October 12, 2017 By Scott Koegler 3 min read

Chief information security officers (CISOs) understand that their enterprises will be subject to a breach, or at least an attempted attack, at some point. They can't predict exactly when or how, but the work of building a thorough incident response strategy forces them to think through would-be attackers' motivations and methods. The resulting plan is crucial because it dictates who does what once an incident is declared, shortens the time to containment, and minimizes data loss and operational disruption in the event of a breach.

Five Key Questions to Consider When Developing Your Incident Response Plan

An effective incident response strategy requires intimate knowledge of the IT environment, thorough and regular testing, strong detection tools and comprehensive historical analysis. Security leaders should take the time to answer the following questions when devising an incident response plan.

1. How Would You Attack Your Own Enterprise?

CISOs know the security of their own enterprises inside and out, so they are in a good position to plan an intrusion against them. Use this detailed understanding to identify weaknesses that cybercriminals could exploit. For example, know whether all your operating systems are patched with current security updates, whether your Internet of Things (IoT) devices have appropriate safeguards in place and whether your identity systems protect credentials properly, both at rest and in transit. Build out a list of likely intrusion points and establish checkpoints and monitoring for each of them.

2. When Did You Last Test Your Incident Response Plan?

Your incident response plan is just like your data backup plan: Even if it's perfect on paper, it's unproven until it's been tested. If your company has held its own red team versus blue team exercises to simulate an attack, you may have an idea of how such a scenario might play out. A simulated attack can uncover areas of potential intrusion and lead you to develop procedures to deal with them.

But until you’ve fully tested your incident response plan, it’s only a plan. Use simulation exercises to measure the effectiveness of your response plan in real time, then revise the plan and get ready for the real thing.

3. How Would You Detect an Attack?

The most effective breaches go unnoticed for months or even years. Detection after the fact leaves no time to restrict or mitigate the effects of a breach, so it's important to identify attacks as they happen. This task is complicated, however, because sophisticated thefts are often executed slowly over long periods of time and are only discovered when the target company is notified by an outside source such as law enforcement.

4. How Fast Can You Detect an Intrusion?

Network traffic analysis is one of the most reliable ways to identify intrusions, but if that analysis is delayed by days or even hours, it may be useless for stopping an attack in progress. Network forensics tools should receive traffic out of band, for example from a tap or a mirror port, so that monitoring neither slows production traffic nor competes with it for resources. Build your analysis to operate in real time, and tune it to suppress false positives so that only genuinely suspicious activity is announced to responders.

5. Can You Identify Attack Origins?

History can be a great predictor of the future. This is particularly true when it comes to predicting cyberattacks, but it's only possible to analyze history if you've been collecting and retaining your network traffic data, whether as flow records or full packet captures.

Just as analyzing network traffic in real time is critical to detecting an intrusion, looking at data patterns over time can help you detect changes in what is crossing your network and how. The historical view is important for those long-dwell intrusions in which an implant sits quietly on the network and activates weeks or months after it was planted. Historical analysis of network data patterns can alert you to the possibility of future attacks and give you an opportunity to eliminate the problem before it executes.
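Questions 4 and 5 above describe two halves of one mechanism: a historical baseline of what each host normally sends, and real-time scoring of live traffic against that baseline with enough filtering that responders only hear about real anomalies. The following is an added example, not code from the original article or from any IBM product. It builds a per-host baseline of daily outbound bytes from historical flow records, then scores a day's flows one record at a time. Hosts, destinations, byte counts, the z-score threshold and the standard-deviation floor are all constructed assumptions.

```python
"""Baseline-and-deviation detection over constructed flow records.

Added example, not code from the original article. It builds a per-host
baseline of daily outbound volume from past flow records, then scores a live
stream one record at a time so an alert fires as soon as a host exceeds its
baseline. Hosts, destinations, byte counts and thresholds are constructed
assumptions, not measurements from any real network.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed history: (day, source host, destination, bytes sent out).
HISTORY = [
    (1, "ws-01", "cdn.example", 500_000), (1, "ws-01", "mail.example", 200_000),
    (2, "ws-01", "cdn.example", 450_000), (2, "ws-01", "mail.example", 200_000),
    (3, "ws-01", "cdn.example", 520_000), (3, "ws-01", "mail.example", 200_000),
    (4, "ws-01", "cdn.example", 480_000), (4, "ws-01", "mail.example", 200_000),
    (5, "ws-01", "cdn.example", 550_000), (5, "ws-01", "mail.example", 200_000),
]
HISTORY += [(d, "db-02", "backup.example", 2_000_000) for d in range(1, 6)]
HISTORY += [(d, "ws-03", "cdn.example", 100_000) for d in range(1, 6)]

# Constructed "today" stream in arrival order. 203.0.113.7 and 198.51.100.9 are
# documentation addresses standing in for unknown external hosts.
TODAY = [
    ("ws-01", "cdn.example", 500_000),
    ("ws-01", "mail.example", 200_000),
    ("ws-01", "203.0.113.7", 400_000),     # volume spike to a never-seen destination
    ("ws-01", "203.0.113.7", 100_000),     # same host: alert already raised, suppressed
    ("db-02", "backup.example", 2_000_000),
    ("db-02", "backup.example", 900_000),  # spike to a known destination
    ("ws-03", "198.51.100.9", 5_000),      # new destination, normal volume: note only
]


@dataclass
class Baseline:
    mean: float
    stdev: float
    known_dests: set


@dataclass
class Alert:
    host: str
    total_bytes: int
    z_score: float
    new_dests: list


def build_baseline(history, min_stdev_ratio=0.02):
    """Per-host mean and standard deviation of daily outbound bytes, plus the
    destinations seen. min_stdev_ratio is an assumed floor: a host with a
    perfectly flat history has stdev 0, and without a floor a single extra
    byte would produce an infinite z-score."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    dests = defaultdict(set)
    for day, host, dst, nbytes in history:
        daily[host][day] += nbytes
        dests[host].add(dst)
    baselines = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        mu = mean(totals)
        sigma = max(pstdev(totals), min_stdev_ratio * mu)
        baselines[host] = Baseline(mu, sigma, dests[host])
    return baselines


class FlowMonitor:
    """Scores flows as they arrive. A strong signal (volume beyond z_threshold
    standard deviations of the host's baseline) raises one alert per host;
    weak signals (first contact with a destination, a host with no baseline)
    are recorded for hunting but not announced, keeping the alert queue short."""

    def __init__(self, baselines, z_threshold=3.0):
        self.baselines = baselines
        self.z_threshold = z_threshold
        self.totals = defaultdict(int)      # running outbound bytes per host today
        self.new_dests = defaultdict(list)  # destinations absent from the baseline
        self.alerted = set()
        self.notes = []

    def observe(self, host, dst, nbytes):
        base = self.baselines.get(host)
        if base is None:
            self.notes.append(f"{host}: no baseline, {nbytes} bytes to {dst}")
            return None
        self.totals[host] += nbytes
        if dst not in base.known_dests and dst not in self.new_dests[host]:
            self.new_dests[host].append(dst)
            self.notes.append(f"{host}: first contact with {dst}")
        z = (self.totals[host] - base.mean) / base.stdev
        if z < self.z_threshold or host in self.alerted:
            return None
        self.alerted.add(host)  # suppress repeat alerts for the same host
        return Alert(host, self.totals[host], round(z, 2), list(self.new_dests[host]))


def run(history=HISTORY, today=TODAY):
    """Replay the constructed day through the monitor; returns (alerts, notes)."""
    monitor = FlowMonitor(build_baseline(history))
    alerts = [a for a in (monitor.observe(*flow) for flow in today) if a]
    return alerts, monitor.notes


if __name__ == "__main__":
    alerts, notes = run()
    for a in alerts:
        print(f"ALERT {a.host}: {a.total_bytes} bytes out, z={a.z_score}, new={a.new_dests}")
    for n in notes:
        print("note:", n)
```

Two design points carry the article's argument. The alert for ws-01 fires on the third record, as soon as the running total crosses the threshold, rather than in a nightly batch, which is the real-time requirement of question 4. The new-destination signal on its own never pages anyone (ws-03 produces only a note), and a host that has already alerted stays quiet for the rest of the day, which is the false-positive filtering the same section asks for; both the baseline and the notes come from retained history, which is the point of question 5.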

See Through the Eyes of a Cybercriminal

An effective incident response plan requires both solid planning and flawless execution. Take steps well ahead of time to see your environment through the eyes of a cybercriminal and implement the advanced processes your team needs to keep your enterprise safe. While it is certainly no crystal ball, a thorough incident response strategy can help your security team stay one step ahead of fraudsters trying to break into your network.
