October 12, 2017 By Scott Koegler 3 min read

Chief information security officers (CISOs) understand that their enterprises will be subject to a breach, or at least an attempted attack, at some point. While they can’t predict the future, they can learn a lot about would-be attackers’ motivations and methods just by developing a thorough incident response strategy. This plan is crucial because it informs your actions, helps you create a positive outcome, and minimizes data loss and operational disruption in the event of a breach.

Five Key Questions to Consider When Developing Your Incident Response Plan

An effective incident response strategy requires intimate knowledge of the IT environment, thorough and regular testing, strong detection tools and comprehensive historical analysis. Security leaders should take the time to answer the following questions when devising an incident response plan.

1. How Would You Attack Your Own Enterprise?

CISOs know the security of their own enterprises inside and out, so they are in a good position to plan an intrusion. Use this detailed understanding to identify weaknesses that cybercriminals could exploit. For example, know whether all your operating systems are patched with current security updates, whether your Internet of Things (IoT) devices have appropriate safeguards in place and whether your user identity systems are properly encrypted. Build out a list of likely intrusion areas and establish checkpoints and protocols to monitor them.

2. When Did You Last Test Your Incident Response Plan?

Your incident response plan is just like your data backup plan: Even if it’s perfect on paper, it’s unproven until it’s been tested. If your company has held its own red-team-versus-blue-team exercises to simulate an attack, you may have an idea of how such a scenario might play out. A simulated attack can uncover areas of potential intrusion and lead you to develop procedures to deal with them.

But until you’ve fully tested your incident response plan, it’s only a plan. Use simulation exercises to measure the effectiveness of your response plan in real time, then revise the plan and get ready for the real thing.

3. How Would You Detect an Attack?

The most effective breaches go unnoticed for months or even years. After-the-fact detection doesn’t allow time to restrict or mitigate the effects of a breach, so it’s important to identify attacks as they happen. This task is complicated, however, because sophisticated thefts are often executed over long periods of time and only discovered when the target company is notified by an outside source such as law enforcement.

4. How Fast Can You Detect an Intrusion?

Network traffic analysis is the key to identifying intrusions, but if that analysis is delayed by days or even hours, it may be useless when it comes to stopping an attack in progress. Network forensics solutions need to be optimized and separated from the networks they are monitoring so that both the network and the analysis can operate at peak efficiency. Build your network analysis to operate in real time and filter out false positives so that only genuine suspected intrusions are announced.

5. Can You Identify Attack Origins?

History can be a great predictor of the future. This is particularly true when it comes to predicting cyberattacks, but it’s only possible to analyze history if you’ve been collecting and storing your network traffic data.

Just as analyzing network traffic in real time is critical to detecting an intrusion, looking at data patterns over time can help you detect changes in what data crosses your network and how. The historical view is important for those long-term, delayed-execution intrusions that can exist across the network and launch weeks or months after they’ve been planted. Historical analysis of network data patterns can alert you to the possibility of future attacks and give you an opportunity to eliminate the problem before it executes.
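Questions 4 and 5 above come down to one mechanism: compare what a host is doing now against what it has done historically, and announce only deviations large enough to matter. The script below is an added illustration and not code from the article or from any IBM product; it assumes that daily per-host outbound byte counts have already been extracted from flow records (the flow summaries here are constructed, and the hostnames, thresholds and field names are assumptions) and shows how a baseline of past days, a minimum history length, a z-score threshold and an absolute byte floor combine to suppress false notifications while still catching a sudden data-exfiltration-sized spike.

```python
"""Flag hosts whose daily outbound volume deviates from their own history.

Illustration of historical baselining with noise suppression. All flow
summaries are constructed for the example; nothing here is real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (day label, source host, bytes sent out of the network).
FLOWS = [
    ("d1", "ws-01", 5_000), ("d2", "ws-01", 5_200), ("d3", "ws-01", 4_800),
    ("d4", "ws-01", 5_100), ("d5", "ws-01", 4_900),
    ("d1", "db-01", 200_000), ("d2", "db-01", 210_000), ("d3", "db-01", 195_000),
    ("d4", "db-01", 205_000), ("d5", "db-01", 2_400_000),  # constructed spike on d5
    ("d1", "ws-02", 3_000), ("d5", "ws-02", 9_000),        # too little history to judge
]


def daily_totals(flows):
    """Aggregate flow summaries into {host: {day: total_bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def find_anomalies(flows, today, min_history=3, z_threshold=3.0, min_bytes=100_000):
    """Return (host, observed_bytes, baseline_mean, z_score) for hosts whose
    egress on `today` is far above their own historical daily volume.

    Noise filters, each an assumed policy value rather than a standard:
      - min_history: refuse to alert on hosts with too few past days of data,
      - min_bytes:   ignore deviations that move fewer bytes than this floor,
      - z_threshold: require the deviation to be this many standard deviations
                     above the host's historical mean.
    """
    totals = daily_totals(flows)
    alerts = []
    for host, per_day in totals.items():
        if today not in per_day:
            continue
        history = [v for d, v in per_day.items() if d != today]
        if len(history) < min_history:
            continue  # not enough baseline to say anything defensible
        mu = mean(history)
        observed = per_day[today]
        if observed - mu < min_bytes:
            continue  # small in absolute terms: not worth announcing
        sigma = pstdev(history)
        if sigma == 0:
            # Perfectly flat history: fall back to a simple doubling rule.
            z = float("inf") if observed >= 2 * mu else 0.0
        else:
            z = (observed - mu) / sigma
        if z >= z_threshold:
            alerts.append((host, observed, round(mu), round(z, 1)))
    return alerts


if __name__ == "__main__":
    for host, observed, baseline, z in find_anomalies(FLOWS, "d5"):
        print(f"{host}: {observed:,} bytes today vs. baseline {baseline:,} (z={z})")
```

On the constructed data only db-01 is reported: ws-01 sits at its usual volume, and ws-02 has a single day of history, so its threefold jump is deliberately withheld rather than announced on thin evidence. In production the same structure applies, with the per-host totals fed from the network forensics platform and the thresholds tuned against the organization's own traffic.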

See Through the Eyes of a Cybercriminal

An effective incident response plan requires both solid planning and flawless execution. Take steps well ahead of time to see your environment through the eyes of a cybercriminal and implement the advanced processes your team needs to keep your enterprise safe. While it is certainly no crystal ball, a thorough incident response strategy can help your security team stay one step ahead of fraudsters trying to break into your network.
