Are you IR Prepared? A Checklist
Responding to an incident can be a complicated process for two major reasons: firstly, no two incidents are the same; and secondly, to successfully respond, multiple people, teams, and departments all have to work together effectively. As a result, ensuring that you prepare for an incident and have a response plan is a significant factor in determining the outcome.
1. Have A Plan
An incident response plan is a plan that outlines the procedures, steps, and responsibilities when responding to an incident. Incident response planning often includes the following details:
- The organization’s approach to incident response
- Activities required in each phase of incident response
- Roles and responsibilities for completing IR activities
- Communication pathways between the incident response team and the rest of the organization
- Metrics to capture the effectiveness of its IR capabilities
The NCSC has published guidance on how to plan out your incident response process.
2. Identify Evidence Sources
It would be virtually impossible to investigate an incident without evidence, and in general the more evidence you have available, the better the chance of a successful outcome. It is therefore vital that your organization knows, before an incident occurs, what evidence is available and how best to access it. It is equally important to verify that sources such as logging are actually enabled and still running: a log source that is switched off, or that has silently stopped, records nothing, and the gap is usually discovered only when the evidence is needed.
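The "is logging actually running" check above can be automated rather than assumed. The following is an added example (not Cado's code and not part of the original post): it takes an inventory of the evidence sources you expect to exist, each with the maximum acceptable age of its newest event, and reports every source that is missing, stale, or present in the logs but absent from the inventory. The source names, the log line format (`<ISO-8601 timestamp> <source> <message>`) and the sample lines are all constructed for the example; in practice the lines would come from your SIEM or log store.

```python
"""Evidence-source readiness check.

Added example, not Cado's code. The inventory, thresholds and log lines
below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: source name -> maximum acceptable age of its newest event.
EXPECTED_SOURCES = {
    "cloudtrail": timedelta(minutes=30),
    "vpc-flow-logs": timedelta(minutes=15),
    "edr-telemetry": timedelta(minutes=10),
    "auth-logs": timedelta(hours=1),
}

# Constructed sample log lines in the assumed format "<timestamp> <source> <message>".
SAMPLE_LOG_LINES = [
    "2024-05-01T09:58:00Z cloudtrail ConsoleLogin succeeded",
    "2024-05-01T09:59:30Z cloudtrail AssumeRole succeeded",
    "2024-05-01T07:10:00Z vpc-flow-logs ACCEPT 10.0.1.5 -> 10.0.2.9:443",
    "2024-05-01T09:55:00Z edr-telemetry process start /usr/bin/curl",
    "2024-05-01T09:50:00Z k8s-audit create pod default/web",
    "malformed line without a timestamp",
]

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (timestamp, source) for a well-formed line, or None otherwise."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return ts, parts[1]


def latest_event_per_source(lines):
    """Map each source seen in the lines to the timestamp of its newest event."""
    latest = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not counted as evidence
        ts, source = parsed
        if source not in latest or ts > latest[source]:
            latest[source] = ts
    return latest


def check_evidence_sources(lines, expected, now):
    """Return {source: status} where status is 'ok', 'stale', 'missing' or 'unlisted'.

    'missing'  - expected source has produced no events at all
    'stale'    - expected source exists but its newest event is older than allowed
    'unlisted' - source is producing events but is not in the inventory
    """
    latest = latest_event_per_source(lines)
    report = {}
    for source, max_age in expected.items():
        if source not in latest:
            report[source] = "missing"
        elif now - latest[source] > max_age:
            report[source] = "stale"
        else:
            report[source] = "ok"
    for source in latest:
        if source not in expected:
            report[source] = "unlisted"
    return report


def run_check():
    """Run the check over the constructed sample data."""
    return check_evidence_sources(SAMPLE_LOG_LINES, EXPECTED_SOURCES, NOW)


if __name__ == "__main__":
    for source, status in sorted(run_check().items()):
        print(f"{source:15s} {status}")
```

Run on a schedule, a report with anything other than `ok` is the readiness finding: `missing` means a source you are counting on produces nothing, `stale` means it has silently stopped, and `unlisted` means your evidence inventory is incomplete.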
3. Access
Access is one of the biggest blockers in investigations, especially in the cloud, where access to cloud resources is often controlled by a cloud team separate from the IR team. Analysts frequently find they cannot get the access they need fast enough and end up waiting for it to be granted while the attackers are free to operate unhindered. To be prepared, check before an incident that analysts and IR teams can actually reach the resources they need to complete investigations, rather than assuming access will be arranged on the day.
4. Communication
During an incident, it is vital that the various teams and stakeholders get the information they need. Before an incident, identify who needs to know what, where they can obtain that information, and where each team should send the information it produces.
5. Establish Triage Criteria
Understanding the severity of an incident allows you to determine how urgent your response is. It also enables you to ensure that the correct people are involved from the outset.
Severity is typically considered against the following:
Availability: Is the availability of data or systems impacted?
Confidentiality: Has sensitive data been accessed, leaked, or stolen?
Integrity: Could data or systems have been altered such that they cannot be trusted?
The NCSC suggests creating a severity matrix to aid your evaluation of incident severity.
6. Escalation
The severity level will inform how quickly the incident needs to be handled and to whom it might need to be escalated. It is best practice to establish which severities are escalated to which levels. Important things to establish are who the escalation points of contact are, their contact details (including out-of-hours), and how quickly the escalation needs to occur.
7. Review Regularly
The final and possibly most important point is to regularly review all of the things mentioned above. As projects and resource groups grow and teams change, things get missed, and a response plan that is out of date can cause more problems than it solves. CISA recommends a quarterly review cycle for IR preparedness to ensure that nothing slips through the cracks.
Be Prepared With Cado
The Cado platform provides an Incident Readiness Dashboard that provides a readiness score based on several factors, including whether the organization can acquire critical forensic evidence across its environment. This dashboard enables organizations to continuously improve their ability to proactively and regularly understand their risk posture and invest in incident readiness improvements based on actionable insights.
The Cado Incident Readiness Dashboard
The dashboard is just one of the many ways the Cado platform empowers investigators using the power of the cloud. The Cado Platform also allows security teams to:
- Automate the entire end-to-end incident response process – from collecting, preserving, and analyzing forensic evidence, to containing the threat and limiting its impact.
- Prepare comprehensively for an incident by setting up accesses, testing data acquisition, implementing automation rules, and integrating with third-party systems, including incident management platforms and XDR, SOAR, CNAPP, and SIEM tools.
- Test for incident preparedness in order to continuously understand risk posture, know where gaps exist, and where to invest in reducing exposure.
If you want to find out more about how the Cado Platform can allow your organization to carry out investigations at cloud speed, schedule a demo with one of our team, or try our 14-day free trial.