
A Guide for Creating a Cyber Incident Response Plan

As NJ Cyber Insurance specialists, we observe firsthand the severity and frequency of cyberattacks on firms in our community. To help inform and protect your business, we offer this guide on establishing a Cyber Security Incident Response Plan (CSIRP) for your operations.

You can never assume you won’t encounter a cyberattack. The number of incidents is growing, putting every organization at risk regardless of its size or the type of business it runs. For example, according to the Identity Theft Resource Center, the number of data breaches publicly disclosed last year surpassed the 2020 total and set a record for 2021.

There are no indications that attacks are declining. And experts have growing concerns as they find hackers are becoming more methodical and precise in their targeting. So, it’s time to either establish or review your CSIRP and examine the security of your crucial information security systems.

Creating a Cyber Security Incident Response Plan (CSIRP) for Your Business

Your business needs an information security policy as part of your overall risk management strategy. You must understand what laws and regulations require. A robust information security policy sets out your organization’s expectations for how employees, contractors, partners, customers, suppliers, and others interact with your company’s systems and data.

What Is a CSIRP?

A cyber security incident response plan is a document that sets out what to do when a serious security incident occurs. Your CSIRP should include procedures for preparation, detection, containment, eradication, recovery, and post-incident activities. Details on each phase are below.

Business Continuity Planning

CSIRPs are sometimes known as “business continuity” or “cyber security” plans. They are intended to cover any cyber security incident within a company’s network infrastructure. Creating such plans helps protect against malicious hackers, natural disasters, power outages, employee misconduct, and other events that can cause harm to the organization. Effectively, they will help to minimize the damage caused by such incidents.

Considerations for Incident Response Planning

A CSIRP is the most crucial part of a Security Operations Center (SOC). When creating a CSIRP, make sure senior management supports your SOC. Build your SOC around critical criteria to measure success. Make sure your CSIRP does not become a box-ticking procedure.

Key stakeholders include owners, managers, employees, customers, suppliers, partners, and others. The owner or manager should communicate to all parties with clear and concise updates without unnecessary technical terms when reporting incidents. In addition, security teams should share with other groups using precise language.

Responsibilities for CSIRPs

SOC analysts are responsible for analyzing and interpreting security incidents. They must have a broad knowledge of cyber security threats. For example, a SOC analyst should have access to Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) solutions. Team members will also need to know how to triage events and escalate them if necessary.

Preparation

Establish playbooks that your SOC will follow when triaging an incident. Playbooks are essential tools to help you respond to high-level incidents and identify such threats as DDoS, Malware, Insider Threat, Unauthorized Access, and Phishing attacks. First, it is essential to create playbooks that give clear instructions on prioritizing incidents when they occur. Second, the team must test the playbooks to become familiar by following their specified procedures. Finally, tabletop exercises will increase correct, timely responses and create insights to help probe for necessary improvements and updates.

Identification

Malware spreads fast because it uses many different methods to infect computers. It connects to servers and sends information back to the attacker, creates new files on the hard drive, and modifies or overwrites existing ones. Malware will also create and run new processes on affected devices.

Malware often writes distinctive registry keys that can be used to identify it. It then searches for specific files and certain software programs to infect. It also searches the computer for IP addresses, URLs, and email messages, which attackers use to further their exploits and create new security issues.

Patient Zero is the term for the first computer affected by malware. Once you’ve identified the size and scope of the incident, you can begin to remove it successfully. Start at the first compromised device, i.e., patient zero, with the mission of identifying the root cause of the breach. Use this information to work out where the infection has likely spread, since attackers use lateral movement to reach and exploit vulnerabilities in other devices.

Accurate identification of an attack comes from gathering valuable indicators. For example, in addition to rebuilding the original infected devices, seek to identify other indicators of compromise across the network. Answering these questions is helpful to the process.

  • What network connections does the malware use?
  • What domains does the malware connect to?
  • What specialized, unique files and running processes has the malware created on the system?
  • What unique registry keys has the malware created?

Your answers are clues that will help you discover further evidence of compromised computers and identify any infected computers on your network.
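The hunt described above, turning the answers to those four questions into a sweep of the rest of the network, can be automated against endpoint telemetry. The script below is an added example and is not code from the original article or from Dickstein Associates Agency; every indicator value (domain, IP address, hash, process name, registry key) and every telemetry record in it is constructed for illustration, and the JSON-lines field names are assumed rather than taken from any particular EDR or SIEM product.

```python
"""Sweep endpoint telemetry for indicators recovered from patient zero.

Added example, not part of the original article. All indicator values and
telemetry records are constructed; the record field names are an assumption.
"""
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class IndicatorSet:
    """Indicators of compromise recovered from the first infected device."""
    domains: frozenset
    remote_ips: frozenset
    file_hashes: frozenset
    process_names: frozenset
    registry_keys: frozenset


def _norm(value: str) -> str:
    # Hostnames, Windows process names and registry paths are case-insensitive,
    # so normalise both indicators and telemetry to lower case before comparing.
    return value.lower()


def build_indicators(**groups) -> IndicatorSet:
    """Normalise each group of raw indicator strings into a frozenset."""
    return IndicatorSet(**{k: frozenset(_norm(v) for v in vals) for k, vals in groups.items()})


# Constructed indicators from patient zero (not real IoCs; addresses are RFC 5737 ranges).
PATIENT_ZERO = build_indicators(
    domains={"update-check.example.net"},
    remote_ips={"203.0.113.45"},
    file_hashes={"ab" * 32},                       # placeholder SHA-256 of the dropped binary
    process_names={"svchost-helper.exe"},          # look-alike of the legitimate svchost.exe
    registry_keys={r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper"},
)

# Constructed EDR-style telemetry, one JSON object per line, from several hosts.
TELEMETRY = [
    {"host": "ws-017", "event": "process", "image": r"C:\Users\a\AppData\Local\svchost-helper.exe", "sha256": "ab" * 32},
    {"host": "ws-017", "event": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Helper"},
    {"host": "ws-023", "event": "network", "dst_domain": "Update-Check.example.net", "dst_ip": "203.0.113.45"},
    {"host": "ws-041", "event": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "cd" * 32},
    {"host": "ws-041", "event": "network", "dst_domain": "login.microsoftonline.com", "dst_ip": "198.51.100.7"},
    {"host": "srv-db-02", "event": "registry", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\MSSQLSERVER"},
]
TELEMETRY_JSONL = "\n".join(json.dumps(r) for r in TELEMETRY)


def match_record(record: dict, ioc: IndicatorSet) -> list[str]:
    """Return a description of every indicator this one telemetry record matches."""
    hits = []
    kind = record.get("event")
    if kind == "network":
        domain = _norm(record.get("dst_domain", ""))
        if domain in ioc.domains:
            hits.append(f"domain:{domain}")
        ip = record.get("dst_ip", "")
        if ip in ioc.remote_ips:
            hits.append(f"ip:{ip}")
    elif kind == "process":
        image = _norm(record.get("image", ""))
        name = re.split(r"[\\/]", image)[-1]     # basename, whichever path separator
        if name in ioc.process_names:
            hits.append(f"process:{name}")
        digest = _norm(record.get("sha256", ""))
        if digest and digest in ioc.file_hashes:
            hits.append(f"hash:{digest}")
    elif kind == "registry":
        key = _norm(record.get("key", ""))
        if key in ioc.registry_keys:
            hits.append(f"registry:{key}")
    return hits


def hunt(jsonl: str, ioc: IndicatorSet) -> dict[str, list[str]]:
    """Map each host with at least one indicator match to the list of matches."""
    flagged: dict[str, list[str]] = {}
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        hits = match_record(record, ioc)
        if hits:
            flagged.setdefault(record["host"], []).extend(hits)
    return flagged


if __name__ == "__main__":
    for host, hits in hunt(TELEMETRY_JSONL, PATIENT_ZERO).items():
        print(host, "->", ", ".join(hits))
```

Two points worth noting from the output: ws-017 and ws-023 are flagged on different indicator types (a dropped file plus a persistence key on one, a command-and-control domain plus IP on the other), so a sweep should check every category rather than just file hashes; and ws-041 is not flagged even though it runs the genuine svchost.exe and talks to a Microsoft login domain, which is why indicators need to be specific (the look-alike process name, not "svchost") before they are used to sweep the network.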

Containment

Immediately establishing containment measures once the scope of an incident is identified is crucial. Short-term containment involves isolating the compromised devices from the rest of the network. Long-term containment tactics require deep-dive hard drive analysis to identify stolen and compromised data. Data forensics may also provide new insights about the attacker, and it may uncover additional indicators of compromise, which could trigger the need to reevaluate and rerun the identification phase.

Eradication

Eradication steps differ depending on how and why a device was compromised. Successful eradication requires a combination of patching infected devices, removing malicious software, and deactivating compromised accounts.

Recovery

The recovery phase encompasses the steps to restore regular service. If clean backups are present, they can be restored. Rebuilding any compromised devices helps ensure a safe and clean recovery. Monitoring affected devices after any cyberattack is a prudent safety precaution.

Incident Postmortem

Reviewing the entire episode of a malware breach is instrumental in preventing future ones. Start with the most critical question, “How do we stop this from happening again?” Holding a post-incident review to investigate how the incident happened and determine measures to prevent future attacks is a pivotal means of prevention. However, such reviews only help if the company’s procedures and playbooks for responding to future attacks reflect the changes agreed after the review.

Protecting Your Business

Hackers have been making headlines for years now. And with COVID-19, the news worsens since remote work is the new normal, making businesses increasingly vulnerable to threats. Today, small and medium-sized companies frequently experience data breaches, ransomware, and other cyber threats, proving they are just as vulnerable and desirable targets for cyber attacks as big companies.

Following the suggestions in this guide is your first line of defense. Safeguarding your business with the best NJ Cyber Insurance coverage available is the next vital step to protect your operations. At Dickstein Associates Agency, we design comprehensive insurance plans to help your business recover after a ransomware attack or data breach. Your policy will provide financial support to put the damage right and help with legal and regulatory headaches in the wake of an incident. 

About Dickstein Associates Agency

Dickstein Associates Agency has distinguished itself as a leading provider of personal and business insurance in the tri-state area since 1965. We pride ourselves on being advocates for our clients and providing them with quality and affordable coverages. As a Trusted Choice™ independent insurance agency, we partner with various national and regional carriers, allowing for flexible coverage for each client’s unique circumstances. For more information on how you can leverage all your insurance to work best for you, and how we can secure the best insurance in the marketplace suited to your specific needs and business objectives, contact us today at (800) 862-6662 or www.dicksteininsurance.com.
