Virtually all companies today depend on computer networks to link employees, suppliers and customers, exchange information and facilitate a variety of essential day-to-day tasks. Unfortunately, that makes them susceptible to cyberattacks. It’s why all companies need an incident response (IR) plan — a structured process for detecting, responding to and recovering from cybersecurity incidents.
Only 23 percent of organizations have a formal IR plan, according to the Ponemon Institute’s most recent study on cyber resilience. Most respondents said they tend to deal with security incidents on the fly due to a lack of skilled security personnel.
That’s clearly a risky approach given the increasing frequency and sophistication of cyber threats. What’s more, the lack of a plan could expose a company to significant fines or legal action. Many data privacy regulations such as the California Consumer Protection Act require companies to have a formal IR plan.
Fortunately, there are established standards and guidelines for creating an IR plan. For example, the SANS Institute’s framework has six steps:
- Preparation. Review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which security incidents the team should focus on and build a Computer Security Incident Response Team (CSIRT).
- Identification. Monitor systems to detect deviations from normal operations and determine if alerts represent actual security incidents. Once an incident is confirmed, collect additional evidence, establish its type and severity, and document everything.
- Containment. Perform short-term containment — for example, isolate the network segment that is under attack as soon as possible. Then focus on long-term containment, which involves fixes that allow systems to continue being used in production.
- Eradication. Remove malware from all affected systems, remove accounts or backdoors left by attackers, and install security patches on affected systems. This process could involve a complete reimaging of hard drives to ensure that malicious content is removed and can’t cause a reinfection.
- Recovery. Bring affected production systems back online carefully to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.
- Lessons learned. Prepare a retrospective assessment within two weeks of the incident. Prepare complete documentation of the incident, including how it was detected and contained, and identify processes that could be improved.
Developing such a plan isn’t a simple process. It requires the coordination of myriad people and technologies. That’s why many organizations turn to a GIAC Certified Incident Handler (GCIH) to help coordinate their IR planning.
GCIH is considered one of the more prestigious certifications for IT security professionals. It’s an in-depth certification covering a wide number of incident-handling topics — including how cybercriminals infiltrate networks, crack passwords and cover their tracks following an attack. It also covers prevention, containment, incident recovery and system restoration strategies.
GCIH pros have demonstrated understanding of common attacks, with specific training in the leading techniques for detecting and resolving cybersecurity incidents. They are trained in how to identify the latest attack vectors as well as older attacks that are still prevalent. GCIH professionals are also trained in the latest investigative techniques for examining evidence from the network and memory.
Additionally, GCIH professionals understand how to develop a comprehensive incident-handling plan, as well as the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement and handling evidence. These skills make them exceptionally qualified for leading IR teams and coordinating IR planning.
Verteks has the experience and expertise to help you develop a comprehensive IR plan. Our cybersecurity team features a deep bench of highly trained network engineers who hold a number of key security certifications, including GCIH. Contact us to learn how we can help improve your security posture.