Chief information security officers (CISOs) understand that their enterprises will be subject to a breach, or at least an attempted attack, at some point. While they can’t predict the future, they can learn a lot about would-be attackers’ motivations and methods just by developing a thorough incident response strategy. This plan is crucial because it informs your actions, helps you create a positive outcome, and minimizes data loss and operational disruption in the event of a breach.
Five Key Questions to Consider When Developing Your Incident Response Plan
An effective incident response strategy requires intimate knowledge of the IT environment, thorough and regular testing, strong detection tools and comprehensive historical analysis. Security leaders should take the time to answer the following questions when devising an incident response plan.
1. How Would You Attack Your Own Enterprise?
CISOs know the security of their own enterprises inside and out, so they are in a good position to plan an intrusion. Use this detailed understanding to identify weaknesses that cybercriminals could exploit. For example, know whether all your operating systems are patched with current security updates, whether your Internet of Things (IoT) devices have appropriate safeguards in place and whether your user identity systems are properly encrypted. Build out a list of likely intrusion areas and establish checkpoints and protocols to monitor them.
2. When Did You Last Test Your Incident Response Plan?
Your incident response plan is just like your data backup plan: Even if it’s perfect on paper, it’s unproven until it’s been tested. If your company held its own red on blue exercises to simulate an attack, you may have an idea of how such a scenario might play out. A simulated attack can uncover areas of potential intrusion and lead you to develop procedures to deal with them.
But until you’ve fully tested your incident response plan, it’s only a plan. Use simulation exercises to measure the effectiveness of your response plan in real time, then revise the plan and get ready for the real thing.
3. How Would You Detect an Attack?
The most effective breaches go unnoticed for months or even years. After-the-fact detection doesn’t allow time to restrict or mitigate the effects of a breach, so it’s important to identify attacks as they happen. This task is complicated, however, because sophisticated thefts are often executed over long periods of time and only discovered when the target company is notified by an outside source such as law enforcement.
4. How Fast Can You Detect an Intrusion?
Network traffic analysis is the key to identifying intrusions, but if that analysis is delayed by days or even hours, it may be useless when it comes to stopping an attack in process. Network forensics solutions need to be optimized and separated from the networks they are monitoring so that both the network and the data being analyzed can operate at peak efficiency. Build your network analysis to operate in real time and filter false notifications so that only real suspected intrusions are announced.
5. Can You Identify Attack Origins?
History can be a great predictor of the future. This is particularly true when it comes to predicting cyberattacks, but it’s only possible to analyze history if you’ve been collecting and storing your network traffic data.
Just as analyzing network traffic in real time is critical to detecting an intrusion, looking at data patterns over time can help you detect changes in what and how data is coming across your network. The historical view is important for those long-term, delayed execution intrusions that can exist across the network and launch weeks or months after they’ve been planted. Historical analysis of network data patterns can alert you to the possibility of future attacks and give you and opportunity to eliminate the problem before it executes.
See Through the Eyes of a Cybercriminal
An effective incident response plan requires both solid planning and flawless execution. Take steps well ahead of time to see your environment through the eyes of a cybercriminal and implement the advanced processes your team needs to keep your enterprise safe. While it is certainly no crystal ball, a thorough incident response strategy can help your security team stay one step ahead of fraudsters trying to break into your network.
Freelance Writer and Former CIO