A cyberattack can have devastating effects, yet most companies are not prepared to deal with one. Even a company with a good prevention plan and a solid security team will suffer breaches sooner or later. That is why a good incident response plan needs to be in place before anything happens.
What is a SIRP?
A Security Incident Response Plan (SIRP) is, as its name indicates, a guide to the measures to apply in case of a security breach. Its objective is to minimize the number and severity of cybersecurity incidents. Many companies only learn how to deal with the damage caused by a security incident after they have suffered one, and that lesson can be very costly.
A SIRP allows a company to deal with an incident as soon as it is detected, making sure the damage does not spread and that remedial measures are applied almost immediately. For this reason, in addition to a SIRP, it is advisable to have a Computer Security Incident Response Team (CSIRT). Preparing a plan requires a seasoned and experienced IT team, but a company that lacks one still needs to be prepared from the outset.
Preparing an incident response plan
Every SIRP consists of a series of steps. Not all of them will be needed in every incident, but together they establish a general action plan. A SIRP can be divided into three stages.
- Initial course of action
This stage begins by evaluating the situation and paying close attention to all activity. The first step is to confirm that the alert is not a false positive. The seriousness of the possible attack should be assessed from the start, and from this point on all information is meticulously logged. The next step is to communicate the incident properly to the rest of the CSIRT to ensure coordination. Containing the damage is essential, so it is necessary to decide which data is most important and to protect it in order of priority. To minimize risk, keep in mind that it is generally better to interrupt an IT process than to try to repair the damage afterwards. Where possible, isolate an affected system from the network rather than powering it off: a shutdown destroys volatile evidence (memory contents, active connections, running processes) that the next stage will need.
- Classifying the attack
From here on, the SIRP identifies the type and severity of the attack. This is essential in order to repair the system correctly. It is necessary to identify the nature of the attack, its origin, its intent and which systems and files are exposed. The next step is to identify unexpected physical access points and to examine key groups, such as administrator or sudo groups, for any unauthorized members. Special attention must be paid to gaps in the system logs, since a period of silence from a source that normally logs continuously may mean that entries have been deleted.
Log files and unusual connections should be examined, as should the security audit log, failed login attempts and any other indication of unusual activity, to give a clue as to how the incident occurred. This is the most meticulous part of the process. Once the attack has been correctly identified, the entire team may proceed to secure the logs, test results and all other relevant evidence. This should not be neglected, because of the significant legal implications: evidence whose integrity cannot be demonstrated (hashed copies, time stamps and a documented chain of custody) may be worthless later on.
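The log review described in this stage can be partly automated. The following is an added example, not code from the original article or from Panda Security, that triages a small constructed syslog-style log for three of the indicators mentioned above: bursts of failed logins from one source (and whether a login from that source later succeeded), additions to privileged groups, and gaps in a source that should log at a fixed interval. The sample lines, the ISO timestamp format, the heartbeat cron job and the `usermod` message format are all assumptions made for the example; adapt the regular expressions to the log formats you actually collect.

```python
"""Triage a syslog-style log for failed-login bursts, privileged-group
changes and suspicious gaps. Added example with constructed input."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from a real system). Assumes rsyslog-style
# "ISO-timestamp host program[pid]: message" lines and a cron heartbeat
# that is expected to fire every five minutes.
SAMPLE_LOG = """\
2018-03-02T03:00:01 web01 CRON[4001]: (root) CMD (/usr/lib/heartbeat.sh)
2018-03-02T03:05:01 web01 CRON[4010]: (root) CMD (/usr/lib/heartbeat.sh)
2018-03-02T03:06:12 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:14 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:17 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:19 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:22 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:25 web01 sshd[4102]: Failed password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:06:30 web01 sshd[4102]: Accepted password for admin from 203.0.113.5 port 40122 ssh2
2018-03-02T03:07:45 web01 usermod[4130]: add 'admin' to group 'sudo'
2018-03-02T03:10:01 web01 CRON[4140]: (root) CMD (/usr/lib/heartbeat.sh)
2018-03-02T03:55:01 web01 CRON[4310]: (root) CMD (/usr/lib/heartbeat.sh)
2018-03-02T03:58:03 web01 sshd[4333]: Failed password for jsmith from 198.51.100.7 port 51000 ssh2
2018-03-02T03:58:20 web01 sshd[4333]: Accepted password for jsmith from 198.51.100.7 port 51000 ssh2
2018-03-02T04:00:01 web01 CRON[4400]: (root) CMD (/usr/lib/heartbeat.sh)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Za-z_]+)\[(\d+)\]: (.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
GROUP_ADD_RE = re.compile(r"add '(\S+)' to group '(\S+)'")  # assumed usermod format
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm", "root"}


def parse_log(text):
    """Return (timestamp, host, program, message) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines deserve a manual look but must not stop triage
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(5)))
    events.sort(key=lambda e: e[0])
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (user, source) pairs with >= threshold failures inside the window.
    Each finding is (user, source, total_failures, succeeded_afterwards)."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, _host, prog, msg in events:
        if prog != "sshd":
            continue
        m = FAILED_RE.search(msg)
        if m:
            failures[(m.group(1), m.group(2))].append(ts)
            continue
        m = ACCEPTED_RE.search(msg)
        if m:
            successes[(m.group(1), m.group(2))].append(ts)
    findings = []
    for key, times in failures.items():
        start = 0
        for end in range(len(times)):  # sliding window over sorted failure times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                succeeded = any(t > times[end] for t in successes.get(key, []))
                findings.append((key[0], key[1], len(times), succeeded))
                break
    return findings


def find_privileged_group_changes(events, privileged=PRIVILEGED_GROUPS):
    """Return (timestamp, user, group) for every addition to a privileged group."""
    return [(ts, m.group(1), m.group(2))
            for ts, _host, _prog, msg in events
            if (m := GROUP_ADD_RE.search(msg)) and m.group(2) in privileged]


def find_log_gaps(events, program, expected_seconds=300, slack=1.5):
    """For a source that should log every expected_seconds, return (before, after)
    pairs where the silence exceeds expected * slack: a candidate for deleted
    entries, a stopped daemon or a host that was offline."""
    limit = timedelta(seconds=expected_seconds) * slack
    times = [ts for ts, _host, prog, _msg in events if prog == program]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("brute force:", find_bruteforce(evs))
    print("group changes:", find_privileged_group_changes(evs))
    print("heartbeat gaps:", find_log_gaps(evs, "CRON"))
```

On the sample input the report shows six failed passwords for `admin` from 203.0.113.5 followed by a successful login, that same account being added to `sudo` a minute later, and a 45-minute hole in a heartbeat that should fire every five minutes. Each of those is a lead for the manual work this stage calls for, not a conclusion: a gap can also mean the host was simply offline, so confirm it against other sources before treating it as log tampering.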
- Notification, documentation and review
In the last stage, the information is organized, the incident is documented and everyone involved is notified. Informing everyone involved is necessary to prevent further damage and to contain any possible follow-on attacks. Furthermore, from May 2018, notifying those involved will be even more important: the entry into force of the GDPR will require companies to report personal data breaches to the supervisory authority within 72 hours of becoming aware of them, and to inform the affected individuals when the breach is likely to put their rights and freedoms at high risk. Once the notification has been made, the systems and documentation need to be recovered. The recovery will depend on the nature of the breach, its targets and the amount of damage caused to the system. Having backups is crucial, and the backups themselves should be checked for the same weakness, and for signs of compromise, before they are restored, so that the problem is not reintroduced.
Lastly, a detailed report should be included in the documentation. Since every step was logged during the incident, this information should be saved and organized accurately and chronologically. A cost assessment of the incident should also be included, as it may serve as further evidence. The last step is to review the response and the action guidelines in order to improve the incident response plan, evaluating the errors committed and proposing improvements.
Advanced cybersecurity solutions such as Adaptive Defense 360 give IT teams complete visibility of the corporate network and produce detailed forensic reports on infections.