6 Phases in the Incident Response Plan

What is an incident response plan for cyber security?

Learn how to manage a data breach with the 6 phases in the incident response plan. 

An incident response plan is a documented, written plan with 6 distinct phases that helps IT professionals and staff recognize and deal with a cybersecurity incident like a data breach or cyber attack. Properly creating and managing an incident response plan involves regular updates and training. 

Is an incident response plan a PCI DSS requirement?

Yes, Requirement 12 of the PCI DSS specifies the steps businesses must take relating to their incident response plan.

The requirements set forth by the PCI SSC are both operational and technical, and the core focus of these rules is always to protect cardholder data.

The 12 requirements of PCI DSS are:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

How to create an incident response plan 

An incident response plan should be set up to address a suspected data breach in a series of phases. Within each phase, there are specific areas of need that should be considered.

The incident response phases are:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Let’s look at each phase in more depth and point out the items that you need to address.

1. Preparation

This phase will be the work horse of your incident response planning, and in the end, the most crucial phase to protect your business.

Your response plan should be well documented, thoroughly explaining everyone’s roles and responsibilities. Then the plan must be tested in order to assure that your employees will perform as they were trained. The more prepared your employees are, the less likely they’ll make critical mistakes.

 Questions to address 

• Has everyone been trained on security policies?
• Have your security policies and incident response plan been approved by appropriate management?
• Does the Incident Response Team know their roles and the required notifications to make?
• Have all Incident Response Team members participated in mock drills?

2. Identification

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many different areas.

 Questions to address 

• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?

3. Containment

When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to determine where the breach started and devise a plan to prevent it from happening again.

Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost forever.

This is also a good time to update and patch your systems, review your remote access protocols (requiring mandatory multi-factor authentication), change all user and administrative access credentials and harden all passwords.

Questions to address 

• What’s been done to contain the breach short term?
• What’s been done to contain the breach long term?
• Has any discovered malware been quarantined from the rest of the environment?
• What sort of backups are in place?
• Does your remote access require true multi-factor authentication?
• Have all access credentials been reviewed for legitimacy, hardened and changed?
• Have you applied all recent security patches and updates?

4. Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely removed, systems should again be hardened and patched, and updates should be applied.

If any trace of malware or security issues remain in your systems, you may still be losing valuable data, and your liability could increase.

 Questions to address 

• Have artifacts/malware from the attacker been securely removed?
• Has the system be hardened, patched, and updates applied?
• Can the system be re-imaged?

5. Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s important to get your systems and business operations up and running again without the fear of another breach.

 Questions to address 

• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored and what will you look for when monitoring?
• What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc)

6. Lessons Learned

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve learned from the data breach.  This is where you will analyze and document everything about the breach.  Determine what worked well in your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems against the future attacks.

 Questions to address 

• What changes need to be made to the security?
• How should employee be trained differently?
• What weakness did the breach exploit?
• How will you ensure a similar breach doesn’t happen again?

No one wants to go through a data breach, but Goliath can help to plan and prepare for one, what to do when it happens, and help you learn all that you can afterwards.

See what it’s like to have a partner in the fight.

Experience the difference between a sense of security and actual security.

Goliath Cyber stands ready!!!