Intelligent SME.tech Issue 23 | Page 42


// FEATURE //

James Tamblin, BlueVoyant UK President

follow the six steps below to develop an incident response plan. There are multiple frameworks in circulation, but the following steps cover the basics – and more – of how best to respond to an incident.

1. Preparation
This begins with fully preparing for a potential cyberattack. Businesses need step-by-step guidance that defines how incident response teams will manage incidents, including internal and external communications plans and incident documentation.
The adage that a business is only as secure as its weakest link – in this case, the business within its supply chain with the weakest cybersecurity practices – should be front of mind. As internal security matures, an organisation's supply chain often becomes the weak link. Here, the supply chain means the vendors that are connected to an organisation's network.

As the size of supply chain ecosystems continues to increase – BlueVoyant research indicates that the share of businesses reporting supply chains of more than 1,000 companies rose from 8% in 2020 to 43% in 2021 – a proactive approach is crucial in ensuring that all departments of all organisations in a supply chain are ready.
2. Identification
This is the detection of malicious activity. Whether it is based on security and monitoring tools, publicly available threat information or insider information, an important part of identification is to collect and analyse as much relevant data as possible about the activity. Incident response teams must also distinguish benign activity from genuinely malicious behaviour.
This requires substantial effort in reviewing security alerts and determining whether each one is a 'false positive' – not a real security incident – or a 'true positive', which indicates malicious activity.
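To make the false-positive/true-positive triage concrete, here is an added example of the kind of logic an incident response team applies to a batch of alerts. It is not code from the article or from BlueVoyant. The alerts, the authorised-scanner allowlist, the threat-intelligence indicator list and the 30-minute correlation window are all constructed sample data; real triage would pull that context from a CMDB and threat-intelligence feeds.

```python
"""Triage a batch of security alerts into true and false positives.

Added illustration (not from the article). All alerts, allowlists and
threat-intel indicators below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed context (assumptions): an internal vulnerability scanner whose
# port scans are expected, one threat-intel indicator (RFC 5737 documentation
# range) and the window within which alerts on one host are correlated.
AUTHORISED_SCANNERS = {"10.0.0.5"}
KNOWN_BAD_IPS = {"198.51.100.23"}
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample alerts, shaped like a SIEM export.
ALERTS = [
    {"id": 1, "ts": "2024-03-01T09:00:00", "host": "web-01",
     "src": "10.0.0.5", "rule": "port_scan"},
    {"id": 2, "ts": "2024-03-01T09:05:00", "host": "web-01",
     "src": "198.51.100.23", "rule": "web_shell_upload"},
    {"id": 3, "ts": "2024-03-01T09:07:00", "host": "web-01",
     "src": "198.51.100.23", "rule": "outbound_c2_beacon"},
    {"id": 4, "ts": "2024-03-01T10:00:00", "host": "fileserver-02",
     "src": "10.0.4.19", "rule": "mass_file_rename"},
    {"id": 5, "ts": "2024-03-01T10:02:00", "host": "fileserver-02",
     "src": "10.0.4.19", "rule": "shadow_copy_deletion"},
    {"id": 6, "ts": "2024-03-01T14:00:00", "host": "laptop-17",
     "src": "10.0.9.3", "rule": "port_scan"},
]


def triage(alerts):
    """Return {alert_id: verdict}; verdict is 'true_positive',
    'false_positive' or 'needs_review'."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    verdicts = {}

    # Pass 1: context that decides an alert on its own.
    for a in ordered:
        if a["src"] in KNOWN_BAD_IPS:
            verdicts[a["id"]] = "true_positive"
        elif a["rule"] == "port_scan" and a["src"] in AUTHORISED_SCANNERS:
            verdicts[a["id"]] = "false_positive"

    # Pass 2: correlation. Distinct detections on the same host inside the
    # window are one developing incident, not unrelated one-off alerts.
    # Alerts already judged false positives are not allowed to "corroborate".
    per_host = defaultdict(list)
    for a in ordered:
        per_host[a["host"]].append(a)
    for items in per_host.values():
        for a in items:
            if a["id"] in verdicts:
                continue
            t0 = datetime.fromisoformat(a["ts"])
            related = {
                b["rule"] for b in items
                if b["id"] != a["id"]
                and abs(datetime.fromisoformat(b["ts"]) - t0) <= CORRELATION_WINDOW
                and verdicts.get(b["id"]) != "false_positive"
            }
            verdicts[a["id"]] = "true_positive" if related else "needs_review"
    return verdicts


def incidents(alerts, verdicts):
    """Group true-positive alert IDs by host into incident records for the IR team."""
    grouped = defaultdict(list)
    for a in alerts:
        if verdicts[a["id"]] == "true_positive":
            grouped[a["host"]].append(a["id"])
    return dict(grouped)


if __name__ == "__main__":
    v = triage(ALERTS)
    for a in ALERTS:
        print(a["id"], a["host"], a["rule"], "->", v[a["id"]])
    print("incidents:", incidents(ALERTS, v))
```

With the sample data, the scanner's port scan is closed as a false positive, the two web-server alerts from the known-bad address and the correlated pair on the file server become two incidents, and the lone laptop port scan is left for an analyst. The analyst queue is the important part: anything that cannot be decided by context or correlation should be reviewed rather than silently dropped.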
It's important at this stage for an organisation's threat intelligence/incident response consultancy to ensure it has secured any evidence that could be subjected to scrutiny as part of formal legal proceedings; in practice that means capturing it in a forensically sound way, with read-only copies, cryptographic hashes and a documented chain of custody. It's also crucial to ensure that the company's legal counsel has been fully briefed on the developing situation, and organisations should look towards MSSPs that can assist legal advisors and counsel before and throughout the course of proceedings.
It's important to remember that many organisations won't have large cybersecurity departments – or any at all. If this is the case, it's likely that legal counsel will not be well versed in how to deal with an ongoing cyberattack.
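The evidence-preservation point above is where hashing and a chain-of-custody record come in. The following is an added example, not code from the article or from BlueVoyant: it hashes every collected file with SHA-256, writes a manifest recording who collected what and when, and re-verifies the files later so any alteration is exposed. The evidence files, case ID and collector name are constructed, and the manifest layout is an assumption.

```python
"""Preserve evidence with SHA-256 hashes and a chain-of-custody manifest.

Added illustration (not from the article). The evidence files are constructed
in a temporary directory; the case ID, collector and manifest layout are
assumptions, not any organisation's standard.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, collector, case_id):
    """Hash every file under evidence_dir and record who collected it and when."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for p in sorted(evidence_dir.rglob("*")):
        if p.is_file():
            entries.append({
                "path": p.relative_to(evidence_dir).as_posix(),
                "size": p.stat().st_size,
                "sha256": sha256_file(p),
            })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": entries,
    }
    # Hash the manifest body (all fields except this one) so later custody
    # entries, or counsel, can reference one value for the whole collection.
    body = json.dumps(manifest, sort_keys=True, indent=2).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Re-hash the files; return the paths that are missing or no longer match."""
    problems = []
    for e in manifest["files"]:
        p = Path(evidence_dir) / e["path"]
        if not p.is_file() or sha256_file(p) != e["sha256"]:
            problems.append(e["path"])
    return problems


def demo():
    """Create constructed evidence, build the manifest, then show tamper detection.

    Returns (number of files recorded, problems before tampering,
    problems after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        ev = Path(d) / "evidence"
        (ev / "logs").mkdir(parents=True)
        # Constructed sample artefacts: one log line and a stand-in memory image.
        (ev / "logs" / "auth.log").write_bytes(
            b"Mar  1 09:05:01 web-01 sshd[412]: Accepted password for root "
            b"from 198.51.100.23 port 51022 ssh2\n")
        (ev / "memory.raw").write_bytes(os.urandom(4096))

        manifest = build_manifest(ev, collector="j.smith (IR lead)",
                                  case_id="IR-2024-0007")
        untouched = verify_manifest(ev, manifest)

        # Simulate a later alteration of the log: verification now flags it.
        with open(ev / "logs" / "auth.log", "ab") as f:
            f.write(b"tampered\n")
        tampered = verify_manifest(ev, manifest)
        return len(manifest["files"]), untouched, tampered


if __name__ == "__main__":
    print(demo())
```

In a real engagement the manifest is written alongside the evidence, signed or at least copied to write-once storage, and every hand-over appends a new custody entry referencing `manifest_sha256`. Hashing at collection time is what lets the team later show that what counsel sees is what was seized.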
3. Containment
Containment is an attempt to stop the threat from spreading in the environment and doing more damage. There are two types of containment:
• Short-term containment – Immediate action to prevent the threat from spreading, for example quarantining an application or isolating a system from the network, while preserving it for forensic examination rather than simply powering it off.
• Long-term containment – Returns affected systems to production in a clean state that matches their configuration before the threat was introduced. In practice this means rebuilding from a known-good image or backup and closing the entry point the attacker used; restoring a snapshot that still carries the original weakness invites re-infection.