{"id":170510,"date":"2022-09-08T06:00:00","date_gmt":"2022-09-08T13:00:00","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=170510"},"modified":"2022-11-03T12:14:25","modified_gmt":"2022-11-03T19:14:25","slug":"improve-your-existing-incident-response-plan","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2022\/09\/improve-your-existing-incident-response-plan\/","title":{"rendered":"7 Tips to Improve Your Existing Incident Response Plan"},"content":{"rendered":"<h2>IR Plan Best Practices for 2022<\/h2>\n<p>The last few years have thrown everything (and several kitchen sinks) at IT and security teams. Massive cloud adoption, increasingly advanced attacks, a shift to work from home, and other contributing factors mean that your <a href=\"https:\/\/www.paloaltonetworks.com\/cyberpedia\/incident-response-plan\">incident response (IR) plan<\/a> from just a few years ago won't cut it in 2022. No organization wants to be reactionary when a security incident occurs. A proactive approach with a solid IR plan helps you respond rapidly and effectively, with the ability to help your organization resume normal operations as quickly as possible.<\/p>\n<p>Many enterprises already have an IR plan, but no matter how thorough it is, the evolving cyber threat landscape \u2013 not to mention other shifting circumstances in your organization \u2013 necessitates periodic changes and improvements.<\/p>\n<p>For example, our latest <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/2022-incident-response-report\">2022 Unit 42 Incident Response Report<\/a> found that business email compromise and ransomware attacks are rampant, collectively making up 70% of cases handled by the Unit 42 team. While threat actors have flocked to these types of money-making schemes for years, the specifics evolve. Ransomware groups, for example, are more often engaging in additional layers of extortion to pressure organizations to pay. 
And, they\u2019re creating easily accessible versions of their malware to make it possible for threat actors with fewer technical skills to participate in their malicious activities. By revising existing IR plans, you make it possible for your organization to stay ahead as threat actors shift their tactics.<\/p>\n<p>Moreover, the top three access vectors for threat actors are phishing, software vulnerability exploitation and brute-force credential attacks, so it\u2019s vital that existing IR plans are revised to focus on the most prevalent types of attacks.<\/p>\n<p>Below, we share seven foundational best practices that will improve your IR plan while strengthening your overall security posture.<\/p>\n<h3><a id=\"post-170510-_ol1eumszxs5x\"><\/a>1. Establish Regular IR Plan Communication<\/h3>\n<p>When a cybersecurity incident happens, you\u2019re likely to be facing the worst day of your career \u2013 in a data breach or ransomware attack, scrambling to understand what\u2019s being harmed or stolen, stopping the threat actors and maintaining your organization\u2019s normal operations. However, not knowing where to start can exacerbate the damage. When it comes time to enact or initiate the plan, each individual involved must know precisely what to do.<\/p>\n<p>To ensure everyone is on the same page, it\u2019s crucial to use clear communication and promote awareness of the roles and responsibilities of each IR team member. During an incident, it\u2019s a case of all hands on deck, but for things to run smoothly, everyone must know what the other is doing and who is the critical point of contact for each workstream.<\/p>\n<p>It\u2019s also important to keep things positive. Security incident response can become frantic and mistakes will often be made. <em>Positively recognizing team accomplishments along the way will help keep everyone motivated.<\/em><\/p>\n<h3><a id=\"post-170510-_v7kmd1wdo11d\"><\/a>2. 
Don\u2019t Overlook the Value of an IR Playbook<\/h3>\n<p>Many organizations happily state that they have an incident response plan, but all too often, they don\u2019t know what to do with it.<\/p>\n<p>A threat-specific incident response playbook is vital to an effective IR plan. This doesn\u2019t have to be formally published, but it should at least consist of a document that is easily accessible and can provide guidance during the chaos of incident response.<\/p>\n<p>A common issue during cyberattacks and other incidents is that groups know what they are responsible for, but are unsure how to carry out those responsibilities. The playbook should provide guidance on what actions to take to remediate certain situations. It can be thought of as a set of IR Standard Operating Procedures (SOPs).<\/p>\n<p>For example, during the containment of a ransomware incident, the IR team will likely recognize that passwords need to be changed, but may be unsure of the scope of that task. The playbook would outline which passwords must be changed \u2013 administrative, individual, service account, global account and so on. It will also provide a checklist of any other required actions and who is responsible for them.<\/p>\n<h3><a id=\"post-170510-_5kijdg4e777r\"><\/a>3. Establish a Regular Cadence to Complete Security Hygiene Reviews<\/h3>\n<p>A solid IR plan encourages healthy habits. Regular security hygiene reviews will make the response more efficient and help mitigate the risk of incidents occurring in the first place.<\/p>\n<p>These reviews should include changing passwords, updating and\/or rotating keys, reviewing access levels and checking for old employee accounts or accounts created by a threat actor.<\/p>\n<h3><a id=\"post-170510-_6866jy8s5or9\"><\/a>4. Update Your IR Plan as Your Technology Changes<\/h3>\n<p>IR plan creation is not a set-it-and-forget-it task, and the plan should be assessed and audited regularly. 
This is especially important in today\u2019s landscape, where technology and corresponding information systems are quickly advancing and changing. Other changes can happen, too, like a shift in business operations or changes to personnel and roles.<\/p>\n<p>As these shifts happen, the IR plan must be adjusted to keep pace. For example, if you\u2019ve moved some of your data or workloads to the cloud, this opens up your organization to new threats, and you must adapt your IR plan to address cloud-specific threats.<\/p>\n<p>Note that you don\u2019t need to reinvent the wheel by devising an entirely new plan. Instead, make changes to the existing plan, using the latest best practices \u2013 such as those provided by the <a href=\"https:\/\/www.nist.gov\/privacy-framework\/nist-sp-800-61\" rel=\"nofollow,noopener\" >NIST<\/a> Cybersecurity Framework and <a href=\"https:\/\/www.csirt.org\/\" rel=\"nofollow,noopener\" >CSIRT<\/a> \u2013 as a guide.<\/p>\n<h3><a id=\"post-170510-_788luauzejil\"><\/a>5. Proactively Evaluate Your IR Plan<\/h3>\n<p>You don\u2019t want to find out about flaws in your plan when it\u2019s too late, so a <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\">proactive assessment<\/a> of your IR plan is imperative. What\u2019s more, those responsible for carrying out the plan will do so far more readily if they\u2019ve had ample practice.<\/p>\n<p>Proactive steps might include IR exercises, <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\/penetration-testing\">penetration testing<\/a>, <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\/tabletop-exercise\">tabletop exercises<\/a> and <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/assess\/purple-teaming\">purple teaming<\/a>. Each key stakeholder should have input into the plan evaluation.<\/p>\n<h3><a id=\"post-170510-_gxui3oyjtj0\"><\/a>6. Plan for a Zero-Day Budget<\/h3>\n<p>Even the best plan can fail if there\u2019s no budget to execute it. 
It\u2019s vital that a budget is set aside for costs in a zero-day incident. Your organization may have insurance to cover a cyberattack, but you need capital on the side to cover ancillary or unexpected costs.<\/p>\n<p>It\u2019s also important that key players are aware of how to use that budget. You don\u2019t want to make budget decisions in the middle of an incident or let the budget limit your ability to respond the right way.<\/p>\n<p>For example, in the event of an incident, you may need to purchase new computers or hardware to maintain operations or invest in software to help contain an attack. These conversations should occur during the IR planning stage, so there\u2019s no uncertainty or time lost in a high-pressure situation.<\/p>\n<h3><a id=\"post-170510-_6ooj5lnfuygy\"><\/a>7. Make Incident Response Training a Priority<\/h3>\n<p>With so many things happening in day-to-day business operations, it can be easy to let incident response training take a backseat. This leads to stale plans and lackluster responses when it matters most.<\/p>\n<p>All organizations, no matter the size, should make IR training a priority. Indeed, training should be incorporated into the IR plan and budgeted accordingly. This should include discussing various scenarios and practicing response actions, so everyone knows what they are responsible for. It should also involve knowledge sharing among IR team members to avoid a single point of failure, where only one person holds specific knowledge about key software, hardware or systems.<\/p>\n<p>Formal training should be ongoing as you incorporate new technologies (i.e. 
endpoint detection and response tools) into your environment.<\/p>\n<p style=\"text-align: center; padding-left: 40px;\"><strong>\u201cIt takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it.\u201d<br \/>\n\u2013 Stephane Nappo, Global Head of Information Security for Soci\u00e9t\u00e9 G\u00e9n\u00e9rale International Banking.<\/strong><\/p>\n<p>With so much on the line, it\u2019s vital that your incident response is prompt and effective. Following these best practices to improve your incident response plan is key to ensuring this.<\/p>\n<p>Having a strong IR plan, including preparation, education and testing, will mean that while the odds of a security incident are high, you and your team will be able to rise to the challenge and guide your business through the incident successfully.<\/p>\n<p>If these steps sound overwhelming, or if you think your <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/transform\/incident-response-plan-development-review\">IR plan could benefit from expert review<\/a>, Unit 42 can help. We work fast, triage tasks and learn on the fly. Our experienced team can help support IR planning, response and remediation to expedite efficiencies and streamline processes. Learn more about our <a href=\"https:\/\/www.paloaltonetworks.com\/unit42\/respond\/incident-response\">incident response services<\/a> and how to get started with a review of your existing IR plan.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Take a proactive approach to improve your existing incident response plan to better respond to and mitigate ever-evolving cyberthreats. 
<\/p>\n","protected":false},"author":723,"featured_media":170563,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[6724,483],"tags":[2233,6669,8854,183,586],"coauthors":[7608],"class_list":["post-170510","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-points-of-view","category-unit42","tag-csirt","tag-incident-response","tag-incident-response-report","tag-nist","tag-unit-42","sec_ops_category-must-read-articles"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2022\/09\/Top-Down-Collaboration.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/170510","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/723"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=170510"}],"version-history":[{"count":4,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/170510\/revisions"}],"predecessor-version":[{"id":170579,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/170510\/revisions\/170579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/170563"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=170510"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=170510"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=170510"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=170510"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}