Cybersecurity incidents are inevitable, no matter how much importance and budget you give to cybersecurity. To minimize losses, mitigate exploited vulnerabilities, and seamlessly restore services after an incident, organizations establish teams called Incident Response Teams to manage the incident response process. Incident response is a complex process where a single missed or incorrect step can derail the entire process, so it requires proper planning and resources.
The Preparation step in the NIST Incident Handling Guide includes various activities to ensure effective incident response, such as creating plans, policies, and procedures; establishing an incident response team; providing training; deploying security solutions; and preparing necessary hardware and software. Proper preparation is critical to successful incident handling.
During an incident, incident responders are in constant communication with various teams and individuals. It is critical to have a list of contact information for teams/individuals that may be needed during an incident, along with documentation of who will communicate with them and how. Since the internal communications network may be compromised during an incident, separate phones and lines should be provided for incident responders to use throughout the response process. Creating separate contact lists for internal and external parties can facilitate incident response processes.
Maintaining an up-to-date asset inventory list can directly facilitate incident response processes. The inventory should include critical servers (Web, FTP, Exchange, SWIFT, etc.) and their details. Outdated inventories can cause critical assets to be overlooked during incident response, leading to complications.
Incident response plans, policies and procedures should be documented and familiar to the incident response team. Separate documentation should be prepared for key activities such as incident handling, containment, and communication with internal and external teams. Report templates can streamline the post-incident reporting process.
Understanding network topologies can aid in the analysis and understanding of incident response activities. While network topologies may change less frequently than asset inventories, their accuracy should be verified on a regular basis.
Hardware and software tools that may be needed during incident response should be prepared in advance, such as digital forensics workstations, laptops, blank removable media, hard drives, and forensics and incident handling software.
The preparation step also includes measures to prevent incidents from occurring, such as deploying security solutions such as EDR, IPS/IDS, antivirus, WAF, firewalls, and DLP. Regular social engineering tests should be conducted to raise employee awareness of such attacks.
Proper preparation is critical to effective incident response. By following NIST's recommendations, organizations can establish a robust incident response capability, including creating policies and plans, developing procedures, establishing communication policies, selecting a team structure, establishing relationships with internal and external groups, determining services to be provided, and staffing and training the incident response team. Conducting tabletop exercises can help assess readiness and identify areas for improvement before facing a real incident.
