Must-Haves for an Essential Incident Response Plan

This is a plea and primer for SMB decision makers to decide and document a few basics as part of an Essential Cybersecurity Incident Response Plan.

While an Incident Response (IR) plan should be comprehensive and well-tested, the fact is that thinking through and documenting a few fundamental items may save you days of lost time and many headaches. These are not decisions you want to deal with in the heat of the moment. They can be costly.

So consider the following items to be a few must-haves for an Essential IR Plan.

Essential IR Plan Elements

Insurance

Know WHO & HOW you are going to call. No, it’s probably not your broker. That might work on Tuesday at 2pm but you need a number for Friday Night at 9pm. Most cyber insurance carriers have a hotline number or emergency email address. Know it and make sure you have it saved in your contacts.

Legal Counsel

Make sure you have Legal Counsel that:

  • Is experienced in Data Security/Privacy Law
  • Has pre-approved rates with your Insurance Provider.

Lawyer jokes aside, a great cyber lawyer is worth their weight in gold when it comes to IR/Breaches. Also, this is likely not your normal corporate attorney. Find and retain a specialist. Depending on your insurance provider, you may want to look into their panel attorneys (attorneys that they refer you to, with pre-approved rates). I’ve seen great panel counsel and those that were less than stellar. Your mileage may vary. Interview some panel attorneys and make an informed decision. If you independently find your own counsel, have a conversation with your insurer to see if they can be on the pre-approved short-list or at least have pre-approved rates.

Forensics

You will need specialists who know Incident Response, Threat Hunting, and Forensics. The same situation with pre-approval and panel firms applies here as well. If you find your own, get them pre-approved. Also be aware that you typically don’t want to find your own in the heat of the moment. You don’t get priority without some sort of retainer or relationship. A panel forensic firm will get started quickly due to their relationship with the insurer. However, that doesn’t mean they are awesome.

Know WHO is going to call

Who in your organization can make the decision to call the attorney when a cyber situation is possible? The CEO or CFO are a natural answer; just make sure you think through contingencies that cover late nights and vacations. Also, don’t assume it will be a clear-cut situation; you may be dealing with gray areas.

Know WHO to call 1st

I’ve often been in conversations about whether to call the insurance agency/broker or Legal Counsel first. Many SMBs default to Insurance first because of cost concerns. Nothing wrong with that per se, but my advice is to call Legal Counsel FIRST. I’m not a lawyer, don’t take legal advice from me, but I’ll just say there are good reasons to do so. Of course, this means you have a Lawyer to call and their fees are pre-approved by Insurance.

WHAT NOT TO DO

Now that I’ve shared a few things you should do, it’s just as important to know what you should NOT do. Cyber Incidents are unique and require special handling.

  • Don’t make changes – Don’t make changes until you fully understand what you are dealing with. Don’t reboot systems, don’t change passwords, don’t block IP addresses. I know this seems counter-intuitive, but you don’t have a normal IT problem; you have a digital crime scene with an intruder possibly still in the building. Few SMBs have the in-house experience to properly investigate an incident. Therefore you will likely not be able to scope the incident without engaging a cybersecurity team, specifically a Forensics/IR firm. (Note that the industry term is Data Forensics / Incident Response (DFIR).)

  • Don’t poke the bear – Do not probe the adversary. No pings, lookups, etc. Don’t tip your hand that you have discovered their presence.

  • Communicate Out-of-Band – Don’t send emails or chat messages on systems that may be compromised. Use personal email addresses, use text messaging, use Signal. Don’t write any work emails that say “OMG we’ve been hacked.” Act as if the adversary can read your email.

[Figure: Common Missteps graphic from CISA, showing common missteps an organization can make when first responding.]

More Help

If you want to take your IR plan further I’d recommend you review CISA’s Technical Approaches to Uncovering and Remediating Malicious Activity. It’s more technical than planning but it’s excellent guidance.

Need a great Forensics/IR firm or legal counsel? Contact me and I’ll be glad to share the partners and people that I trust.
