CISO Tradecraft: 10 Steps to Cyber Incident Response Playbooks

On this episode of CISO Tradecraft, you can learn the 10 steps to Incident Response Planning:

Establish a Cyber Incident Response Team

Develop a 24/7 Contact list for Response Personnel

Compile Key Documentation of Business-Critical Networks and Systems

Identify Response Partners and Establish Mutual Assistance Agreements

Develop Technical Response Procedures for Incident Handling that your team can follow:
External Media - An alert identifies someone plugged in a removable USB or external device 

Attrition - An alert identifies brute force techniques to compromise systems, networks, or applications.  (Examples Attackers trying thousands of passwords on login pages)

Web - A Web Application Firewall alert shows attacks carried out against your website or web-based application

Email - A user reports phishing attacks with a malicious link or attachment

Impersonation - An attack that inserts malicious processes into something benign (example Rogue Access Point found on company property)

Improper Usage - Attack stemming from user violation of the IT policies.  (Example employee installs file sharing software on a company laptop) 

Physical Loss- Loss or theft of a physical device (Example employee loses their luggage containing a company laptop)

Classify the Severity of the Cyber Incident

Develop Strategic Communication Procedures

Develop Legal Response Procedures

Obtain CEO or Senior Executive Buy-In and Sign-off

Exercise the Plan, Train Staff, and Update the Plan Regularly

To learn more about Incident Response Planning, CISO Tradecraft recommends reading this helpful document from the American Public Power Association

If you would like to automate security reviews of infrastructure-as-code, then please check out Indeni CloudRail Link