5 New Tips to Strengthen Your Agency’s 2021 Incident Response Plan

1. Collaborate with Other Agencies and the Private Sector

One of the common themes throughout the wave of new guidance we’ve seen this year has been a call to develop more collaborative relationships between federal agencies on cybersecurity matters. Large-scale incidents often involve more than one agency, and advance planning and information sharing leads to a more coordinated and effective response to emerging incidents.

The Joint Cyber Defense Collaborative brings together the federal military and law enforcement communities along with state and local partners to coordinate planning efforts, facilitate information sharing, and conduct exercises and assessments designed to measure the effectiveness of the nation’s cybersecurity defenses.

President Joe Biden is also calling for federal agencies to remove barriers to collaboration with the private sector firms that operate critical technology infrastructure. In a May 12 executive order, he called upon federal agencies to remove contractual barriers to information sharing, calling this collaboration necessary to “accelerating incident deterrence, prevention, and response efforts.”

EXPLORE: Find out how your agency can enhance its cybersecurity posture.

2. Update Responses to Specific Threats

External changes also influence the effectiveness of your incident response plan. Just as your agency’s operations evolve over time, so does the threat landscape.

Researchers discover new vulnerabilities, attackers develop new tactics and security controls mitigate risks in different ways. As you review your incident response plan, think about how changes in the external threat environment might impact your plan. What types of incidents are occurring at other government agencies and private sector organizations? Would your plan cover those incidents well?

For example, ransomware attacks have increased dramatically over the past year. While you might treat this threat as similar to other malware threats from a prevention standpoint, ransomware raises new questions from an incident response perspective.

The threat here is so significant that the DHS placed ransomware at the top of its priority list, focusing a 60-day activity sprint this spring on tackling ransomware more effectively.

Agencies at all levels of government should consider their own response plans for a ransomware attack. Documenting planned actions in incident response plans and playbooks provides an opportunity to guide future critical decisions.

3. Consider Having an Incident Response Retainer

Responding to a security incident requires skill and expertise in the discipline of incident response as well as in specific technical domains impacted by the incident.

A 2021 Kroll report notes that 46 percent of organizations have inadequate staffing to respond to cybersecurity incidents. Even those with a plan in place may benefit from leaning on outside expertise in the event of an incident.

It’s difficult to bring an IR consultant into an active response effort if you don’t already have a relationship. Consider entering into a retainer agreement with an incident response firm. This allows you to establish technical and management contacts to facilitate the rapid deployment of expertise should it become necessary during an incident.

4. Maintain an Updated Incident Response Contact List

Incident response efforts involve contacting a lot of people. You’ll need to activate your internal escalation procedures to call in team members and notify senior agency officials, and you may need to contact vendors specializing in incident response or one of your critical applications.

Depending upon the nature of your agency and the incident, you may also need to notify a specialized incident response center or call in law enforcement to assist with a criminal investigation.

When you update your incident response plan, it’s also an excellent opportunity to revisit your contact list and make sure that you update information for each of your critical vendors. The last thing you want to discover during an incident is that a key contact left his or her position and you need to bring a new representative up to speed during a crisis.

DISCOVER: How are agencies improving their network visibility?

5. Update Your Response Plans Based on Lessons Learned

There’s an adage among military tacticians: “No plan survives first contact with the enemy.” That sentiment certainly holds true when it comes to cybersecurity incident response.

No matter how robust plans seem when they are first designed, surprises are inevitable, and IT security leaders will encounter situations where the existing plan doesn’t seem like the best course of action. That’s when incident response teams must exercise their professional judgement.

Each time your agency conducts an incident response, take some time in the days that follow to walk through the response effort and identify places where you were forced to deviate from your plan.

Were those events shortcomings in the plan or one-off abnormalities? Does it make sense to modify the plan based on your recent experience? This iterative process will make the plan stronger each time you execute it.

Incident response plans play a vital role in helping organizations through the chaos and confusion of a security breach. Small, periodic investments of time in plan maintenance ensure that a plan is battle-ready when the unexpected strikes.