How To Build An Incident Response Plan

Businesses often sign service-level agreements with managed security services providers (MSSPs) to monitor system logs for threats and to maintain detection systems that trigger alerts, but they often lack an incident response plan, said Rob Kraus, director of the engineering research team at Solutionary, an NTT Group subsidiary. When an organization has to seek outside help to address an immediate threat, the result is expensive incident response costs, Kraus said.

A security incident begins with detection, but also needs capable hands to investigate the extent of the problem and an effective response to reduce the scope of an incident and get systems running normally. An NTT Group study found that 43 percent of its engagements were related to the detection of suspicious activity that turned out to be malware. The company also was called in to mitigate distributed denial-of-service attacks, Kraus said. Its annual study on security threats sheds light on how solution providers can help their clients develop an incident response plan to avoid costly mistakes.

The Computer Security Incident Handling Guide, a document created and maintained by the National Institute of Standards and Technology (NIST), contains detailed instructions on how to create and build out an effective incident response plan, or how to dust off and update one that is already in place. It provides step-by-step guidance on planning for every aspect of a security incident, from detecting and investigating a potential breach to establishing media communications procedures and deciding when to contact law enforcement.

The document recommends that companies that don't have knowledgeable IT teams should consider MSSPs. While technical staff members in a business may know the organization's environment better than outside help, MSSPs may be able to correlate events among customers so that they can identify new threats more quickly than any individual customer could, according to the NIST document.

Security appliances need to be properly configured, tuned, updated and maintained regularly to detect threats. Alerts generated by those devices need to reach the right handler. System logs should be reviewed regularly to spot suspicious activity. In many cases, basic monitoring can detect threats, but it needs to be done regularly, said Christopher Porter, a managing principal at Verizon.

"The key with monitoring isn't necessarily investing in technology to detect faster, it is investing in technology or practices to configure these things in a more secure manner," Porter said. "A lot of these attacks are on small and medium businesses; they don't have the expertise in place typically to carry this out effectively themselves."

Investigative controls take the information produced by incident detection and verify whether the organization has what it needs to conduct a meaningful response, according to the NTT Group study. The organization first needs to determine whether an alert is a false positive, then define the scope of the incident and which systems and data are potentially affected, Kraus said. That work requires a skilled professional and the right tools to analyze the incident indicators, he said.
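The two preceding paragraphs describe a chain the article never shows in code: logs are reviewed for suspicious activity, each alert is sent to the proper handler, and the handler's first two investigative steps are ruling out a false positive and scoping which systems and accounts are affected. The following Python is an added example, not code from the article, NIST, Solutionary or NTT Group. It works over constructed sshd-style log lines in a simplified format of my own; the failed-login threshold, the allow-list of authorized scanners, and the handler queue names are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a simplified, hypothetical sshd-style format.
# 203.0.113.5 fails repeatedly against web01 and then succeeds against db01;
# 10.0.0.9 is an internal scanner (see KNOWN_SCANNERS) that fails by design.
SAMPLE_LOGS = """\
2014-03-03T09:00:01 host=web01 sshd: Failed password for admin from 203.0.113.5
2014-03-03T09:00:02 host=web01 sshd: Failed password for admin from 203.0.113.5
2014-03-03T09:00:03 host=web01 sshd: Failed password for admin from 203.0.113.5
2014-03-03T09:00:04 host=web01 sshd: Failed password for root from 203.0.113.5
2014-03-03T09:00:05 host=web01 sshd: Failed password for root from 203.0.113.5
2014-03-03T09:00:09 host=db01 sshd: Accepted password for admin from 203.0.113.5
2014-03-03T09:05:00 host=web02 sshd: Failed password for svc from 10.0.0.9
2014-03-03T09:05:01 host=web02 sshd: Failed password for svc from 10.0.0.9
2014-03-03T09:05:02 host=web02 sshd: Failed password for svc from 10.0.0.9
2014-03-03T09:05:03 host=web02 sshd: Failed password for svc from 10.0.0.9
2014-03-03T09:05:04 host=web02 sshd: Failed password for svc from 10.0.0.9
2014-03-03T09:10:00 host=web01 sshd: Accepted password for alice from 10.0.0.22
"""

FAILED_THRESHOLD = 5            # failures from one source before an alert fires (assumed)
KNOWN_SCANNERS = {"10.0.0.9"}   # hypothetical allow-list of authorized internal scanners

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"password for (?P<account>\S+) from (?P<source>\S+)$"
)


@dataclass
class Alert:
    source: str
    failed_count: int
    hosts: List[str]              # every host the source touched (incident scope)
    accounts: List[str]           # every account the source tried (incident scope)
    compromised_hosts: List[str]  # hosts where a login actually succeeded
    severity: str                 # "high" if a success followed the failures, else "medium"
    status: str = "untriaged"     # set by triage(): "confirmed" or "false_positive"


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """Detection: group authentication events by source address and raise an
    alert for every source that reaches the failed-login threshold."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        bucket = failures if ev["result"] == "Failed" else successes
        bucket[ev["source"]].append(ev)

    alerts = []
    for src, fails in failures.items():
        if len(fails) < FAILED_THRESHOLD:
            continue
        succ = successes.get(src, [])
        alerts.append(Alert(
            source=src,
            failed_count=len(fails),
            hosts=sorted({e["host"] for e in fails + succ}),
            accounts=sorted({e["account"] for e in fails + succ}),
            compromised_hosts=sorted({e["host"] for e in succ}),
            severity="high" if succ else "medium",
        ))
    return sorted(alerts, key=lambda a: a.source)


def triage(alert: Alert) -> Alert:
    """Investigation step 1: rule out false positives. Failures from an
    authorized scanner are expected and go back to the team that tunes detection."""
    status = "false_positive" if alert.source in KNOWN_SCANNERS else "confirmed"
    return replace(alert, status=status)


def route(alert: Alert) -> str:
    """Send each triaged alert to the proper handler (hypothetical queue names)."""
    if alert.status == "false_positive":
        return "tuning-queue"
    return "on-call-responder" if alert.severity == "high" else "soc-analyst"


def review_logs(log_text: str) -> List[Tuple[Alert, str]]:
    """One full review pass: detect, triage, and record where each alert went."""
    triaged = [triage(a) for a in detect(log_text)]
    return [(a, route(a)) for a in triaged]


if __name__ == "__main__":
    for alert, handler in review_logs(SAMPLE_LOGS):
        print(f"{alert.source}: {alert.status}, severity={alert.severity}, "
              f"scope hosts={alert.hosts} accounts={alert.accounts}, "
              f"compromised={alert.compromised_hosts} -> {handler}")
```

The scope fields are what make the alert actionable for the responder: the external source is reported with every host and account it touched and the one host where it actually got in, so containment can start from a known set of systems rather than from the single log line that fired the alert.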

An organization with skilled staff and a thorough incident response plan in place can quickly assess and reduce the scope of an incident. Following an initial infection, an attacker will attempt to move laterally through the organization, said Raj Shah, CEO of Morta Security, which was recently acquired by Palo Alto Networks. Shah said there are stages of an attack that cybercriminals always have to go through as they seek out and attempt to get into more sensitive systems. The goal of the incident response team is to surround and cut off the attacker to minimize the loss or exposure of data.

Forward-thinking organizations not only dust off their incident response plans annually, they also conduct a drill to ensure the plan can be followed properly, said Solutionary's Kraus. One of the chief recommendations of the 2014 Verizon Data Breach Investigations Report is to log system, network and application activity, which provides the necessary foundation for incident response. That logging is especially important when containing a sophisticated threat and when addressing denial-of-service attacks to minimize the impact on system availability, according to the report. A test should walk through a scenario to ensure jobs and duties are appropriately assigned and to surface any issues, such as a breakdown in communication.

The NTT Group study highlighted an incident it handled after a system administrator at an organization released a worm infection. The company had not tested its incident response and had no tools or processes in place to minimize the impact of the worm. After four months of problems and troubleshooting, the incident cost the firm $109,000. The expenses included the fees paid to forensics investigators, legal support and public relations help, plus remediation of the issues that enabled the worm infection. The worm was a member of the Dorkbot family, malware that attempts to steal account credentials and spreads through instant messaging or USB flash drives. A simple problem caused the incident to grow out of control, according to the study: the organization had systems with no antivirus, or with antivirus that lacked the latest signatures to detect the known worm.

Poor detection capabilities caused one organization to miss an ongoing distributed denial-of-service attack against its systems for 2.5 hours. The company was ultimately alerted to the problem by clients who could not access a client portal. The organization was focused on its PCI compliance activities and had no detection coverage for the parts of its network that were not in scope for PCI, according to the NTT Group study. Once the attack was detected, the investigation took a half-hour and the company took steps to filter out the flood of bad traffic. Mitigating the attack took 10.5 hours and ultimately required a costly call to the organization's upstream Internet service provider, which took hours to implement effective filtering. The total time to mitigate the incident was 13.5 hours at a cost of $5,000 an hour, bringing the total loss to $67,500, according to the study.

An incident response plan that is firing on all cylinders compresses the threat mitigation timeline, according to the NTT Group report. Organizations need to focus not only on reducing the response timeline, but also on reducing the detection and investigation times of security incidents. Solution providers need to help clients look at risks through a formal risk assessment, said Solutionary's Kraus. Such an assessment will help businesses identify the areas at greatest risk of an attack and where an attack could produce the largest financial costs, he said.