Creating an incident response plan that works

In 2016, a group of IT executives at Maersk, one of the largest shipping companies in the world, asked for a preemptive redesign of the company’s network. The request was approved, but the redesign was never executed.

A little over a year later, malware called “NotPetya” inadvertently took over nearly the entirety of the company’s global network, irreversibly encrypting every device it came in contact with. Ships were stranded at ports. Companies expecting shipments became irate. The entire company came to a screeching halt.

Fortunately, Maersk had an incident response plan in place. In a week and a half, the company’s network of 4,000 servers and 45,000 PCs had been completely rebuilt. The IR plan had a few flaws, however; all told, the NotPetya attack cost Maersk more than $300,000,000, and they were not even a direct target.

Three out of four companies do not even have IR plans in place, and their failure to respond would be even more devastating. Here are the steps that should be taken in order to appropriately respond to a cyberattack:

Assemble a team

The IR team is the foundation of a successful incident response. They are responsible for creating an IR plan, then executing it should a security incident occur. Because of the varied roles necessary, the team should comprise a cross-section of the company, not just IT or cybersecurity personnel.

Define clear roles

Every member of the team should understand the part they play in developing the IR plan in order to ensure that no portion of it goes undeveloped. In the event of an incident, each member of the team should know their responsibilities and the order in which to execute them.

Coalesce business departments

The IR team should not operate as a standalone task force. In the Maersk incident, chaos reigned as none of the siloed departments could communicate with each other. Stakeholders should be brought in from each sector of the company to ensure that the IR plan can be executed company-wide.

Write an IR plan

· Define incidents: If incidents are not clearly defined, the IR team will always be on edge. Determine what constitutes an incident so the IR team knows precisely when to engage.

· Identify KPIs: One of the failures for the Maersk team was that they had no KPIs attached to their incident response, so there was never an incentive for excellent performance. Determine what metrics are important, such as time to detect the incident, and include those in the IR plan.

· Establish communications protocol: When a breach occurs, there is a laundry list of parties who need to be contacted and apprised of the situation. Prioritize those parties, then assign each one to a member of the IR team.

Update consistently

An IR plan is a living document. As a company grows and changes, the plan should be regularly revisited to ensure that it remains the best response to an incident possible.

Perform drills

An easy way to ensure the plan remains up-to-date is to perform regular tests. Both the test scenarios and the team’s response to them should replicate those of a genuine incident.

No one wants to take the time and effort to develop a comprehensive incident response plan until after an incident has happened. For more information on tools that can help you respond quickly and efficiently to incidents, as well as how they can be integrated into your incident response plan, contact WireX today.
