An Introduction to Incident Response for SMBs
Overview
Every organization experiences cyberattacks, and these are referred to as incidents. "Incident" almost always refers to something bad happening. Sometimes an incident results in a security breach. "Breach" is usually used when an unauthorized person or program gains access to computers, networks, or devices and information is stolen.
Your organization has a mission, and usually cybersecurity is not considered to be part of that mission. Yet your organization needs to take steps to live through, or be resilient to, cyberattacks. You must be prepared. Incident Response planning is the process of being prepared for attacks and being able to respond to attacks with pre-planned actions. The purpose is to minimize damage to your organization.
The Details
Background
Small and medium-sized businesses (SMBs) are a target for attackers, and SMBs generally have fewer resources to respond to attacks. Sometimes people in small businesses think they are too small for anyone to want to attack them. This is not the case. The 2023 Verizon Data Breach Investigations Report indicates that SMBs face similar attack types, patterns and motives as large businesses. (You can download your own copy of the 2023 DBIR at verizon.com/dbir.)
Your organization needs to take appropriate steps to plan for an incident and how you will recover. This is called an Incident Response Plan.
There are six major components to an incident response, and you need to plan for each. While incident response seems to be a technical response, these responses must be driven by the organization's goals – minimize financial loss, minimize liability, minimize future risk, etc.
So, let’s look at an overview of these six components of incident response. Although it seems like these steps are sequential, they often are performed iteratively.
The Six Components of Incident Response
- Preparation: This component is where it all begins. Tools, policies and procedures should be identified that will help you respond to the incident. A qualified response team should be identified. You should have a plan for communicating both inside your organization and with external entities – law enforcement, your attorneys, and media. You should validate and test your backup systems. Finally, create some realistic scenarios that you will use to test your plan and response capabilities.
- Identification: Here is the plan for how you will detect and verify that an incident has occurred. There are many sources of information that could indicate an incident. These could come from your network and computer monitoring/logging systems. You should have a monitoring system that alerts on common signs of compromise, such as unusual network traffic or messages on users' computer screens. It is important that a human verify that an incident has occurred and define the type of incident, because this affects how you will respond. When an incident occurs, the scope and severity of the incident need to be defined and the response team is activated.
- Containment: The goal of containment is to stop the Bad Guy from continuing to operate in your environment. Some possibilities for containment are: disconnecting the system from the network, blocking malicious traffic at routers/firewalls, changing passwords, patching the system or changing DNS entries. Care should be taken to preserve any evidence that might be useful during a later prosecution of the attackers. Evidence may be logs, screenshots or memory dumps of affected systems.
- Eradication: Eradication may occur simultaneously with Containment, but first there needs to be some analysis. The evidence must be examined and the root cause of the incident identified. The path of the attack may identify how the incident occurred. It is important to identify any/all data that was stolen or compromised. This all leads to getting the Bad Guy or malicious software out of the system.
- Recovery: The business needs to get back up and running. Rebuild systems if necessary. Restore from backups as needed. Establish new monitoring regimens. Bring systems up during off-hours if possible. Fix the root cause of the incident. Was it because of weak passwords or no multi-factor authentication? Did someone click on a phishing email? Or something else?
- Post-Incident: By this time the technical aspects of the response are complete. Now the effectiveness of the response plan should be evaluated. Look for gaps or weaknesses in your plan. Communicate to the appropriate organizations and people that the incident is over and how it was resolved. Let the business leaders know what happened and the steps taken. Learn from what happened!
Why Is This Important?
As mentioned earlier, every organization, regardless of size or purpose, is a target of malicious activity and cyberattacks. Cyberattacks are a serious risk for SMBs, which may not have the resources or expertise to deal with them. By having an incident response plan in place, you can reduce the damage, recover faster, and improve your security posture.
The incident response plan is a set of tools and procedures to help your organization respond to a cybersecurity incident in a well-thought-out manner. It gives thought to all sorts of external threats, helps the organization minimize losses and provides guidance for restoring systems.
Your organization's incident response plan shows that you give serious attention to protecting your organization's assets (data, money, people) and your customers' information. Some regulatory frameworks require you to have this plan. Having a written incident response plan may also help to lower your costs for cyber insurance.
Your incident response plan can lead to minimizing the impact of an incident and could help to minimize reputational damage due to the incident.
Next Steps
Here’s an action plan that will get you started.
- Create a handful of realistic scenarios that you could use to begin thinking about your incident response plans. These could be ransomware, internal theft of data, unauthorized use of systems, or even receipt of phishing emails.
- Test your backup systems to ensure they can be used effectively when needed.
- Establish a means to monitor for unusual network activity.
- Create the beginning outline of what you would do if you (a) notice unusual network activity or (b) have a staff member that receives a ransomware notification on their computer screen.
And if you need some help with creating or testing your Incident Response plan, hit that Contact Us button at the top of the page to get ahold of us!