October 12, 2017 By Scott Koegler 3 min read

Chief information security officers (CISOs) understand that their enterprises will be subject to a breach, or at least an attempted attack, at some point. While they can’t predict the future, they can learn a lot about would-be attackers’ motivations and methods just by developing a thorough incident response strategy. This plan is crucial because it informs your actions, helps you create a positive outcome, and minimizes data loss and operational disruption in the event of a breach.

Five Key Questions to Consider When Developing Your Incident Response Plan

An effective incident response strategy requires intimate knowledge of the IT environment, thorough and regular testing, strong detection tools and comprehensive historical analysis. Security leaders should take the time to answer the following questions when devising an incident response plan.

1. How Would You Attack Your Own Enterprise?

CISOs know the security of their own enterprises inside and out, so they are in a good position to plan an intrusion. Use this detailed understanding to identify weaknesses that cybercriminals could exploit. For example, know whether all your operating systems are patched with current security updates, whether your Internet of Things (IoT) devices have appropriate safeguards in place and whether your user identity systems are properly encrypted. Build out a list of likely intrusion areas and establish checkpoints and protocols to monitor them.

2. When Did You Last Test Your Incident Response Plan?

Your incident response plan is just like your data backup plan: Even if it’s perfect on paper, it’s unproven until it’s been tested. If your company held its own red on blue exercises to simulate an attack, you may have an idea of how such a scenario might play out. A simulated attack can uncover areas of potential intrusion and lead you to develop procedures to deal with them.

But until you’ve fully tested your incident response plan, it’s only a plan. Use simulation exercises to measure the effectiveness of your response plan in real time, then revise the plan and get ready for the real thing.

3. How Would You Detect an Attack?

The most effective breaches go unnoticed for months or even years. After-the-fact detection doesn’t allow time to restrict or mitigate the effects of a breach, so it’s important to identify attacks as they happen. This task is complicated, however, because sophisticated thefts are often executed over long periods of time and only discovered when the target company is notified by an outside source such as law enforcement.

4. How Fast Can You Detect an Intrusion?

Network traffic analysis is the key to identifying intrusions, but if that analysis is delayed by days or even hours, it may be useless when it comes to stopping an attack in process. Network forensics solutions need to be optimized and separated from the networks they are monitoring so that both the network and the data being analyzed can operate at peak efficiency. Build your network analysis to operate in real time and filter false notifications so that only real suspected intrusions are announced.

5. Can You Identify Attack Origins?

History can be a great predictor of the future. This is particularly true when it comes to predicting cyberattacks, but it’s only possible to analyze history if you’ve been collecting and storing your network traffic data.

Just as analyzing network traffic in real time is critical to detecting an intrusion, looking at data patterns over time can help you detect changes in what and how data is coming across your network. The historical view is important for those long-term, delayed execution intrusions that can exist across the network and launch weeks or months after they’ve been planted. Historical analysis of network data patterns can alert you to the possibility of future attacks and give you and opportunity to eliminate the problem before it executes.

See Through the Eyes of a Cybercriminal

An effective incident response plan requires both solid planning and flawless execution. Take steps well ahead of time to see your environment through the eyes of a cybercriminal and implement the advanced processes your team needs to keep your enterprise safe. While it is certainly no crystal ball, a thorough incident response strategy can help your security team stay one step ahead of fraudsters trying to break into your network.

More from Incident Response

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today