Cybereason Blog | Cybersecurity News and Analysis

How to improve your organization's incident response plan

Written by Mor Levi | Jun 20, 2016 3:10:15 PM

Even the best incident response plans are probably missing important details that could help a company better handle a security situation. In some cases, organizations create a plan that only includes the perspectives of security and IT personnel since they're the people who would handle the fallout from an incident like a data breach. But re-establishing normal business operations after an incident can require the efforts of employees from other departments. These workers should, at a minimum, be aware of the incident response plan. Ideally, they should be involved with incident response planning from the start.

Security professionals often dismiss small incidents and assume they're relatively harmless compared to the more serious threats they face. However, investigating a minor incident could help analysts discover a more advanced, dangerous threat that's penetrated their network. For example, applications that are slow to load could indicate that a machine is infected with a bitcoin miner. But users may be reluctant to report a slow computer to their IT department. And even if a user opened a ticket, the IT department may lack the time and resources to investigate this type of incident.
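One way to make those "slow computer" tickets cheap to investigate is to correlate them automatically with endpoint process telemetry, so the IT desk only has to look closely at hosts where a complaint coincides with an unsigned process pegging the CPU. The script below is an added example, not code from Cybereason or the original post; the hostnames, ticket text, process names and CPU figures are constructed sample data, and the 80% / three-sample threshold is an assumed starting point for tuning, not a recommendation from the article.

```python
"""Correlate helpdesk 'slow computer' tickets with process telemetry to
surface hosts that deserve a closer look for cryptominer activity.

Added example; all tickets, hosts and telemetry below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Ticket:
    host: str
    text: str


@dataclass
class ProcSample:
    host: str
    process: str
    cpu_pct: float
    signed: bool  # whether the binary carries a trusted code signature


# Constructed helpdesk tickets (hypothetical hosts and wording).
TICKETS = [
    Ticket("ws-017", "Excel takes forever to open, laptop fan always on"),
    Ticket("ws-042", "need a new mouse"),
    Ticket("ws-103", "everything is really slow since Monday"),
]

# Constructed endpoint telemetry: several CPU samples per host over a few minutes.
TELEMETRY = [
    ProcSample("ws-017", "svchost.exe", 4.0, True),
    ProcSample("ws-017", "updater.exe", 92.0, False),
    ProcSample("ws-017", "updater.exe", 95.0, False),
    ProcSample("ws-017", "updater.exe", 97.0, False),
    ProcSample("ws-042", "chrome.exe", 35.0, True),
    ProcSample("ws-103", "outlook.exe", 12.0, True),
    ProcSample("ws-103", "outlook.exe", 9.0, True),
]

# Words in a ticket that suggest a performance complaint rather than, say, a
# hardware request. Assumed keyword list; tune to the language your users use.
SLOW_KEYWORDS = ("slow", "forever", "fan", "sluggish", "hang")


def is_slowness_ticket(ticket: Ticket) -> bool:
    """True if the ticket text reads like a performance complaint."""
    text = ticket.text.lower()
    return any(keyword in text for keyword in SLOW_KEYWORDS)


def triage(tickets, telemetry, cpu_threshold=80.0, min_samples=3):
    """Return {host: [process, ...]} for hosts that have a slowness ticket AND
    an unsigned process at or above cpu_threshold in at least min_samples
    readings. Sustained load from an unsigned binary is the combination that
    most often turns out to be a miner; signed, busy software is left alone.
    """
    # Group samples by host, then by process name.
    by_host = defaultdict(lambda: defaultdict(list))
    for sample in telemetry:
        by_host[sample.host][sample.process].append(sample)

    findings = {}
    for ticket in tickets:
        if not is_slowness_ticket(ticket):
            continue
        suspects = []
        for process, samples in by_host.get(ticket.host, {}).items():
            hot = [s for s in samples if s.cpu_pct >= cpu_threshold]
            unsigned = any(not s.signed for s in samples)
            if len(hot) >= min_samples and unsigned:
                suspects.append(process)
        if suspects:
            findings[ticket.host] = sorted(suspects)
    return findings


if __name__ == "__main__":
    for host, procs in triage(TICKETS, TELEMETRY).items():
        print(f"{host}: slowness ticket plus sustained unsigned CPU load from {procs}")
```

With the constructed data, only ws-017 is flagged: it has both a performance complaint and an unsigned binary holding the CPU above the threshold across three readings. ws-103 complained too, but its load comes from a signed mail client, so it stays a routine ticket. The point is prioritisation, not verdict: a flagged host still needs an analyst to confirm what the process is and how it arrived.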

Don't forget to include industrial control systems in your incident response plan. Computer systems found in manufacturing facilities, oil refineries and other industrial settings are often overlooked because companies assume attackers won't target them, meaning they are not monitored for suspicious activity. In other cases, people who don't work in either the IT or security departments may handle industrial control systems and not understand how to closely monitor them, leaving these systems vulnerable to attackers.

Remember to include thorough containment and remediation steps in your incident response plan. Security teams often stop only one component of an attack instead of shutting down the entire campaign. Failing to fully eradicate a malicious operation means the same attack could recur. Investigating the malware's techniques and infection vector results in a better eradication plan.

Mor Levi is a security researcher at Cybereason.