How to improve your incident response plan for 2023

You may already have an IR plan but regardless of how thorough you might feel it is at this moment, the evolving cyber threat landscape and shifting circumstances within your organization demand regular changes and improvements.

What are the attack vectors most popular with threat actors today? The 2022 Unit 42 Incident Response Report found that business email compromise (BEC) and ransomware attacks are widespread, collectively making up 70% of cases handled by the Unit 42 Incident Response team. Specifically, the top three access vectors for threat actors are phishing, software vulnerability exploitation, and brute-force credential attacks.

It’s crucial that we regularly revise our IR plans with the most prevalent types of attacks in mind. Here are five best practices that can improve your IR plan and strengthen your overall security posture.

Promote awareness of your IR plan and playbook

Many organizations are confident in the existence of their incident response plan (IRP), but they are often not entirely sure what to do with it. A threat-specific IR playbook can offer easily accessible guidance during the chaos of incident response and is a vital element of an IR plan.

When a cybersecurity incident happens, you’re scrambling to understand what’s being harmed or stolen, and not knowing where to begin can exacerbate the damage. Using your playbook as a set of IR standard operating procedures (SOPs) can define the roles and responsibilities of each IR team member as well as other key stakeholders within the company and keep everyone on the same page.

For instance, the IR team will determine that passwords need to be changed during the containment of a ransomware incident, but to understand which passwords need to be changed (administrative, service account, etc.) or other required actions, they could consult the playbook for quicker resolution.

These incidents call for “all hands on deck”, but for things to run smoothly, everyone must know their individual roles and the roles of others, including who the critical point of contact for each workstream is.

Evolve your IR plan as you adopt new technology

Technology is quickly advancing and changing, there are shifts in business operations and changes involving personnel and roles. As these shifts happen, your IR plan must be fine-tuned. For instance, you open your organization to new threats when you move data or workloads to the cloud. As a result, you’ll need to adapt your IR plan to address cloud-specific threats.

It’s not necessary to throw out the old plan and create an entirely new one. Make changes to the one you have and leverage the most up-to-date best practices, such as those provided by NIST Cybersecurity Framework and CSIRT to help guide you.

Test your plan proactively, before you need it

Testing your IR plan can help you find out about flaws before a threat actor helps the team to test it. By practicing, members of the team will be more liable to know exactly what to do and where to turn in the event of a real incident.

Proactive testing can include IR exercises, tabletop exercises, penetration testing, and purple teaming. It’s also helpful to involve each key stakeholder in this testing, such as legal (including outside counsel), crisis communications, marketing, etc., to ensure they have input into the plan and process.

It’s also more important than ever to regularly evaluate designated stakeholders in your IRP. Changes in the economy could mean that attrition and employee turnover make a more significant impact on your IRP this year.

Establish a zero-day budget

If there’s no budget, even the best plan can fail. While your organization may have insurance to help recover from a cyberattack, you may need additional capital to cover ancillary or unexpected costs.

To avoid having to make budget decisions during an incident or letting the budget bottleneck your ability to respond the right way, ensure your relevant players are informed and have signed off on how to secure that budget in advance.

After all, you may find yourself needing to purchase new devices to keep business operations going or invest in software to help contain an attack. When these what-if conversations occur during the IR planning stage, you eliminate the uncertainty or potential time lost in a high-pressure situation.

Ensure training is a priority

It can be easy to let incident response training fall by the wayside given the busy, dynamic nature of day-to-day business operations. However, this leads to stale plans and insufficient responses when it matters most.

Regardless of organization size, IR training should be a business priority, incorporated into the IR plan, and budgeted accordingly. This should include discussing possible scenarios and practicing response actions, so everyone understands their responsibilities.

Given what’s at stake, it’s vital that your IRP is effective. Following these best practices to strengthen your response will mean that while security incidents will occur, you will be able to guide your business through the incident with resiliency and less impact to business operations.