Building an incident response plan

Mazen Adnan Dohaji, Vice President and General Manager (iMETA), LogRhythm, looks at how to build an effective incident response plan for the Middle East.

The Middle East is facing a rapid rise in cyberattacks, with 75% of organisations in the region at risk of an attack in 2023, up from 64% in 2022, according to Statista. Attacks by threat actors have become an issue of when, not if, and organisations of all sizes across all industries are now having to re-evaluate how to respond to this growing risk.

The continuing success of digitisation initiatives across the Middle East brings an increased exposure to cyber threats. The growing digital attack surface is giving threat actors more entry points to exploit and putting upcoming initiatives, such as Saudi Vision 2030, at risk.

To add to this challenge, cyberattack methods have evolved substantially in recent years, becoming more sophisticated and damaging. With the threat landscape in the Middle East set to become even more complex, consequences such as the permanent loss of data await any organisation hit by an attack. To protect against these outcomes, Middle Eastern organisations should implement an incident response plan (IRP).

An IRP is a documented set of instructions and procedures for detecting, responding to and recovering from cybersecurity threats. Establishing this secure foundation enables businesses not only to mitigate ever-evolving threats but also to digitise without disruption.

Building a threat-ready response

An incident response plan is an essential strategy for safeguarding critical data. Preparing the plan and creating a dedicated team to implement it can save vital minutes and help limit potential damage. To develop an effective response plan, it is crucial to understand the individual steps involved. By preparing for and following these steps, organisations can ensure their response will be quick and efficient.

Creating a dedicated Incident Response Team (IRT)

Putting together a team designed to specifically identify and respond to incidents is the first step to making an effective IRP. The IRT will consist of members of multiple departments such as IT and security.

Next, each member must be assigned roles and responsibilities, which should be laid out in the IRP so that it is clear who undertakes which task. Examples of roles within the team include security analysts, incident response managers and communication teams.

Within these roles, the analysts would be responsible for identifying any potential threats or suspicious activity, reviewing security logs, and carrying out an investigation into the attack. Incident response managers would then choose the most appropriate response to the incident. Informing the affected stakeholders would then fall to the communication team once it is confirmed that any damage has occurred. The team would be led by a Chief Information Security Officer (CISO), who oversees the process and enforces security policies.

Identifying your most important business assets and any potential vulnerabilities in your systems

It is crucial to identify your organisation’s business-critical assets. Cyberattacks will do the most damage to these assets, so identifying and protecting them is the priority for minimising impact. Identifying your most important assets has the added benefit of highlighting vulnerabilities within your systems, which you can then focus on securing. For example, if your email system poses a significant security risk, you can put procedures in place to block threat actors who attempt to exploit it.

Drafting an Incident Response Plan

The draft of your IRP can take two pre-existing frameworks as inspiration: the incident response guidance published by the National Institute of Standards and Technology (NIST) and that of the SANS Institute.

An effective IRP will follow these six phases:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Post-incident Activity

The NIST and SANS frameworks are very similar; the only difference is that the SANS framework treats containment, eradication and recovery as separate stages, whereas NIST groups them into a single phase.

This step sets out for employees the process they should follow in response to a cyberattack. The plan is important in ensuring the response is organised, preventing the losses that wasted time would otherwise cause.

Developing a communication plan

Developing a communication plan is an effective way of ensuring that information reaches the relevant stakeholders in a timely manner. Your plan should also include the contact details of all IRT members, both internal and external, to guarantee that the required people are reachable.

A communication breakdown could be detrimental to the organisation in the event of an attack. This could result in a spread of misinformation which could cause further harm to the business. If stakeholders aren’t informed quickly about the attack, they may lose trust in the organisation, causing it to lose out on future business.

A communication plan removes these risks by helping you respond faster during an attack. This denies misinformation the time to spread and reassures your stakeholders.

Testing and updating the IRP

The final step in creating an IRP is to test it and then update it accordingly. Cyberattacks are constantly evolving, and your IRP must reflect this. It is not enough to create a single plan, leave it unmaintained and hope for the best.

Testing your IRP is critical because it allows you to identify weaknesses before threat actors can. This can be done by running cyberattack simulations or walkthroughs to test the effectiveness of the plan and to confirm that members of the IRT understand their roles and responsibilities. During the test, the IRT should record any observations and areas for improvement.

Your IRP should be tested and updated annually at the very least. As cyberattacks continue to grow in the Middle East, having an updated plan provides the security needed to prevent assaults on your systems.

Taking control of your security outcomes

Cyberattacks in the Middle East are no longer an issue that organisations can ignore. Their growing frequency has led to them becoming an inevitable challenge that businesses must tackle head-on. Even though cyberattacks may be unavoidable, losses from them don’t need to be. Preparing an IRP can help security teams react and respond quickly and efficiently, reducing the damage done by a breach. The faster the response, the less damage a threat actor can perpetrate, saving both costly losses and the trust of your stakeholders.