Does your IR Plan Help During a Breach?
Say I give you the manual for a 737 jumbo jet and ask you to read it, understand it, and be ready to fly the plane at a moment’s notice.
Two years go by.
Then, I call you up and say that I need you to fly the jet from New York to Los Angeles that afternoon. Would you be ready? Would you remember anything you read in the manual two years earlier? Do you even remember where you put the manual?
These questions are, of course, rhetorical. No one would expect you to fly a plane having only read the manual. So why do we think that having an incident response (IR) plan that we write up, read once, and then put in a drawer is going to help us when we have a security breach?
Because the truth is, just like the manual for that jumbo jet, we're not going to remember anything about what we're supposed to do in a breach if that document hasn't been a living, breathing part of our organization between when it was written and when it was needed.
The Real Benefit of An Incident Response Plan
Having an IR plan is absolutely important. Everyone’s role should be laid out, and response strategies clearly defined. But that's only the first step.
Because the secret of an IR plan is not that merely having it is the most useful thing. Rather, the real benefit of an IR plan is knowing how to use it. And how do you know how to use it when the time comes?
Practice, practice, practice.
Having an IR plan makes you that much more likely to practice how to respond in an actual emergency. Because if you don’t practice your response in a crisis, then you might as well not bother having an IR plan at all. In other words, if you’re going to wing it the day of the test, you might as well not have bothered studying, right?
Perfect Practice Makes Perfect
As the noted philosopher Vince Lombardi once observed: “Practice does not make perfect. Only perfect practice makes perfect.”
Perfection might be a high bar to strive for, but not practicing at all with your IR plan is likewise striving - in the wrong direction. Because if you don’t call people, send test malware to employees, or exercise specific scenarios, then when things hit the fan for real you’re going to see procedures fail when you didn’t expect them to, and then where will you be?
Panicked, in all likelihood. Because the truth is that 43 percent of all cyberattacks are aimed at small-to-medium-sized businesses, and breaches cost an average of $200,000 or more per incident. More than half of all small businesses suffered a breach in 2019, and 60 percent of hacked businesses go out of business within six months of a successful attack.
As expensive as testing strategies are, they are well worth it if they can save your business. While no practice can be perfect, you can (and should!) learn from mistakes made during tests and simulations, and then fail forward the next time.
Strategies to Test Your IR Plan
Consider testing an opportunity to evaluate your plans, find places to improve your response, and broaden the range of incidents your team is exposed to, so that when it’s go-time for real, they’ll know what to do. Here’s how:
- Review the plan quarterly: make updates as necessary. Pay particular attention to any technologies, threats, policies, legislation, or in-house roles that may have changed since the last review.
- Do tabletop exercises: a lower-stress test of the IR plan. Take half a day for cross-functional teams to walk through their response to specific attack scenarios. Think of this as a dress rehearsal.
- Run annual “fire drills”: a full-scale simulation of a cyber incident. These will help your staff keep sharp on how to respond to an incident, let you spot weaknesses in your IR plan, and test specific scenarios. Sample fire drills might include:
  - phishing emails: attempting to get employees to unwittingly hand over passwords or other sensitive data
  - malicious attachments: seemingly legitimate files or documents attached to an email that would normally contain a virus or malware - but that for testing purposes contain a benign one
  - password and other suspicious requests: a seemingly legitimate source requests passwords or other sensitive data
  - unauthorized devices: computers or other devices without proper authentication attempting to access your network
  - lost or stolen devices: corporate-owned laptops or USB keys that are stolen, or even just left on a transit vehicle.
  For any of these scenarios, determining whether and how data was accessed, and whether that data could have caused material damage, will be an essential part of the test, so that you can make any required notifications.
- After-action reports: after each drill, debrief with your staff, IT, and your CIO. What went well? Where did your processes fall down? What are the takeaways for improvement? This will help you run more effective fire drills in the future, leaving you better prepared for actual breaches.
For more steps like these, check out our Elite SMB Incident Response Guide.
An after-action debrief is also a good time to reevaluate what you’re doing well in-house and what areas could benefit from outside help.
You can do a simple test right now with the benign test files from EICAR. (Don’t worry, they’re safe, but they will serve as a good test for your defenses.)
What happened? Did your AV go off? Did your firewall? Was it logged/alerted? Who got it? What are they doing now? What are you doing right now? If nothing happened, you may have more to do today than read this blog post :)
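To make that EICAR check a repeatable drill rather than a one-off click, here is an added example script (not part of the original post or of IntelliGO’s tooling) that writes the standard EICAR test file to a temporary directory, watches whether endpoint protection removes or alters it within a timeout, and returns the outcome together with the debrief questions above. The file name, directory prefix and timeout are assumptions.

```python
import os
import shutil
import tempfile
import time

# Standard 68-byte EICAR test string, built from two halves so this script
# file is not itself quarantined before it gets a chance to run.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR" + r"-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Debrief questions from the post, returned with every result.
CHECKLIST = [
    "Did AV go off? Did the firewall?",
    "Was it logged or alerted on?",
    "Who got the alert, and what are they doing now?",
]

def write_test_file(directory, name="eicar_drill.com"):
    """Write the EICAR string as a plain file and return its path (name is assumed)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(EICAR.encode("ascii"))
    return path

def observe(path, timeout_s=10.0, poll_s=0.5):
    """Poll until the file vanishes or changes (protection reacted) or the timeout passes."""
    deadline = time.monotonic() + timeout_s
    while True:
        try:
            with open(path, "rb") as fh:
                data = fh.read()
        except OSError:
            return {"detected": True, "reason": "file removed or access denied"}
        if data != EICAR.encode("ascii"):
            return {"detected": True, "reason": "file contents altered"}
        if time.monotonic() >= deadline:
            return {"detected": False, "reason": "file untouched after %.1fs" % timeout_s}
        time.sleep(poll_s)

def run_drill(timeout_s=10.0):
    """Drop the test file in a temp dir, record the outcome, clean up whatever is left."""
    directory = tempfile.mkdtemp(prefix="ir_drill_")
    try:
        result = observe(write_test_file(directory), timeout_s)
    finally:
        shutil.rmtree(directory, ignore_errors=True)  # file may already be quarantined
    result["checklist"] = CHECKLIST
    return result

if __name__ == "__main__":
    outcome = run_drill()
    print("DETECTED" if outcome["detected"] else "NOT DETECTED", "-", outcome["reason"])
```

A "NOT DETECTED" result on an endpoint that is supposed to be protected is exactly the kind of surprise a drill is meant to surface; record it in the after-action report alongside the checklist answers.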
Partnering with a trusted ally like IntelliGO can give you access to qualified talent that acts as an extension of your team via our comprehensive MDR service. Our proprietary technology and dedicated Threat Hunters help bolster your defences, detecting suspicious behaviour and responding to attacks in real time.
Contact IntelliGO today to find out how you can secure your business at a price friendly to SMBs.