5 Keys to Avoiding Common Mistakes in Incident Response

A Big Problem in State and Local Government Security

According to Sophos, state and local governments overwhelmingly report an increase in the volume of cyberattacks over the past year, both in terms of complexity (59 percent) and impact (56 percent). (Ransomware attacks seem especially problematic: Sophos reported that ransomware attacks against state and local governments rose 70 percent in 2021.) A cyberattack could allow hackers network access, shut down servers, interrupt emergency response systems, expose sensitive information and more.

An effective incident response program can help limit damage and speed up recovery from a security incident. Cross-functional IR teams can work quickly and effectively to detect, contain and recover from cyberattacks, communicate with affected stakeholders, and restore needed services. Fortunately, about half of state and local governments report they have an IR plan in place and test it regularly, according to a 2022 survey by the Center for Digital Government. Unfortunately, that means the other half either do not have a plan in place or have one that may not prove effective when needed. The worst time to find this out is during a cyberattack.

Here are five ways to make sure your incident response is timely, effective and thorough.

UP NEXT: Visibility and why it is vital for government IT network security.

Develop a Comprehensive Incident Response Plan

Whether it’s called an IR strategy, playbook or plan, the approach is the same. Incident response starts well before an actual incident, relying on a robust IT infrastructure; continuous monitoring to detect security threats; and a strong, ongoing employee security training program. The IR team should be interdisciplinary, including management, legal, HR, public relations, customer service and other personnel.

The plan should encompass:

• The cybersecurity strategy and how it supports objectives
• Roles and responsibilities of team members
• Procedures and testing scenarios for each phase of an incident: detection, analysis, containment, eradication and recovery
• Procedures for communicating with all stakeholders and regulatory compliance agencies
• Post-incident activity, lessons learned and information sharing

Test the Plan to Assess Weaknesses

The incident response plan must be tested thoroughly to determine whether it covers all relevant activities and to ensure team members are familiar with it before an incident happens. Testing is often conducted via tabletop exercises, in which team members walk through the plan and ensure they are comfortable with the roles they will play. Consider unplanned security drills that can quickly uncover gaps in the plan.

Use the Plan and Analyze Results

No matter how complete the plan, the response to an incident involves carrying out all aspects faithfully. When a cyber incident is discovered, IR teams may focus their attention on containment (to limit the damage to systems) and eradication (to remove and restore affected systems). They may perform only an initial investigation into the nature of the event. A deeper analysis of how the incident occurred and precisely where existing security measures have failed takes a back seat to the immediacy of getting back to business as usual. The crucial step of performing root cause analysis may be put off for later, only to never occur.

EXPLORE: What tools are available to help improve government security.

Keep Adequate Logs to Record Incidents

Given the length of time between when security breaches occur and when they are discovered (an average of 197 days), it is vitally important to ensure that log retention periods can cover most eventualities. Make sure firewall and intrusion detection logs have retention periods set for longer than 30 days to allow for a thorough analysis of cyber incidents and to determine the root cause.

During an incident, the team should document all actions taken. This information can reveal the reasons behind the incident and help assess how to improve response efforts. Above all, the IR plan should be a living document, updated every six months to account for new types of security issues and attacks targeting state and local governments.

Invest in Modern Tech Now

Newer technologies can vastly increase the efficiency of incident response. Chief among them is security orchestration, automation and response, or SOAR. SOAR can make IR teams more effective by integrating with other security tools and orchestrating them to enable complex responses to attacks. SOAR capabilities, such as those in the Exabeam SIEM, can use playbooks to run automated multistep workflows and generate reports that help IR team with incident analysis.

 Invest the time now, before an incident occurs. Accept that in the flurry of excitement, some things will get overlooked, so focus on those aspects of the plan during testing and security drills. Follow the plan rigorously, document everything and use the latest technology to automate what you can. Finally, don’t neglect post-event analysis and documentation of lessons learned.