How To Build An Incident Response Plan


TEST INCIDENT RESPONSE CAPABILITIES

Forward-thinking organizations not only dust off their incident response plans annually, they conduct a drill to ensure that the plan can be followed properly, said Solutionary's Kraus. One of the chief recommendations of the 2014 Verizon Data Breach Investigations Report is to log system, network and application activity, which provides a necessary foundation for incident response. Such logging is especially important in containing a sophisticated threat and in addressing denial-of-service attacks, where the goal is to minimize the impact on system availability, according to the report. A test should walk through a scenario to ensure jobs and duties are appropriately assigned and to surface any issues, such as a breakdown in communication.

INEFFECTIVE INCIDENT RESPONSE IS COSTLY

The NTT Group study highlighted an incident it was called in to handle after a system administrator at an organization released a worm onto the network. The company had not tested its incident response and had no tools or processes in place to minimize the impact of the worm. After four months of problems and troubleshooting, the incident cost the firm $109,000. The expenses included the fees paid for forensics investigators, legal support, public relations help and remediation of the issues that enabled the worm infection. The worm was a member of the Dorkbot family, malware that attempts to steal account credentials and spreads through instant messaging or USB flash drives. A simple problem caused the incident to grow out of control, according to the study: the organization had systems with no antivirus, or with antivirus that lacked the latest signatures needed to detect the known worm.

BAD DDOS INCIDENT RESPONSE, MITIGATION TIMELINE

Poor detection capabilities caused one organization to miss an ongoing distributed denial-of-service attack against its systems for 2.5 hours. The company was ultimately alerted to the problem by clients who could not access a client portal. The organization had focused its monitoring on PCI compliance activities and had no detection coverage for the parts of its network that were out of scope for PCI, according to the NTT Group study. Once the attack was detected, the investigation took a half-hour and the company took steps to filter out the flood of bad traffic. Mitigating the attack took a further 10.5 hours and ultimately required a costly call to the organization's upstream Internet service provider, which took hours to implement effective filtering. The total time to mitigate the incident was 13.5 hours at a cost of $5,000 an hour, bringing the total loss to $67,500, according to the study.
An incident response plan that is firing on all cylinders compresses the threat mitigation timeline, according to the NTT Group report. Organizations need to focus not only on reducing the response time, but also on reducing the detection and investigation times of security incidents. Solution providers need to help clients assess risks using a formal risk assessment, said Solutionary's Kraus. It will help businesses identify the areas that are at the greatest risk of attack and that could produce the largest financial losses, he said.