-
Featured services
-
Services
View all services and productsLeverage our capabilities to accelerate your business transformation.
-
Services
Network as a Service
Popular Products
-
Private 5G
Our turnkey private 5G network enables custom-built solutions that are designed around unique use cases and strategies, and deployed, run and optimized through a full network-as-a-service model.
-
Managed Campus Networks
Our Managed Campus Networks services transform campus networks, corporate area networks and interconnected local area networks, and connect smart places and industries.
-
-
Services
Cloud Services
Popular Products
-
Cloud Migration and Transformation Services
Access the people, processes and technologies you need to deliver cloud migration projects that improve your return on investments.
-
Site Reliability Engineering Services
Get the most from your cloud investments when you harness our Site Reliability Engineering Services to support app development and lifecycle management.
-
-
Services
Edge as a Service
Client stories
-
Penske Entertainment and the NTT INDYCAR SERIES
Together with Penske Entertainment, we’re delivering digital innovations for their businesses – including INDYCAR, the sanctioning body of the NTT INDYCAR SERIES – and venues such as the iconic Indianapolis Motor Speedway, home to the Indianapolis 500.
-
Using private wireless networks to power IoT environments with Schneider Electric
Our combined capabilities enable a secure, end-to-end digital on-premises platform that supports different industries with the benefits of private 5G.
-
-
Services
Technology Solutions
Client stories
-
Services
Global Data Centers
-
Services
Digital Collaboration and CX
-
-
-
Insights
Recent Insights
-
The Future of Networking in 2025 and Beyond
-
Using the cloud to cut costs needs the right approach
When organizations focus on transformation, a move to the cloud can deliver cost savings – but they often need expert advice to help them along their journey
-
Make zero trust security work for your organization
Make zero trust security work for your organization across hybrid work environments.
-
-
-
-
-
Discover how we accelerate your business transformation
-
About us
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
CLIENT STORIES
-
Liantis
Over time, Liantis – an established HR company in Belgium – had built up data islands and isolated solutions as part of their legacy system.
-
Randstad
We ensured that Randstad’s migration to Genesys Cloud CX had no impact on availability, ensuring an exceptional user experience for clients and talent.
-
-
- Careers
Incident Response Planning: it’s not optional!
28 September 2020
Topics in this article
Understanding and developing an Incident Response plan is critical for an effective resolution to security breaches
An effective IR plan is the best way to ensure an incident is handled quickly. To use an old military term ‘prior preparation prevents poor performance’ - if a plan is made ahead of time, when an incident occurs, you can react quickly, saving time and money. This is borne out in the Ponemon Institute’s 2020 Cost of a Data Breach Report which highlighted the average cost of a breach for organizations with a regularly-tested IR plan was USD 3.29 million, compared to USD 5.29 million for organizations that did not.Understanding what to do when an incident occurs and who to talk to is critical for an effective response. So, how best to set up an IR plan?
1. Gap assessment
Ensure all the appropriate questions have been asked and the information to identify systems, services, business owners, etc. has been reviewed. If an IR plan is already in place, the gap assessment will establish if the plan is fit for purpose, identify gaps and benchmark results. This is something we manage for our clients with our Cybersecurity Advisory Service.
2. Design IR plan
This is based on the evidence gathered from the gap assessment. The business requirements drive the mission statement and objectives for the IR plan, as they would for a Disaster Recovery plan, and the IR plan should have similar executive ownership.
An Incident Response plan creator – or creators – designing a plan, either on a computer, or creating a board of ideas. Image caption: The Incident Response plan is driven by business requirements and gathered data.
3. Write IR plan
Write the IR plan in line with business objectives, with an overarching methodology for incident response. Two key ones are:
NIST (Computer Security Incident Handling Guide SP 800-61) |
SANS Incident Handling Framework |
| Preparation |
Preparation |
| Detection & Analysis |
Identification |
|
Containment, Eradication & Recovery |
Containment |
|
|
Eradication |
|
|
Recovery |
|
Post-Incident Activity |
Lessons Learnt |
Table 1: IR Frameworks
These frameworks are broken down differently but ultimately deal with incidents in the same procedural fashion. The vast majority of the elements for an IR plan will be defined in the preparation phase:
- Team structure
- Breakdown of the team responsible for day-to-day incident handling processes, including external teams.
- Roles and responsibilities
- Must be very clearly stated so all members of the team are aware of where they fit into the overall plan and what’s expected.
- Definitions
- States what an incident is, when the organization will trigger a major incident, as well as the other key terms associated with the IR plan.
- Priority matrix
- What constitutes a low to critical incident? Broken down into specific areas, e.g. users, criticality, device, attack type and systems affected. Scoring is conducted against each area, helping calculate the incident’s severity.
- Incident workflows
- Define activities to be undertaken by each team during an incident. Align the workflow against a general IR plan, with bespoke elements added in the form of runbooks for specific threats. Details the escalation paths and breakout to external procedures.
- Escalations
- Define escalation paths against set criteria. There are many reasons for escalation, such as additional skills or external assistance required and these should all be detailed so that staff working the incident know who to call on when required.
- Communication
- Ensures team members are aware of how they should be communicating. If the organization’s network has been compromised, a separate communications channel should be invoked i.e. not email! Other elements of the communication plan should align with the Traffic Light Protocol so the incident can be classified accordingly and only authorized staff are briefed.
- Evidence controls
- All evidence should be stored and processed as if it were to go to court. Any security information and event management systems (SIEMs) used should be designed with this in mind, and any additional information captured must follow the correct chain of evidence as defined.
- Key documentation
- This includes all other information pertinent to the IR plan:
- Organizational chart
- Critical assets, data and services list
- Network diagrams
- Data flow diagrams
- Ingress/egress points
- Business Continuity Plan
- Disaster Recovery Plan
- IR playbooks for common attack types
- Chain of custody form
- Incident questionnaire
- Contact information for law enforcement
- On-call/handover roster
- Compliance/regulatory body requirements
- Standard Operating Procedures
- This includes all other information pertinent to the IR plan:
Future elements of the plan will follow a similar workflow, but more granular, so to assist analysts with their investigations and offer guidance. Example:
Step No. |
Actions |
| Step 3 |
Does the mitigation strategy involve disconnecting operational resources? YES – Work with the affected area department head, or designee to determine risk to the business. NO – Go to Step 5. |
| Step 4 |
Did the decision-maker approve of disconnecting or shutting down the resource? YES – Go to Step 5. NO – Use alternative containment strategy: • Live response activities • Firewall filters • Kill suspicious services • Apply patches |
| Step 5 |
Secure critical information, before shutting the system down including: • Volatile memory data • Packet capture • Live collection of relevant artefacts |
Table 2: Workflow Charts
The IR plan should detail the actions which must be conducted on resolution of an incident, such as analysis, lessons learned, and reporting. Further details on this can be found in my earlier blog, The Calm After the Storm.
Your incident response plan must be tested and reviewed to ensure all team members are responding appropriately.
Testing is critical
Most critically: test your plan. Why do all this work if your team isn’t aware of how to respond in an emergency?
We test fire evacuation plans and incident response shouldn’t be any different. Ideally, the tests would be hosted by external organizations that create test scenarios and review the plan to ensure all team members are responding appropriately. This external team can then identify any gaps and provide additional assistance and training where required. Our Digital Forensics and Incident Response Service can support you in this, providing you with a prioritized, actionable security roadmap to optimize your existing controls and determine if new ones are needed.
There are free resources available to create your IR plan, but it is a very specialist area. It’s critical to review the organizations that are out there to guarantee your IR plan is effective and aligned to your business needs. If you don’t currently have an incident response plan in place, don’t delay – your future self will appreciate it.
