How incident response plans involve remote working strategies
An incident response plan is a normal, routine part of good IT security and cyber defense. It is exactly what it sounds like: following a predefined plan when faced with an intrusion or other malicious activity.
However, today’s cyber environments are quite different, mainly because (you guessed it) of remote working. How do you create and manage an incident response for a “spread out” network? There’s no single simple answer, but it’s something worth planning for. We’ll look at what constitutes a strong incident response strategy and how it applies to remote working.
Hallmarks of a good incident response
Every person, organization, enterprise, and business operates differently, so their incident response plans will differ according to their needs. But there are always foundations to a solid incident response plan (incident response, or IR, moving forward; the plan itself is an IRP).
Most solid IR plans constitute the following:
- A way to identify and report incidents
- Professionals who respond to the incident in a timely fashion
- Downtime estimations
- Methods to eliminate threats
- Post-analysis of threat with cohesive, transparent reports
Sound familiar? It should. If it doesn’t, you may want to take a hard look at your current IRP. Lacking strategies like these, or backup and recovery plans, is a recipe for future disaster.
Let’s take this foundation and translate it to remote working operations. The strategies, fortunately, aren’t too different, but you must account for the distance and the literally remote aspect of remote work.
Phases of a good IRP
The Response Team
Good incident response starts with a team: a group of experts, veterans, staff, and management. It can be as large or as small as needed. With remote working, though, building this team is trickier, mainly because remote workers now often shoulder much of the burden of day-to-day cybersecurity defense.
Therefore, in both small and large ways, remote staff are part of incident response. Not in the sense that they’re directly responsible for handling a breach or malicious attack, but in that they are often the first to notice and report a breach.
Anyone dealing with a breach event should be able to notify the IT and security teams as quickly as possible. For remote workers, an emergency method of contacting the response team should be available.
Note: there is a complication here. What if a breach takes advantage of trusted users to escalate the attack? In social engineering schemes, an attacker could impersonate a trusted user pretending to report a breach. If this occurs, keep a lookout for unusual requests to access secure parts of the network.
Detection and Mobilization
Open communication is critical because it allows for agile detection of the threat, so that a response, whatever it should be, can be made. Communication in remote environments therefore remains one of the largest hurdles: if IR is slowed by lagged responses, detection and analysis of a threat will hit roadblocks.
You’ll want to have processes set up for detecting threats, intrusions, and possible red flag scenarios that fit a remote working environment. Of course, that’s easier said than done.
There are numerous red-flag events (events that trigger some type of security response). Some of them are as follows:
- Security software raising alerts based on unusual activity in any part of the network
- In-depth logs revealing abnormal behavior, which could include operating system behavior, data access (when a file is accessed), modifications to any services, and/or connection attempts from unusual traffic
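As an added example (not code from the original article), the following Python script applies the log-based red flags above to a handful of constructed remote-access log lines. The pipe-separated log format, the working-hours window, the failed-login threshold and the rule names are all assumptions made for this example; in practice they would come from your VPN or identity provider's log format and your own policy.

```python
"""Constructed red-flag detector for remote-access logs (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines, not real data. The pipe-separated layout is an
# assumption for this example: timestamp|user|src_ip|country|event|detail
SAMPLE_LOGS = """\
2024-03-04T08:55:12|alice|203.0.113.10|US|vpn_login|ok
2024-03-04T09:02:40|bob|198.51.100.7|US|vpn_login|ok
2024-03-04T09:10:03|alice|203.0.113.10|US|file_access|/finance/q1.xlsx
2024-03-04T23:48:19|alice|192.0.2.55|RO|vpn_login|ok
2024-03-04T23:51:02|alice|192.0.2.55|RO|service_change|sshd config modified
2024-03-04T23:52:11|bob|198.51.100.7|US|vpn_login|fail
2024-03-04T23:52:19|bob|198.51.100.7|US|vpn_login|fail
2024-03-04T23:52:27|bob|198.51.100.7|US|vpn_login|fail
2024-03-04T23:52:36|bob|198.51.100.7|US|vpn_login|fail
2024-03-04T23:52:44|bob|198.51.100.7|US|vpn_login|fail
"""

# Assumed policy values; tune them to your own environment.
WORK_HOURS = range(6, 21)  # 06:00-20:59 is treated as normal working time
FAIL_THRESHOLD = 5         # failed logins per user that count as a burst


def parse_line(line):
    """Split one pipe-separated log line into a dict with a parsed timestamp."""
    ts, user, ip, country, event, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "event": event, "detail": detail}


def detect_red_flags(log_text, baseline_countries=None):
    """Scan log lines in order and return (rule, user, reason) tuples.

    baseline_countries: optional {user: set(countries)} learned from earlier,
    known-good activity. Without it, each user's first country is taken as
    their baseline, so a user's first login never fires the new-country rule.
    """
    seen = defaultdict(set)
    for user, countries in (baseline_countries or {}).items():
        seen[user].update(countries)
    failed = Counter()
    alerts = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        user, event = rec["user"], rec["event"]

        if event == "vpn_login" and rec["detail"] == "ok":
            # Rule 1: successful login from a country this user has not used before
            if seen[user] and rec["country"] not in seen[user]:
                alerts.append(("new_country", user,
                               f"login from {rec['country']} via {rec['ip']}"))
            seen[user].add(rec["country"])
            # Rule 2: successful login outside working hours
            if rec["ts"].hour not in WORK_HOURS:
                alerts.append(("off_hours_login", user,
                               f"login at {rec['ts'].isoformat()}"))

        elif event == "vpn_login" and rec["detail"] == "fail":
            # Rule 3: burst of failed logins against one account (fires once)
            failed[user] += 1
            if failed[user] == FAIL_THRESHOLD:
                alerts.append(("failed_login_burst", user,
                               f"{FAIL_THRESHOLD} failed logins from {rec['ip']}"))

        elif event == "service_change":
            # Rule 4: any modification to a service is worth a responder's look
            alerts.append(("service_change", user, rec["detail"]))

    return alerts


def alerts_by_user(alerts):
    """Group alert rule names per user so responders see who needs attention first."""
    grouped = defaultdict(list)
    for rule, user, _ in alerts:
        grouped[user].append(rule)
    return dict(grouped)


if __name__ == "__main__":
    for rule, user, reason in detect_red_flags(SAMPLE_LOGS):
        print(f"[{rule}] {user}: {reason}")
```

Run against the constructed lines, the script flags alice's late-night login from a country she has not used before, the service modification that follows it, and the burst of failed logins against bob's account, while the ordinary daytime file access produces nothing. Feeding a baseline of known-good countries per user (the `baseline_countries` argument) suppresses the new-country alert for locations you have already vetted, which is how you keep the rule from paging on every legitimate traveller.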
The types of tools you use for threat detection will vary. Use simple, flexible apps and software that integrate well both with your business needs and with each other.
Containment and Removal
“Containment” in a remote setup is a challenging obstacle indeed. Remote working operations create a wide attack surface, which adds to the amount of malware you may encounter.
Because of remote working’s unique characteristics and the potential for weaker cybersecurity infrastructure, damage can spread quickly. Containment should therefore be a powerful foundation of your IRP in order to mitigate as much harm as possible. In remote working, some key steps can always be taken:
- Quarantine infected system(s)
- Disable access to parts of the remote network, in part or in whole (one reason network segmentation is always recommended)
- Reset passwords across the board (or at whatever scope is necessary)
- Install patches and software updates
- Prepare any backup systems you have (and set them up if you haven’t already; take a hard look at your current BDR plans)
In a remote working situation, these steps could entail blocking access from remote systems you suspect are compromised. All relevant parties on the network should also be alerted, including the type of intrusion suspected.
Afterward, recovery efforts should be underway.
Assessments are conducted after a breach has been dealt with. In some cases, it can take days or weeks before the damage done is fully understood.
Questions about how a breach occurred should, in remote setups, center on just that: the remote aspect. It is, of course, important to examine all intrusion points in a cyber theater, but remote networks present unique challenges.
Typical questions around breaches involve things like “was this the result of a DDoS attack or SQL injection?” In remote scenarios there are other things to consider: did the attack succeed because of social engineering or phishing? Human error? Outdated malware protection?
Post-Breach Response and Defense
Once the assessment is made and all relevant parties are properly notified, next comes the actual response. It’s better to maintain a proactive defense than a reactive one. In other words, have measures in place to counter cyber attacks before or as they happen, not only afterward. An offensive defense, if you will.
Key questions to ask should detail how the intrusion happened, specifically whether it involved remote elements. If it did, devising ways to better protect the network from remote threats should take precedence.
If you have a comprehensive IRP, a lot of what we discussed will look and sound familiar. If so, good! It means you have a healthy cyber defense environment, or at least one which takes cybersecurity seriously.
But remote working has surged in use, so it can’t be ignored. Review your current IRP with remote working in mind to stay on the cutting edge of cyber defense.