Incident Response Plan

Emre TINAZTEPE
Monday, 11 May 2020 / Published in Incident Response

An Incident Response Plan is a set of actions aimed at detecting and eliminating a cybersecurity breach and recovering from it. Like all other cyber operations, it requires a systematic approach to be efficient and successful. For this reason, every organization should have an Incident Response Plan: it is the most important element of incident response, because it lets the organization approach cybersecurity incidents systematically and overcome them before they damage its reputation, finances, and data.

Every minute of downtime caused by a successful cyberattack can cost a business $427.

The question is not whether a cybersecurity incident will occur, but when. No organization is exempt from cyber threats as long as it depends on IT, so every organization, regardless of its size, needs a plan for responding to a cyber incident in order to protect itself. If the necessary measures are not taken, cybersecurity breaches can damage an organization in several ways. First of all, they cause great financial damage. By one estimate, every minute of downtime caused by a successful cyberattack can cost a business $427. According to IBM Security’s “2019 Cost of a Data Breach Report”, the average total cost of a data breach is $3.92 million. And the total cost of cybercrime to the world keeps increasing dramatically: Cybersecurity Ventures estimates that it will reach $6 trillion annually by 2021, up from $3 trillion in 2015.

Cybersecurity breaches do not cause only financial damage. According to a Ponemon Institute study, 61 percent of marketing executives believe the biggest cost of a cybersecurity incident is the loss of brand value, and stock prices drop an average of 5 percent immediately after a data breach is disclosed, which also means lost customers. Besides these financial and reputational losses, organizations may also face legal issues and penalties for failing to comply with regulations.

Breaches may also have long-tail costs. Although the majority of breach costs show up in the first year after a cyber incident, almost one-third of the costs appear after the first year. So cybersecurity incidents that are not handled properly can cause huge damage that takes a very long time to recover from.

An Incident Response Plan is one of the most effective factors helping organizations mitigate the costs of a cybersecurity breach. Companies that self-reported their security posture as superior and responded quickly to the breach recovered their lost stock value after an average of 7 days. In its Incident Handler’s Handbook, the SANS Institute proposes a six-phase framework that is widely accepted as the standard for an Incident Response Plan.

Preparation

This is the most crucial phase: it is about preparing the team to be ready to handle any incident. The preparation phase includes:

  • Preparing a policy: a written set of principles, rules, or practices.
  • Preparing a response plan/strategy for handling incidents.
  • Preparing a communication plan that shows whom to contact and when (including law enforcement).
  • Preparing documentation (such as checklists) that can answer the Who, What, When, Where, Why, and How questions should they ever arise, so that every necessary action is taken.
  • Creating a Computer Incident Response Team (CIRT), made up of several people from different disciplines (such as attorneys and PR consultants) to handle any kind of problem related to an incident.
  • Adjusting access control to make sure the CIRT has the permissions it needs to step in the moment an incident occurs.
  • Providing tools: preparing a “jump bag” containing all the hardware and software that may be needed during an incident.
  • Training the team to handle incidents properly and conducting drills to ensure that each individual within the CIRT is able to perform their duties during an incident.

Identification

This phase deals with determining whether an extraordinary activity is a cybersecurity incident, by gathering data from various sources. If a particular event is determined to be an incident, it should be reported as soon as possible, giving the CIRT enough time to collect evidence and prepare for the steps that follow.

Containment

The purpose of this stage is to limit and mitigate the damage and to prevent the destruction of any evidence that may be needed for judicial processes. There are three steps in this phase:

  • Short-term Containment: The average time between detection and containment is 69 days, and such a long gap can turn an incident into a disaster for the organization. In this step, the network segment of the infected workstations is isolated to limit the incident before it gets worse.
  • System Back-Up: In this step a forensic image of the affected system(s) is taken with digital forensics tools such as IREC Tactical or Binalyze AIR. Evidence collected from the infected system(s) can be used in legal processes and is useful for the lessons learned phase.
  • Long-term Containment: In this step the affected systems can be temporarily fixed so that they can be returned to production without the accounts and backdoors that allowed the intrusion.

Eradication

This phase deals with removing malware from all affected systems, identifying the root cause to prevent similar attacks, and updating the defenses by taking the necessary precautions and installing patches to fix the vulnerabilities.

Recovery

This phase deals with carefully bringing all infected systems back into production and ensuring that this will not lead to another incident. It is important to test, monitor, and validate the systems to verify that they are not being reinfected by some other means.

Lessons Learned

The purpose of this critical phase is to complete any documentation that could not be done during the incident and that may be beneficial in future incidents. The SANS lessons learned process includes:

  • Completing documentation: It may not be possible to document all aspects of an incident while it is going on, and comprehensive documentation is very important for identifying lessons for the future.
  • Publishing an incident report: The documentation should be written as a report able to answer the Who, What, Where, Why, and How questions that may come up during the lessons learned meeting.
  • Identifying ways to improve CIRT performance: Extract from the incident report the items that were not handled correctly and can be improved next time.
  • Establishing a benchmark for comparison: Derive metrics from the report that can be useful in future incidents.
  • Holding a lessons learned meeting: Within two weeks, meet with the CIRT and other stakeholders to discuss the incident and the lessons learned that can be implemented immediately.
Tagged under: dfir, digital forensics, Incident Response, incident response plan