The 3 Keys to a Successful Cyber Incident Response Strategy

Ask any CISO and they’ll tell you dealing with the immediate challenges of an active cyber incident is only half the battle (less, actually). An effective response requires a well-executed incident response and remediation strategy that covers both before and after an incident to limit both major disruption to business operations and financial harm. 

As ransomware events have become commonplace (and, unfortunately, more profitable for threat actors), cyber risk has become top of mind for a broader set of organizations than ever before. Thus, we’ve witnessed the rise in popularity of robust, standalone cyber liability policies — what were previously a niche product. With more organizations eager to invest in their cyber resilience, preparedness, and insurance, it's time to break down the right Incident Response strategy as well.

The Two Key Angles of Incident Response to Consider:

• The things your organization can do independently to prepare

• The way your organization works with your cyber insurer, before, during, and after a cybersecurity incident

We’ll cover both in this post, but you can dig deeper on what to do after a cyber attack with our two downloadable guides: Incident Response Done Right and How to Work with Your Cyber Insurer on Incident Response.

What Are the 3 Keys to a Successful Cyber Incident Response?

1. Prep Before the Incident

Lucky you: you’ve never had a breach at your organization thanks to your cybersecurity risk management efforts. You haven’t experienced any frantic alerts from IT, any belligerent ransom demands, and the IT system is generally an afterthought. At this moment, an incident response policy may not be top of mind. But time and time again, we’ve seen that those who prepare accordingly before a worst-case scenario have the quickest and most effective turnarounds after a cyber attack. Below, we’ll highlight some key preparation must-haves to ensure your organization can bounce back fast if that unfortunate day rolls around. 

Have an incident response plan (IRP)

• This written document showcases that your organization has a system in place before there’s a breach, enabling a quick response for mitigating threats. If you don’t have an IRP in place yet — that’s where to start. The SANS Institute, a provider for security training and certification, published a handbook on a structured 6-step plan for incident response training which includes details on developing an IRP and practicing a “fire drill.”

• Your IRP should clearly outline your carrier’s contact information, as they’ll be a first line of contact for providing you with resources to get out on the other side, such as breach coaches and forensic teams.

Develop an asset inventory of incident response tools

• The Corvus team has seen countless organizations deal with cyber incidents, but one of the most efficient responses we’ve seen started out with an advantage. They had a clear asset inventory established before the incident, saving them precious time in the early hours of the incident. Half the battle is knowing what you have. Outline all of your systems and their associated applications. 

• Know your Tier 1 infrastructure, which is the bare minimum of what you need up and running to be able to do anything.

Have a robust backup strategy

• Properly maintained and protected backups can be your strongest asset for bouncing back quickly after a ransomware attack. Consider the 3-2-1-1-0 backup strategy, which ensures you have multiple copies of your data stored with different forms of media (your own production data, offsite storage, and immutable backups — to name a few). 

2. Knowing the Key Steps of Incident Response

Maybe you’ve received an alert from your COO — there’s a suspected breach at your organization, and you need to be wary of incoming emails — or everything has gone offline completely. No matter the circumstances, panic might be setting in. Before anything else, we’d like to highlight how parallel work streams can help your organization move forward in the incident response process. As opposed to constricting your teams to working through a linear timeline, waiting on one result before starting the next stage, we suggest the practice of different work streams occurring simultaneously that spawn from one Incident Response Lead that oversees the entire process. 

The sub-teams will focus on recovery, containment, and forensics, all with the common goal of resolving the incident. 

Forensics

The first phase of the recovery process typically involves a third-party performing a forensic examination of the IT system. They want to paint a picture of exactly what happened within your environment, and the investigation will run smoother with coordination from a team of employees providing resources to the forensics experts.

Containment

The goal here is to prevent further access or damage to your systems through cyber risk reduction. With the help of insights from the forensic team, you can go beyond the basic preventative security methods (like changing passwords of admin accounts and disconnecting the environment) to pinpointing specific measures to decrease risk to your organization. 

Recovery

After making significant progress with the above efforts, new sub-teams can form to start repairing damage, restoring data, replacing hardware, and generally getting back online. A huge organizational help can be working from one single document that contains the status of all of the operating systems. This enables everyone, across teams, to update the tracker to the current status of each system. For more on how each of these steps can be done optimally, read our full guide to Incident Response Done Right here.

3. Work WITH Your Insurer 

One of the primary benefits of cyber insurance is that your provider can be your greatest advocate in responding to a cyber incident. But it’s important to know how to leverage their resources for maximum impact and to avoid common mistakes that can derail your incident response services. Below are some quick best practices (dive in deeper here) for working with your carrier through an incident:

Before an incident

• Socialize the IRP among necessary staff and do training on how to recover from cyber attacks and security threats. When creating an IRP, make sure to document the who, when, and how of contacting your carrier — they can help if needed!

When you discover an incident

• Follow the instructions and security measures in your IRP on who will contact your carrier, and how. Do so with safety in mind (don’t use email accounts that may be compromised). 

As you work with vendors

• Tell your carrier what you know, but resist starting your own internal investigation. Your vendors have your best interests in mind. 

• Your carrier’s claims team has the experience and knowledge to recommend vendors, use it to your advantage!

• Be forthcoming with vendors — tell them everything you know so they can better serve your organization

As you work with counsel

• Be ready to act quickly on the advice of your counsel to ensure you comply with notification laws and avoid additional fines that would increase the cost of the incident

When you can reflect

• Have an honest post-mortem to understand what your team did well in responding to the incident, to help improve your cyber mitigation strategies. Unlike lightning striking twice, unfortunately, attacks can (and do) happen again to victims, and you can be even better prepared in the future through proper cyber risk mitigation.

• Be ready to show investigators the extent of your preparations and the ways in which the security professionals on your team acted in accordance with those preparations.