Incident Response Planning
Incident response planning is more than just developing a list of steps to take in response to general cyber threats. It is an ongoing, robust management process that seeks to reduce reputational harm and business downtime in the event of a cyberattack.
What Does Incident Response Mean?
Incident response (IR) refers to the collective crisis management steps that are triggered in response to a cybersecurity incident. The full incident response life cycle includes steps to take before a cyberattack occurs. Incident response goes beyond the technical programs used to detect and respond to malicious code. Incident response might also be referred to as cyber incident response, cybersecurity incident response or simply IR.
Incident Response vs. Cybersecurity
Incident response is a subset of cybersecurity. It usually describes a company’s strategies around technical tasks, processes and workstreams such as detecting, preventing, stopping and remediating cybersecurity incidents involving devices, networks, systems and applications. But it also includes important strategic and managerial tasks such as planning, risk assessment, training and improvement.
Cybersecurity is a very broad term that covers many different areas, including network security, cloud security, intrusion detection and protection systems (IDS/IPS), encryption and application security. Incident response may be applied to any of these, depending on the type of cyberattack that has occurred.
What is Incident Response Planning?
Incident response planning refers to outlining an organization’s procedures, steps and responsibilities for its incident response program—almost like a playbook. It involves developing business processes that reduce recovery time and costs, minimize collateral damage like brand reputation and ensure the smooth functioning of normal business operations. Equally important, it also involves debating choices in critical decisions that commonly arise during incident responses to avoid making mission-critical decisions in a race against the clock when important information or stakeholders may be unavailable.
Proper cyber incident response planning can not only minimize damage to the reputation of the organization, but also to that of key stakeholders such as the CTO, CISO and CIO. After all, developing mission-critical business continuity plans on the fly often yields poor results.
What is Incident Response Management?
Incident response management refers to the overall systematic strategy used to tackle cybersecurity incidents. There are four main components to incident response management: technical, legal, business risk management and compliance.
How Do Incident Response Services Differ?
There are some fundamental differences among the various types of incident response services. Depending where you are in the IR process may dictate the type of incident response services you require. When you break down the incident response management landscape, there are:
- Pre-incident
- Technical tools and services used by IT professionals to help detect malicious activity on devices, networks, in systems or applications, monitor networks for anomalous Internet traffic, configure logs to record important information that may be necessary in an investigation, and many others.
- Services totally separate from technical tools that help prepare the rest of the company/organization for the myriad of business and legal issues that can arise during the fallout from a cybersecurity incident, like IR planning, assessments and audits, tabletop exercises, and planning and development.
- Post-incident
- On the other hand, post-incident technical services may include breach investigation, forensic services, discovery and remediation, and advanced threat hunting.
- Separate from technical services, post-incident often requires services such as legal counsel to direct an investigation and establish privilege where appropriate; legal advice on protocols to follow during the investigation to comply with specific regulations (e.g., HIPAA); notifications to regulators (e.g., GDPR, NYDFS 500) or individuals (e.g., under U.S. state laws); contractual obligations to inform certain customers, partners or other third-parties; or devising strategies for communicating with insurers, executives, media, board directors or other stakeholders.
But what do they all have in common?
They require an incident response plan that drives cyber security initiatives and how to respond in the event of a cyber threat.
How Do You Determine the Right IR Services For Your Organization?
Start by identifying where you are and where you want to go with your IR planning goals.
Ideally, organizations have a streamlined incident response process in place, managed internally or by a single third party. However, this is rarely the case, and incident response strategies are often patched together with a mixture of internal and external resources.
While the IT department typically uses incident response tools and services like threat detection, malware analysis and forensic investigations, there are many other incident response services critical to developing an organization’s overall incident response management capability. Some products or services may be utilized by teams outside the IT or IS department. Indeed, it’s common to see non-IT groups scramble to triage damage to various parts of the organization after a significant cyber incident.
Incident response management services that include technical and non-technical expertise is the key.
Incident response operations and business processes need to be adapted to include key organizational stakeholders, from IT to HR, and should be based on an understanding of compliance, privacy and cyber law to provide a balanced response to cyber incidents.
Why is Incident Response Planning Important?
The risk of cyber threats is more pronounced than ever before. Ransomware-related data leakage is up 82% according to the recent 2022 Global Threat Report: Insights from the Threat Landscape. For middle-market companies alone, the risk of a cybersecurity incident is 490% higher than it was two years ago.
Incident response planning aligns all parts of the organization on how to respond to attacks, avoid common pitfalls and meet critical obligations. It enables an organization to quickly identify and prioritize important courses of action and ensures that no important areas are forgotten. Incident response planning is also an opportunity to identify organizational goals and agree on who makes decisions, obtain and allocate outside resources and decide who might be part of an IR team.
Some aspects of incident response planning are required from a legal standpoint. For example, GDPR and similar laws mandate the protection of consumer data, which includes having a documented incident response plan. Incident response planning has also become an expectation from management and executives, consumers, regulators and acquiring companies. In some cases, it’s a requirement of customers or partner organizations.
Senior leadership teams don't want to be victims of the next breach, but they also have an organization to run with limited resources. According to a 2017 study by the SANS Institute, "Senior leadership wants to know that they have a trustworthy team that is effectively defending their information systems." They want to reduce costs and diverted work hours, and realize that proper incident response planning can save months of time and millions of dollars.
What’s Wrong with a Generic, Off-the-Shelf IR Plan?
Would you use a fire escape route map made for “all buildings with floors, exits, elevators, stairs and doors”? Probably not.
Using a generic IR Plan is about as helpful as a generic fire escape route map instead of one drawn according to your building floor plans. In a fire, sure, you know you should find the nearest exit and avoid dead-ends and elevators, but you’d be on your own to find a safe route to the exit.
Why Should a Lawyer Prepare Your IR Plan?
While there are technical and forensic components to incident response, the legal implications of a breach are extremely important as well. For example, determining impact, breach notification, regulatory reporting, risk assessment and steps required for privacy law compliance are some areas where a legal team will play an important role.
Oftentimes, the legal team is not involved in incident response preparation or they are involved too late. Having a lawyer prepare your incident response plan is a strategic advantage; they help craft the incident response plan with a detailed understanding of the legal side of cybersecurity and cyber law. This results in a more coordinated, organized and effective incident response plan.
During the aftermath of an incident, when forensic teams are investigating, sometimes there are several different avenues the investigation could follow. Here the expertise of a lawyer is invaluable. A lawyer can help advise the company about which is the most important avenue to address from a legal perspective. This prioritizes investigations needed for legal reasons, and wastes less time investigating irrelevant items.
A lawyer can also help identify your organization’s blind spots from a legal perspective and some of the communications supporting the lawyer’s legal analysis may be able to be shielded from discovery if they are subject to one or more types of legal privilege. An experienced cyber lawyer can help review an existing incident response plan to ensure it complies with all applicable rules and obligations. They can advise on the appropriate notification and reporting requirements in the event of a breach and the most suitable methods for communications.
Note that not every lawyer will be able to effectively advise on incident response matters, and it’s important to seek the expertise of a legal professional with technical experience. They should be able to effectively bridge the divide between different knowledge sectors and translate among legal professionals, technical staff and others. The best advice comes from a lawyer who knows the law, the variety of interpretations that exist and enough other organizations to help benchmark yours so you can create reasonable practices. In addition, it is valuable to have insight from a lawyer who knows how incident responses look in hindsight, case in point—knowing what regulators may ask or what they really care about during a regulatory investigation following an incident.
A key part of incident response planning is ensuring stakeholders across the whole organization are aware of the array of steps within their purview that might arise in the event of an incident. The stakeholders should be trained enough to be able to make game-time decisions about which tasks are warranted in a given incident response effort. An understanding of compliance, privacy and cyber law in addition to technical incident response provides the optimal balance for robust incident response planning.
Who is Responsible for Incident Response Besides the Information Security Team?
Although information security teams are the logical responders to cyber incidents, many other departments are involved too.
- Technical members of incident response teams include developers, forensic investigators, IT operations managers, site reliability engineers and other IT-focused personnel who deal with technical components of detection, incident discovery, investigation and remediation.
- Non-technical members of incident response teams include a customer service team, human resources, legal, marketing and public relations, to name a few. Service teams may be dealing with a flood of tickets, emails and phone calls, while marketing and PR teams are busy communicating with partners and customers.
Who are the Key Stakeholders in IR Planning?
No individual person holds responsibility for incident response planning. Instead, it falls to a group of stakeholders, including the information security, IT and legal departments, along with members of the executive team.
Here are some of the key players in incident response planning and their roles:
- Business Leaders
- Organization leaders in external-facing departments are not often directly involved in incident response, but they can be a valuable point of contact during the IR planning process and for the IR team.
- Leaders can be interviewed to discover high-level information about customers, clients and partners and can help determine which legal requirements apply. They can also inform the general types of information collected and handled and how each is stored, and identify which systems are most critical to the company’s operations.
- Leaders can provide an overview of past incidents and highlight their main cybersecurity concerns. Moreover, leaders will often be involved in the reporting of cyber incidents. The IR team must be aware of who to contact to identify who may have been impacted in a particular attack and relay urgent information to those affected.
- Human Resources
- The human resources department can be helpful in the IR planning process in several ways. They can identify which employee information is stored and who can access information. They can provide details such as which staff have the authority to approve creating and deleting accounts to HR systems.
- Additionally, human resource employees know where all data on employees and former employees is stored. They will have knowledge of any recent contentious departures or volatile employees and can often identify any employee issues related to a cyberattack.
- What’s more, the HR team is often responsible for conveying important IR-related messages to employees, for example, cybersecurity guidelines to follow or employee breach notifications. They are responsible for tracking employee training on privacy and cyber topics, pinpointing employees’ rights from policies and handbooks, and confirming whether employees’ consent to monitor or search devices was obtained.
- Physical Security
- Physical security staff can work closely with digital security teams to provide valuable information in the IR planning process. They can advise on whether any on-premise devices and systems could have been accessed or stolen, provide critical information about where biometric information may be stored, provide times of entry of employees and contractors and pull CCTV footage relevant to an investigation.
- Finance / Accounting
- As financial systems are prime targets for cyber attacks, it makes sense that financial teams should be involved in incident response planning. They can provide information about who has access to financial systems, such as the general ledger, expense reimbursement and bank accounts. Personnel involved in accounts payable and receivable can offer insight into vendor relationships that may help determine sources of compromise.
- Risk Management and Compliance
- If an organization has staff specifically involved in risk management and compliance, they should certainly be consulted on IR planning and kept up-to-date on matters involving incident response.
- Legal (Internal and/or External Counsel)
- The internal legal team is responsible for deciding when to bring in specialized outside cyber counsel to help manage aspects of the incident response planning process, directing the investigation in an actual response effort, if necessary, and collaborating closely with decision-makers and forensic investigators.
- Your existing legal team or outside counsel will require access to information that details contractual obligations to customers. For example, if you find you are unable to provide goods or services as a result of ransomware, what legal implications does your organization face? Planning the steps to follow and outlining all contractual obligations before a breach can improve responsiveness and efficiency when an incident does occur.
- Additionally, legal experts can provide sound advice when it comes to carefully crafting an organization's external response to any type of cyber threat. Drafting crisis communication statements and organizing protocols around external response is a critical step in IR planning. Moreover, when the IR Team needs to enlist help from outside vendors during an incident response, a lawyer can determine whether to engage the vendors under privilege and, if so, a legal team can help devise the appropriate steps to follow.
What is an IR Team Pool?
Ideally, an organization will have an IR team pool with representatives from relevant departments who are trained on the company’s IR procedures. Not all roles are needed on a team in response to every incident. The nature of a specific incident will determine which members of the pool should be tapped to join the IR team for that incident. While this sounds straightforward, the list of departments and roles is not always intuitive to compile.
The IR team pool should include stakeholders from the following departments:
- Information Security (IS)
- Legal
- Information Technology (IT)
- HR
- Finance
- Compliance/Risk Management
- Physical Security
- Communications/PR
- Investor Relations
- Business Units
For multinational companies, an organization might also include representatives from each of the above departments from multiple countries.
Additionally, external parties may be involved, including:
- Outside counsel
- Forensics firm
- Communications/PR
- External auditors
IR Planning is Not ‘One and Done’
Incident response planning is far from a set-it-and-forget-it process. Regular reviews are required to stay up to date with the changing threat landscape and shifts within the organization. Ideally, the incident response plan should be reviewed and tabletop exercises conducted at least annually, although some organizations now carry out quarterly tabletop exercises and update specific parts of the plan if needed.
If your organization is looking to create a robust incident response plan or have an incident response plan reviewed, updated or challenged with a tabletop exercise, ZeroDay Law can help. Learn more about our services and contact us with any questions.