In 2023, almost 40% of attacks came from software/API vulnerabilities. In addition, the same Palo Alto report found that in close to half of the cases, hackers exfiltrated the data in less than 24 hours. These fast attacks, which leverage zero-day vulnerabilities and known vulnerabilities that are slow to be patched, are a popular attack trend, and preventing them is challenging. The shift to the cloud has also changed incident response, and many teams are unprepared for the curveballs that come with working with cloud providers. What’s your best bet? Assume you will have an incident and make sure your incident response playbook addresses today’s latest threats.
IBM found that having an updated incident response plan and a properly trained IR team can save your organization $2.6 million in data breach costs. Whether you are looking to create an incident response playbook for the first time or update your existing plan, let’s dive into the key elements to include, timely updates such as zero-day vulnerabilities and cloud incident response, and what’s in our LMG Security IR “go bag”!
These days, many organizations use the terms “incident response plan” and “incident response playbook” interchangeably. Often, however, an IR plan is a strategic document that outlines your goals and major activities in the event of a breach, while an incident response playbook is a detailed guide with specific steps, contact information, and more. Playbooks range from short guidance documents to incredibly detailed step-by-step directions. Some organizations also have incident response playbooks that specify unique actions depending on the type of breach (e.g., a zero-day breach versus ransomware). You should decide what level of guidance your organization needs and whether to invest internal resources or outsource the development of your organization’s IR plan or playbook.
There are three crucial controls that you should have in place as the minimum baseline for proactive incident response preparation.
Now that we’ve covered the topics and minimum tools you will need in your plan, let’s jump into a step-by-step guide on what to include in your incident response playbook.
One of the biggest changes in incident response has been the shift to the cloud. For example, if you are dealing with a cloud breach you may encounter unique challenges, including data preservation and limited vulnerability management options in your specific cloud service (which means logs may not exist, data inventories may be limited, etc.). Even worse, our team finds that the cloud providers’ tools can’t always be trusted. Some can:
So, what does this mean? Our team recommends ensuring that your incident response playbook is updated to address cloud-based response issues, and then PRACTICE your response. Seriously, practicing makes all the difference. Not practicing your response is the equivalent of a sports team playing games without ever holding a practice. The best way to practice your response is with a tabletop exercise. For more details, read our blogs on how to conduct tabletop exercises and on our favorite scenarios: the best tabletop scenarios for 2024 and evergreen tabletop exercise topics. Keep in mind that for your plan or playbook to be effective, your IT team also needs to be trained on how to quickly spot an incident, as this is crucial to activating your plan and reducing damage.
Until recently, few organizations considered zero-day vulnerability response when designing their incident response playbooks. Today, it’s a crucial component given the speed of exploitation. Fortunately, CISA has provided an example of how to integrate vulnerability response into your incident response playbook. In the image below, you can see a simple incident response process graphic from the CISA Incident and Vulnerability Response Playbook that can be included in your incident response playbook and guide your team on what to do in the case of an incident. This chart gives your incident response team a clear process for determining whether a newly identified vulnerability may have led to an actual intrusion, along with steps to quickly reduce risk.
While there are many tactical steps you can take to reduce your risk, you should start with these four key strategic initiatives to proactively prepare for an incident.
Your team should define what you can realistically do in all four of these areas right now, and you should create a plan to phase in any missing initiatives as soon as your organization’s budget and resources allow.
We hope you found this information helpful. If your team is stretched thin or you want experts to support your policy development, contact the LMG Security team and we can lighten your workload and ensure you’re aligned with today’s best practices!
Blog post courtesy of LMG Security.