October 12, 2017 By Scott Koegler 3 min read

Chief information security officers (CISOs) understand that their enterprises will be subject to a breach, or at least an attempted attack, at some point. While they can’t predict the future, they can learn a lot about would-be attackers’ motivations and methods just by developing a thorough incident response strategy. This plan is crucial because it informs your actions, helps you create a positive outcome, and minimizes data loss and operational disruption in the event of a breach.

Five Key Questions to Consider When Developing Your Incident Response Plan

An effective incident response strategy requires intimate knowledge of the IT environment, thorough and regular testing, strong detection tools and comprehensive historical analysis. Security leaders should take the time to answer the following questions when devising an incident response plan.

1. How Would You Attack Your Own Enterprise?

CISOs know the security of their own enterprises inside and out, so they are in a good position to plan an intrusion. Use this detailed understanding to identify weaknesses that cybercriminals could exploit. For example, know whether all your operating systems are patched with current security updates, whether your Internet of Things (IoT) devices have appropriate safeguards in place and whether your user identity systems are properly encrypted. Build out a list of likely intrusion areas and establish checkpoints and protocols to monitor them.

2. When Did You Last Test Your Incident Response Plan?

Your incident response plan is just like your data backup plan: Even if it’s perfect on paper, it’s unproven until it’s been tested. If your company has held its own red-team-versus-blue-team exercises to simulate an attack, you may have an idea of how such a scenario might play out. A simulated attack can uncover areas of potential intrusion and lead you to develop procedures to deal with them.

But until you’ve fully tested your incident response plan, it’s only a plan. Use simulation exercises to measure the effectiveness of your response plan in real time, then revise the plan and get ready for the real thing.

3. How Would You Detect an Attack?

The most effective breaches go unnoticed for months or even years. After-the-fact detection doesn’t allow time to restrict or mitigate the effects of a breach, so it’s important to identify attacks as they happen. This task is complicated, however, because sophisticated thefts are often executed over long periods of time and only discovered when the target company is notified by an outside source such as law enforcement.

4. How Fast Can You Detect an Intrusion?

Network traffic analysis is the key to identifying intrusions, but if that analysis is delayed by days or even hours, it may be useless when it comes to stopping an attack in progress. Network forensics solutions need to be optimized and separated from the networks they are monitoring so that both the network and the data being analyzed can operate at peak efficiency. Build your network analysis to operate in real time and filter false notifications so that only genuinely suspected intrusions are announced.

5. Can You Identify Attack Origins?

History can be a great predictor of the future. This is particularly true when it comes to predicting cyberattacks, but it’s only possible to analyze history if you’ve been collecting and storing your network traffic data.

Just as analyzing network traffic in real time is critical to detecting an intrusion, looking at data patterns over time can help you detect changes in what data is crossing your network and how. The historical view is important for those long-term, delayed-execution intrusions that can sit on the network and launch weeks or months after they’ve been planted. Historical analysis of network data patterns can alert you to the possibility of future attacks and give you an opportunity to eliminate the problem before it executes.
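The per-host historical baseline described above, as an added illustration that is not part of the original article: each host's outbound volume is compared against its own prior days, and hosts without enough history are reported separately instead of alerted, which is one way to filter the false notifications section 4 warns about. The flow records, field names and thresholds are constructed for the example.

```python
"""Baseline check of daily outbound bytes per host (illustrative, not a
product's API). Sample records are constructed as (day, host, bytes)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: db01 is steady, ws17 is steady then spikes on day 7,
# new-host appears for the first time on day 7 with no history at all.
SAMPLE_FLOWS = (
    [(d, "db01", 2_000_000 + (d % 3) * 50_000) for d in range(1, 8)]
    + [(d, "ws17", 300_000 + (d % 2) * 20_000) for d in range(1, 7)]
    + [(7, "ws17", 9_500_000), (7, "new-host", 4_000_000)]
)


def daily_totals(flows):
    """Aggregate (day, host, bytes) records into {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def baseline_alerts(flows, today, min_history=5, z_threshold=3.0):
    """Return (alerts, unbaselined). An alert is (host, z-score) for hosts
    whose volume on `today` exceeds their own history by more than
    `z_threshold` standard deviations. Hosts with fewer than `min_history`
    prior days go to `unbaselined` for review instead of raising an alert."""
    alerts, unbaselined = [], []
    for host, per_day in daily_totals(flows).items():
        current = per_day.get(today)
        if current is None:
            continue
        history = [b for d, b in per_day.items() if d < today]
        if len(history) < min_history:
            unbaselined.append(host)
            continue
        mu, sigma = mean(history), pstdev(history)
        # A perfectly flat history has sigma == 0; avoid dividing by zero
        # and treat a move of more than 10% of the mean as anomalous.
        if sigma > 0:
            z = (current - mu) / sigma
        else:
            z = float("inf") if abs(current - mu) > 0.1 * mu else 0.0
        if z > z_threshold:
            alerts.append((host, round(z, 1)))
    return alerts, unbaselined


if __name__ == "__main__":
    print(baseline_alerts(SAMPLE_FLOWS, today=7))
```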

See Through the Eyes of a Cybercriminal

An effective incident response plan requires both solid planning and flawless execution. Take steps well ahead of time to see your environment through the eyes of a cybercriminal and implement the advanced processes your team needs to keep your enterprise safe. While it is certainly no crystal ball, a thorough incident response strategy can help your security team stay one step ahead of fraudsters trying to break into your network.
