Defending Your Digital Frontier: A Smart Guide to Effective Cyber Incident Planning for SMEs

Reference the infographic here.

Lacking the deep resources of their larger counterparts, small and midsize enterprises (SMEs) face an uphill battle in cybersecurity. However, what many SMEs lack in resources can be made up with comprehensive planning to ensure that they react swiftly to any potential cybersecurity attack.

Perhaps that’s why the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) recommend that every business create a cyber incident response plan.

Creating a clear path to counter any cybersecurity incident can minimize the impact of an attack, helping SMEs recover quickly, reducing costly downtime. Demonstrating an ability to quickly overcome threats can build trust with customers and clients.

Much of the work on explaining how to create a cyber incident response plan is publicly available from CISA and NIST. Also, creating a tailored response plan with input from third-party experts (more information provided below) could ensure a more comprehensive strategy in the event of a cyberattack.

Helpful Resources to Get Started on Incident Response Planning

For most SMEs, the following U.S. government documents are a good starting point to create a cyber incident response plan which link to additional resources for more in-depth information.

• Incident Response Plan (IRP) Basics: This two-page document from CISA is a good primer that defines an IRP in terms of steps to take before, during, and after an incident. It can be serve as a quick study guide.

• Federal Government Cybersecurity Incident & Vulnerability Response Playbooks: This 43-page document lays out how federal agencies are expected to respond to cybersecurity incidents and vulnerabilities. Included are helpful checklists an organization can use to track progress on an incident.

• Incident Response Training: The CISA site has a page that links to many training resource pages and related topics. The site also includes links to publicly available courses and webinars.

• CISA Tabletop Exercise Packages: This resource provides links to PDFs and tools for training teams about how to respond to different threats. The packages or downloads can be customized for your organization and used for training or as discussion starters.

The Key Steps of Any Response Plan

SMEs looking to create a cyber incident response plan benefit from a time-tested series of steps that provide a logical plan for almost any situation. Organizations can customize these steps to meet their needs:

1. Preparation
2. Detection and Analysis
3. Containment
4. Eradication
5. Recovery
6. Post-Incident Activities

Please note that clear communication is necessary in any incident or emergency. All steps in an incident response plan need to incorporate not only “who does what,” but also “who needs to be informed” of each action. Also, get advice from legal counsel on any components that may be affected by privacy laws or data retention regulations.

1. Preparation: This is the first step in the process and provides a good foundation for the other steps.

• Identify who will be involved in each part of a response, including outside contractors.
• Identify all IT, legal, and C-level personnel who need to make decisions.
• Train IT staff on how to respond to threats with the tools and solutions to be used.
• Train employees on company cybersecurity policies and behaviors that prevent attacks from taking place.
• Use table-top exercises to discuss and review best responses.
• Prepare a security audit (by either internal or external experts).

2. Detection and Analysis: This may be the most difficult step in which the organization first verifies an incident has happened, then determines the extent and magnitude of the response.

• Set up the tools that make it possible to monitor and detect threats.
• Define the level of response to each threat or incident warrants.
• Alert all the affected parties (internal or external).
• Correctly identify the threat vector to determine its root cause.
• Safeguard or log information as best evidence for potential law enforcement investigations.

3. Containment: The detection and analysis investigation will lead to understanding the scope of the breach. This containment phase is direct mitigation of the threat by denying adversary access.

• Isolate affected systems and software from the rest of the infrastructure (may require defining short-term and long-term actions).
• Block and log unauthorized access, as well as sources of malware.
• Close specific ports, mail servers, and other relevant servers or services to enhance security.
• Change system admin passwords, update firewall settings, rotate private keys, and adjust detection tools.
• If possible, direct adversary actions to a sandbox to monitor ongoing activity.

4. Eradication: Eradication is where all actions are taken to neutralize the immediate and long-term threat.

• Eliminate all evidence of a compromise and prevent the threat actor from maintaining a presence.
• Reimage affected systems, rebuild from sources, and replace compromised files.
• Install patches, reset passwords on compromised accounts, and monitor for adversary responses.
• Maintain close monitoring for any continued unauthorized access. If spotted, an organization may need to return to the technical analysis phase to determine the cause.

5. Recovery: The goal of this phase is to return to normal business operations.

• Restore systems to normal operations and confirm functionality.
• Reconnect rebuilt/new systems to networks.
• Tighten perimeter security and implement zero trust access rules.
• Test systems thoroughly, including security controls.
• Monitor operations for abnormal behaviors during the recovery phase.

6. Post-Incident Activities: This step evaluates the complete chain of causal events to infer important information. This may address changes to governance, policies, and training.

• Identify and address “blind spots” to ensure adequate coverage.
• Monitor the environment for evidence of persistent adversary presence.
• Address root causes, infrastructure problems, organizational policy issues, and update roles, responsibilities, interfaces, and authority.
• Identify technical or operational training needs and improve tools for protection, detection, analysis, or response actions.

The process of identifying key staff and stakeholders means responsibility will be shared. It’s important that SMEs with fewer resources make the most of shared responsibility for cybersecurity. Taking cybersecurity out of its “IT” silo is essential to making safe policies and behaviors everyone’s responsibility.

Developing Customized Plans

However, if this does seem like a daunting task, SMEs can always work with cybersecurity experts to create a customized cyber incident response plan. A customized plan can help an organization better identify who should take which actions. Clear communications are critical in an emergency and having a defined responsible party for each component of the plan is critical to success.

Some cybersecurity consulting companies, such as Blackthorne Consulting, specialize in customized incident response plans. The right partner can produce tailored technical playbooks based on the technologies within a specific organization (AWS, Azure, Office 365) and each kind of threat vector (ransomware, email compromise, phishing attacks).  

Whether an organization creates its own plan from scratch or partners with a cybersecurity consulting team to create a customized plan, the planning process has its benefits. By identifying stakeholders and sharing cybersecurity responsibility (part of the first step), this helps make cybersecurity everyone’s responsibility.

The Bottom Line

Getting cybersecurity out of the IT silo is an important accomplishment. Threat actors don’t just target the IT department – they target everyone. As a result, ensuring that everyone is mindful and prepared is the best way to anticipate and prevent threats.