How to Update your Incident Response Playbook During a Crisis

As we (perhaps uncomfortably?) settle into the “new work from home normal” (or as I like to call it a Modified Disaster Recovery situation), it’s likely a good time to update your Incident Response Playbook as new cybersecurity threats come to light almost daily in the current environment. But first, we must ensure that we understand what incident response is.

What is Incident Response?

The term incident response refers to the operating procedure an organization uses to deal with cyberattack or other breaches in data. The Incident Response process has become a necessity with what seems to be an unavoidable issue as companies move more and more to the digital world. How the incident is managed, who will be involved in the recovery process, and ensuring that any collateral damage is kept to a minimum are all important to include when considering an Incident Response plan.

What is an Incident Response Plan?

Here are a few things a standard Incident Response Plan template would include:

• First, a written set of policies and guidelines that are meant to prepare and prevent the incident from happening in the first place.

• Next, you’ll need a strategy for how to handle an incident when it does happen. This includes how to prioritize which situations need attention first and who to communicate with, so it can be addressed as soon as possible.

• Another crucial element is a process for documentation of incidents. It’s important to have a record of what hasn’t worked in the past, so you can make adjustments for further prevention.

Now that you understand what incident response is, it’s imperative you have an incident response plan in place.

Don’t have an Incident Response Playbook? Start by reviewing this resource NOW:

How Often Should An Incident Response Plan Be Reviewed?

I typically recommend a complete review of your Incident Response Playbook on an annual basis (with a likely scenario tabletop test every quarter). An annual refresh helps account for significant changes such as new staff, upgraded skills, new partners/vendors or technology.

What’s Most Important in the Incident Response Playbook?

The preparation column is among the most important facets of the Incident Response Playbook. Just as an ounce of prevention is worth a pound of cure, you’ll find that the better-prepared you are for the eventual incident, the better you’ll emerge from it.

Incident Response Plan Considerations

Let’s get started with specifics to consider in these unusual times:

• Endpoint visibility: Now is the time to ensure that you’ve got full coverage and visibility across all endpoints. Do you remember that great EDR software you purchased but couldn’t find the cycles to install? With a considerable portion of your workforce working remote, it’s now necessary, and it’s time to test and roll it out. Endpoint visibility must be part of your Incident Response Playbook.
• Endpoint security: Consider the current process by which you update your endpoints for patch management. Is this process still viable in the mostly-remote scenario? Both regular and emergency patching processes become of higher priority, as does the need for regular remote endpoint vulnerability scanning
  
• Readiness: Incident response readiness is imperative. Keep a copy of the Incident Response Playbook handy and printed out (in physical format) in case the network is inaccessible. Have a permanent remote meeting room designated as a war room, pre-defined, pre-published and ready to go. In case there are resource issues with that remote meeting room, have a backup available (from an alternate provider) similarly pre-defined. Ensure that all contact information for critical personnel is up-to-date (I suggest even including their spouse’s cell phone information, with the strongest caveat that you don’t abuse it)
  
• Multi-factor authentication (MFA): Historically, the implementation of MFA has been highly recommended but given today’s more remote-agile working environment, all users’ remote access should incorporate MFA. It’s critical to start with full Administrator-level MFA to be enabled. As late as July 2019, less than 10 percent of O365 administrator accounts had MFA account. Now, it’s time!
  
• A “Break Glass” MFA protocol: As stated in the previous bullet point, it is critical that MFA is enabled by default, but in case it is unavailable (for whatever reason) there’s a need for old-school administrative controls (with a long, highly randomized password). This emergency authentication method is usually referred to as “break glass credentials”
  
• Review vendor access and THEIR updated Incident Response plans: It’s a good time to reach out to your critical vendors, especially if they have access into your environment. Given this “new normal”, they’ll undoubtedly have people working from home as well. As such, their security stance intersects with yours and can expose you
• Review your cloud infrastructure and assess its security stance: This is the time to analyze the security stance of infrastructure of which you’re not fully in control. This should include cloud (both private and public instances) to ensure that logging measures are in place, that your configurations are secured. This is especially true if they were created as a response to the pandemic (and might not have been through a formal vulnerability assessment process)
• Corporate dependencies: Do you have external systems that rely on a wholly corporate address? By this, I mean external services that rely entirely on corporate IP addressing to restrict their access. It’s time to consider a slight relaxing of this standard, to diminish internal-only (on-prem) dependencies (e.g. IP address lockdowns for external portals/infrastructure management) in case corporate networks suddenly become unavailable (e.g. the “go dark” Protocol earlier mentioned. Build a “jump-off” box if there’s no way to diminish dependencies for emergency purposes only
• A “Go Dark” protocol. A “go dark” protocol is a methodology to completely shut down the entire network in case the worst scenario plays out, and you’ll need to shut down the entire company’s network. Of course, it’s critical to have backup access measures in place, and tested. Similarly, tabletop scenarios should take into account what would happen if no person is available on-site to work the incident response process

Ensure You Have an Incident Response Playbook

The first priority within any incident response plan is to ensure the safety of your staff. The best way to do this is to be prepared for the security challenges moving ahead. I hope that you’ll take this time to review your Incident Response plans and update with the key points I’ve listed above. If you work with an incident response vendor, proactively reach out now to assist you with this before an incident occurs. And visit this dedicated resources webpage to read more about cybersecurity strategies for uncertain times.