Cybersecurity experts have a saying, which I’ll paraphrase: There are two types of organizations — those that have been hacked and those that will be hacked.
Once you’re facing a cybersecurity incident, it’s too late to start considering what you require for a successful response.
Unless you do that planning beforehand, you may suffer cyberattacks that you don’t even notice, and when you do notice, your business will see far greater damage than if you had an incident response plan ready to be implemented immediately.
Creating incident response playbooks
Of course, when you suffer a cybersecurity incident, it’s critically important to have an incident response plan that describes the overarching processes to be applied across your entire organization.
But an incident response plan is only the beginning. In order to minimize negative impacts and restore data, systems, and operations, you also need a collection of incident response playbooks that lay out highly detailed, pre-planned procedures to be followed when particular types of cybersecurity incidents occur.
Because your enterprise is unique, these incident response playbooks will necessarily be tailored to your operations and business goals and should be regularly updated as your enterprise infrastructure, systems, and data evolve.
Each type of cyberthreat your business faces should be addressed with its own playbook, and your collection should include playbooks that address threats specific to your business as well as these usual cyber culprits:
- Unauthorized access
- Data breaches
- DoS attacks
- Insider abuse of privileges/credentials/applications/systems
The seven elements of an incident response playbook
Since a cyberattack puts you in a reactive position, you very quickly need to know what resources are available, who has decision-making authority, and what the ramifications of those decisions are.
An incident response playbook has all of this documented ahead of time, typically in a seven-part structure:
- Preparation — including only the information relevant to the particular threat addressed by the playbook;
- Detection/identification — describing the mechanisms to detect, identify, and report the threat, usually via monitoring/alert systems such as SIEM, IDS, etc.;
- Analysis — determining the actual and potential effects of the incident on the business;
- Containment — preventing/limiting damage, impacts, and escalation as fast and effectively as possible;
- Eradication/remediation — eliminating the cause of the damage/impacts, including addressing any underlying issues that enabled the attack;
- Recovery — restoring normal operations, including adjusting monitoring/alerts and logging to detect and prevent the incident from happening again; and
- After care — documenting the incident thoroughly and incorporating this knowledge into a continuous improvement process.
The good news: Developing the playbooks your business needs doesn’t have to be daunting if you get help from a trustworthy, experienced cybersecurity expert whom you can also contact for immediate help if your enterprise comes under cyberattack.
Until next time,