The adage among information security professionals is that everyone will get breached eventually, unless you already have been. As with all business risks, it is best to plan for the inevitable. When you have an information security incident, time is of the essence, so you should prepare your plan in advanced. Incident Response Plans are common in large enterprises, but small to mid-sized organizations — especially those without dedicated personnel — need something simpler. In this post we’ll outline a few resources with advice about Incident Response Plans, and then provide a simple template for you to create your own.
First off, NIST has their Small Business Cybersecurity Corner with a couple resources, such as the FTC’s guide to breach response and a presentation on recovering from an incident. McAfee has their own blog post with advice on how to respond to an incident. If you do a web search for “Incident Response Plan Template”, you’ll find countless examples, but as noted above, most are long and geared to large organizations. For a SMB, simpler is better. Let’s take a crack at a simple template:
Incident Response Plan Template
In order for everyone in the organization to speak the same language, we need to define core terminology:
Incident: Any violation of an organization’s security policy potentially affecting the confidentiality, integrity, or availability of its information.
This section should describe:
- How incidents are identified, (could be reported by a customer or third party, or someone internally identifying that something is “just not right”)
- Who they are reported to once they are identified,
- How they are reported to that person or team, and
- How that person will confirm that an incident occurred?
Keep in mind that during some types of incidents, common methods of communication such as email or instant messenger may not be reliable.
As soon as an incident has been identified (confirmed), the next step is to “stop the bleeding”: contain it. This section should outline any technical steps that are taken to contain the incident. The specifics will vary depending on the type of incident, but measures to consider include:
- Shutting down systems / virtual machines (note that doing so will destroy data of forensic interest, so consider when this must be done versus other forms of containment — for something like ransomware pulling the plug within 60 seconds of it starting can save most of your data)
- Network blocks (or simply unplugging the network cable)
- Disabling accounts
- Freezing assets
- Shutting down applications / services
- Removing any data leaked on your website or other websites
Typically a company will want to minimize what gets shutdown, but one should err on the side of caution because while a botnet infection on your desktop isn’t something you would want to shut down your e-commerce website for, if that infection is actually a skilled attacker who has made their way to your e-commerce system, they could cause severe damage. In containment, speed is of the essence: a skilled attacker can go from a compromised account to wire transferring out millions of dollars in 15 minutes.
Concurrently with Containment, the incident responders need to have a communications plan: who needs to be notified of what and when. This includes:
- Internal notifications (heads up to management and affected business units, staff to help implement containment actions)
- Service providers (such as IT services and cloud providers, to help implement containment actions)
- Financial institutions (to help implement containment actions)
- Attorney on retainer
- Public Relations firm on retainer
- Incident Response firm on retainer
- Cyber Insurance Policy Issuer
- Vendors (particularly if they might be involved in the incident either as a source or destination of the attack)
- Customers (who will likely notice any downtime) and other individuals
- Government organizations (such as FTC or HHS)
- Law Enforcement
- Media (for public notifications)
Some of these you will need to contact early, before you even begin an investigation. Others will be later in the process. Don’t make misleading statements, but also don’t speculate, and pull in your Attorney and PR firm to help manage the communications process for most of the other entities on the list. Early in the process it is fair to explain any IT outage as, “We are experiencing technical difficulties and are currently investigating.”
Note that you may not have access to normal communications methods like email, instant messages, and contact lists due to the incident, so make sure you have all contact info including phone numbers for the important people on the list like your management, service providers, financial institutions, attorney, PR firm, and IR firm.
Keep in mind that the notification time under some breach notification and privacy laws can be on the order of hours, so make sure you loop in your attorney as soon as possible.
You may also want to create templates or scripts, especially for the communications you have early in the process, so that you aren’t spending valuable time crafting emails or stumbling over your words on the phone. It can be as simple as, “This is <name> from <organization>. We suspect that our routing and account numbers have been compromised, so we would like to request that activity on our accounts be frozen until we contain the situation and can work with you on the best way to proceed.”
Once you have prevented the attacker from causing any further damage (and if you see any at any time, return to Containment), you need to figure out what actually happened. In a larger organization, this section would be filled with technical details around things like network and host forensics. Most small to mid-sized organizations do not have the staff with such skills, so we recommend keeping someone on retainer who can do it for you. Many organizations perform this through their attorney so that investigations are protected by attorney-client privilege. As you move into the investigations phase, consider if your Business Continuity Plan should be executed. It is during the investigation phase that an organization should determine if law enforcement is contacted and in what capacity.
The investigation should identify how the attackers got in and what damage they caused — in particular what data and systems had their confidentiality, integrity, or availability compromised? The remediation step addresses how to block that root cause and fix the damage. Blocking the root cause will typically be specific to the incident that occurred, such as applying a missing patch, telling a user not to click on suspicious links, or changing a weak password, and can be kept general in a plan like this. Fixing the damage may have common fixes such as wiping a system and restoring from the last known good backup or re-deploying an application. As with containment, any contact info you need for outsourced providers should be included in the plan. When remediation is complete, the business should be operating normally again. Your attorney should be able to advise you on what remediations you need to make with your customers, such as offering free credit monitoring if their private identifying information was compromised.
Finally, be sure to take some time to reflect on the lessons learned:
- What would have prevented this incident in the first place? Are there technical, administrative, or operational controls we can put in place that will prevent from occurring again?
- What can we do better in our Incident Response Plan to improve our response next time.
That’s it: seven sections — one of them is already written for you. Remember that shorter is better: if it’s long people won’t read it, and you don’t want your data burning as someone is reading this plan for the first time. Similarly, don’t just write it and put it on a shelf: test it out annually. Conduct a “tabletop exercise”: bring in donuts and coffee or such, present a scenario like, “Kendra just discovered some sent emails in her sent email folder that she didn’t send. What do you do?” and let the team talk through what each person would do at each step. Of course, if you need help with any of this, please contact us and we’ll be happy to have a chat about your needs!