A thorough study of insider threat cases will save you from
making the same mistakes. Analyze the motives and threat sources relevant to
your industry using media coverage, expert interviews, and reports on the subject.
● Incidents inside your company. Incident investigations help to improve your
IRP. If you detect a suspicious pattern of actions, look at it closely. It may
indicate an upcoming attack, or show how you can make cybersecurity policies
less burdensome for employees.
- 4. Establish procedures for continuous identification of critical resources
Defining which resources you need to protect is the first step of creating an IRP. The
trick is to keep updating this list after the plan is implemented. As time goes by, the
organization’s environment grows and incorporates new services and types of sensitive
data. The IRP should reflect those changes.
To find sensitive data, you can employ a data loss prevention (DLP) system. Such
solutions continuously scan endpoints, file shares, and outbound channels for files
containing classified information and flag possible leaks.
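The content-inspection step a DLP system performs, as an added example written for this article (it is not code from any DLP product): the scanner below walks a constructed set of in-memory "files" and reports which ones contain payment card numbers or US social security numbers. Card candidates are matched on shape and then confirmed with the Luhn checksum, which is what keeps a random 16-digit ticket ID from being classified as a card number. The file paths, contents and the two data types are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample "files" (path -> contents). A real DLP agent would read these
# from endpoints, file shares or outbound mail; they are inline here so the example
# runs offline.
SAMPLE_FILES = {
    # second value uses an unissued 9xx area number, so only one SSN counts
    "hr/payroll_export.csv": "name,ssn\nAlice,123-45-6789\nBob,987-65-4321\n",
    "sales/quarterly_notes.txt": "Customer paid with card 4111 1111 1111 1111, expiry 12/27.",
    "eng/readme.md": "Ticket IDs such as 1234567890123456 are 16 digits but not card numbers.",
    "marketing/draft.txt": "Nothing sensitive here; version 2.0.1 released.",
}

# 13-19 digits, optionally separated by single spaces or dashes (card number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, excluding area numbers the SSA never issues (000, 666, 9xx) and
# zero group/serial numbers.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str   # "PAN" (payment card number) or "SSN"
    count: int


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> Dict[str, int]:
    """Count sensitive-data matches in one document, keyed by data type."""
    counts: Dict[str, int] = {}
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):          # shape alone is not enough; require a valid checksum
            cards += 1
    if cards:
        counts["PAN"] = cards
    ssns = len(SSN_RE.findall(text))
    if ssns:
        counts["SSN"] = ssns
    return counts


def scan(files: Dict[str, str]) -> List[Finding]:
    """Scan every file and return one Finding per (file, data type) with a hit."""
    findings = []
    for path in sorted(files):
        for kind, n in classify(files[path]).items():
            findings.append(Finding(path, kind, n))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_FILES):
        print(f"{f.path}: {f.count} {f.kind} value(s) -> review classification and access")
```

Running the scan reports only the payroll export and the sales notes; the engineering readme, whose 16-digit ticket ID fails the checksum, is correctly left alone. The output of such a scan is exactly the kind of input the "critical resources" list in the IRP should be refreshed from.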
- 5. Monitor as much as you can
Thorough monitoring of both regular and privileged users is essential not only for
timely threat detection but also for cybersecurity incident response. Records of user
screen activity allow you to pinpoint the cause and scope of an attack. Even better, where
local privacy and employment law permits it, record audio input and output, or use UEBA
to establish a baseline of employee behavior and detect suspicious deviations from it.
This information will help you determine potential losses and mitigating actions.
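What "establish a baseline and detect suspicious changes" looks like in practice, as an added example written for this article rather than the logic of any UEBA product: per-user normal logon hours and download volume are learned from a 14-day window of constructed activity records, and later days are scored against them. A user with no history at all is escalated rather than silently passed, because a brand-new or dormant account is itself worth a look. The record format, the 14-day window and the z-score threshold of 3 are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

BASELINE_DAYS = 14   # days of history used to learn each user's "normal" (assumption)
Z_THRESHOLD = 3.0    # standard deviations above the mean that counts as anomalous

# Constructed daily activity records: (user, day, logon_hour, files_downloaded).
# A real deployment would derive these from authentication and file-access logs.
RECORDS: List[Tuple[str, int, int, int]] = (
    [("alice", d, 9 + d % 2, 20 + d % 5) for d in range(1, BASELINE_DAYS + 1)]  # 09:00/10:00, ~22 files
    + [("bob", d, 8, 5 + d % 3) for d in range(1, BASELINE_DAYS + 1)]            # 08:00, ~6 files
    + [
        ("alice", 15, 9, 22),     # ordinary day
        ("alice", 16, 2, 950),    # 02:00 logon and bulk download: two deviations
        ("bob", 15, 8, 7),        # ordinary day
        ("bob", 16, 8, 40),       # usual hour, unusual volume
        ("carol", 16, 9, 3),      # no history at all: cannot be scored against a baseline
    ]
)


def build_baselines(records, baseline_days=BASELINE_DAYS) -> Dict[str, dict]:
    """Learn per-user normal logon hours and download-volume statistics."""
    per_user = defaultdict(list)
    for user, day, hour, files in records:
        if day <= baseline_days:
            per_user[user].append((hour, files))
    baselines = {}
    for user, obs in per_user.items():
        counts = [f for _, f in obs]
        baselines[user] = {
            "hours": {h for h, _ in obs},
            "mean": mean(counts),
            "stdev": pstdev(counts),
        }
    return baselines


def score(record, baselines, z_threshold=Z_THRESHOLD) -> List[str]:
    """Return the reasons one record deviates from its user's baseline (empty if none)."""
    user, _day, hour, files = record
    base = baselines.get(user)
    if base is None:
        return ["no baseline for user"]   # new or dormant account: escalate rather than ignore
    reasons = []
    if hour not in base["hours"]:
        reasons.append(f"logon at {hour:02d}:00 outside usual hours")
    stdev = base["stdev"] or 1.0            # perfectly regular users would otherwise divide by zero
    z = (files - base["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"{files} files downloaded, z={z:.1f} vs baseline mean {base['mean']:.1f}")
    return reasons


def detect(records, baseline_days=BASELINE_DAYS):
    """Score every post-baseline record; return (user, day, reasons) for the anomalous ones."""
    baselines = build_baselines(records, baseline_days)
    alerts = []
    for rec in records:
        if rec[1] > baseline_days:
            reasons = score(rec, baselines)
            if reasons:
                alerts.append((rec[0], rec[1], reasons))
    return alerts


if __name__ == "__main__":
    for user, day, reasons in detect(RECORDS):
        print(f"day {day} {user}: " + "; ".join(reasons))
```

One caveat the example makes visible: the baseline is only as trustworthy as the window it is learned from. If an insider was already exfiltrating data during those 14 days, that activity becomes "normal", so the learning window should be reviewed against known-good periods before the scores are relied on.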
- 6. Ensure reliable external and internal communications
Time is one of the key factors in the cost of an insider threat. When you detect an insider
attack, it’s important to clearly communicate the course of action within your response
team. It’s also important to have a clear external communication strategy.
For this reason, you should include a PR representative and a lawyer in your incident
response team. Also, add emergency contacts to your IRP in case the responsible
specialists are unavailable.
- 7. Fine-tune the alerting system
A timely alert on suspicious activity is vital for attack detection and prevention. Any
insider threat management tool provides alerting functionality, but it’s important to
tune its rules to your business processes.
Otherwise, you’ll end up with a flood of false-positive alerts that distract the security
team, and security officers start to ignore constant messages about minor security rule
violations. To avoid this, employ tools that can automatically react to minor incidents
(e.g. block a session or a user) so that analysts see only what needs a human decision.
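A concrete form of that tuning, as an added example for this article and not the configuration format of any real product: raw alerts from a hypothetical monitoring tool are triaged by (1) suppressing hits that a business process explains (HR staff opening the HR share), (2) answering minor policy violations with an automatic response and folding repeats within a ten-minute window into one record, and (3) sending everything else to an analyst. The alert fields, the team-prefix stand-in for group membership, and the window length are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

AGGREGATION_WINDOW = 600   # seconds; repeats of the same minor alert inside it are folded together


@dataclass(frozen=True)
class Alert:
    ts: int         # event time in seconds (constructed values)
    user: str
    rule: str       # name of the rule in the monitoring tool that fired
    resource: str
    severity: str   # "low" (policy violation) or "high" (possible data theft)


# Constructed raw alerts from a hypothetical insider-threat monitoring tool.
# User names carry a team prefix ("hr_", "dev_") as a stand-in for directory group membership.
RAW_ALERTS = [
    Alert(1000, "hr_anna", "sensitive_share_access", "\\\\fs\\hr", "high"),
    Alert(1005, "hr_anna", "sensitive_share_access", "\\\\fs\\hr", "high"),
    Alert(1010, "dev_bo", "usb_mount", "usb0", "low"),
    Alert(1020, "dev_bo", "usb_mount", "usb0", "low"),
    Alert(1030, "dev_bo", "usb_mount", "usb0", "low"),
    Alert(1100, "dev_bo", "sensitive_share_access", "\\\\fs\\hr", "high"),
    Alert(5000, "dev_bo", "usb_mount", "usb0", "low"),
]

# Tuning kept as data so it can be reviewed together with the IRP (assumed format):
# which teams are expected to trigger a rule on a resource, and which minor rules get an
# automatic response instead of an analyst.
EXPECTED_ACCESS: Dict[Tuple[str, str], Set[str]] = {
    ("sensitive_share_access", "\\\\fs\\hr"): {"hr_"},
}
AUTO_RESPONSE: Dict[str, str] = {"usb_mount": "block_session"}


def is_expected(alert: Alert) -> bool:
    """True if this user's team is supposed to do this as part of a business process."""
    prefixes = EXPECTED_ACCESS.get((alert.rule, alert.resource), set())
    return any(alert.user.startswith(p) for p in prefixes)


def triage(alerts: List[Alert]):
    """Split raw alerts into an analyst queue, automatic actions and a suppressed count.

    Suppressed alerts are counted, not discarded: the underlying events stay in the
    monitoring tool's logs for later investigation.
    """
    analyst_queue: List[Alert] = []
    actions: List[Tuple[str, str, int]] = []
    suppressed = 0
    last_action: Dict[Tuple[str, str], int] = {}   # (user, rule) -> ts of last automatic response
    for a in sorted(alerts, key=lambda x: x.ts):
        if is_expected(a):
            suppressed += 1
            continue
        action = AUTO_RESPONSE.get(a.rule) if a.severity == "low" else None
        if action:
            key = (a.user, a.rule)
            if key in last_action and a.ts - last_action[key] < AGGREGATION_WINDOW:
                suppressed += 1           # session already blocked moments ago; no new alert
                continue
            last_action[key] = a.ts
            actions.append((a.user, action, a.ts))
            continue
        analyst_queue.append(a)           # everything else needs a human decision
    return analyst_queue, actions, suppressed


if __name__ == "__main__":
    queue, actions, suppressed = triage(RAW_ALERTS)
    print(f"{len(queue)} alert(s) for analysts, {len(actions)} automatic action(s), {suppressed} suppressed")
    for a in queue:
        print(f"  ts={a.ts} {a.user} {a.rule} on {a.resource} [{a.severity}]")
```

Seven raw alerts become one item for an analyst (a developer reading the HR share), two automatic session blocks and four suppressed events. Note that suppression is a count, not a deletion: the expected HR accesses and the repeated USB mounts still exist in the tool's event log, which matters when the same developer's share access later turns into an investigation.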
- 8. Work out a recovery strategy
No matter how well prepared you are to detect an insider threat, there’s always a
possibility of missing it. For such a scenario, your cyberattack response plan should
include a recovery strategy.
This is a set of actions aimed to:
● Establish a regular backup procedure
● Restore damaged or lost data and resources
● Perform an incident review
● Form long-term communication strategies for clients, partners, investors,
business owners, and the press
● Conduct an incident investigation
- 9. Conduct red team and blue team training
Effective training is the best way to ensure that your response team will react
properly if a breach occurs. Red team versus blue team is a classic cybersecurity
exercise that uncovers weaknesses in your security system and lets you rehearse your
actions in case of an attack.
During this training, incident response specialists are divided into two teams. The red
team has to steal sensitive data by any available means, and the blue team has to prevent
or mitigate the attack.
You can also use other tactics and frameworks to train your cybersecurity team.
An incident response plan is often required by mandatory standards, but it can be much
more than a formality. Creating a clear scheme of incident response steps will save your
company a lot of time and resources when a data breach is detected.
To stay effective, this document needs to be constantly updated and reviewed. Pay
attention to security best practices, new approaches, expert recommendations, and new
tools so that you can detect an insider attack in time and respond to it.
Author: Adam Edmond