Tips on Creating a Response Playbook

Mathew J. Schwartz writes the following in an article titled “To Survive a Data Breach, Create a Response Playbook,” written for Bank Info Security:

To best survive a data breach, have a response plan. Also ensure early warning systems are in place to detect hack attacks. Identify everyone inside and outside an organization who must be involved in responding to a suspected breach – and how and when. And regularly practice and refine that plan so everyone knows what to do – and when – to help the organization rapidly shut down an intrusion and get back up and running.

Schwartz then outlines seven essential components of a data breach preparedness plan:

  1. Invest in monitoring and detection capabilities
  2. Build a response plan
  3. Identify breach response stakeholders
  4. Regularly review and update plans
  5. Run tabletop exercises
  6. Watch how peers get “pwned”
  7. Practice paying ransomware attackers

We asked cybersecurity solutions architects Michael Barry and Chris Nolen for their input on each action item listed.

Invest in Monitoring and Detection Capabilities

Many organizations hedge their data breach notifications by saying something akin to: “We have received no reports that potentially stolen data may have been fraudulently used.” Such a lack of specificity, experts say, often traces to a breached business having failed to gather sufficient log data or retain it for a sufficient period of time.

Businesses should not just be capturing log data, but monitoring it to immediately detect unusual or suspicious happenings.

Mathew J. Schwartz

Studies regularly show that cybersecurity breaches go on for up to 200 days or more before being detected. By then, the damage has been done and critical information has been stolen.

Collecting log information is useful in reviewing events that lead to a security breach. But if log events and alerts are not actively reviewed on a daily basis, then hackers can gain access to the environment and cover their tracks by deleting or altering logs.

A third-party monitoring service can provide ongoing daily review of log events, as well as other indicators of attacks beyond what might appear in a log. In addition, these services monitor many organizations and stay abreast of the latest attacks on the internet, so they can more quickly identify a true cyberattack and help customers quickly respond.

Michael Barry

In our world of innovation, the technology is available to organizations that will allow them to overcome the constant security threats they see every day. Visibility is key to any security strategy. Each customer should have the ability to identify a breach quickly, stop it, remediate the cause, and then provide a documented history of what took place. This takes a team of people to achieve, as well as good partnerships with vendors. The ability to gather sufficient log data and retain it is a basic IT function and should be widely practiced by everyone in the business.

Chris Nolen

Build a Response Plan

What’s your plan? Fictional professors of archaeology might get to say, “I don’t know, I’m making this up as I go.” Good luck trying that line on customers and regulators.

Mathew J. Schwartz

Being prepared to respond to a cyberattack is critical. The faster an organization can respond, the more it can limit the impact of an attack and keep the organization functioning.

The longer it takes an organization to respond to a cyberattack, the higher the costs will be. These costs include lost business if critical systems are impacted.

Michael Barry

Let’s not base our response plans on what our regulators require us to do but on an industry standard, and let’s make that standard part of the IT cultures within our organizations. A solid response plan should be implemented in every organization and tested frequently.

Chris Nolen

Identify Breach Response Stakeholders

When developing a data breach response plan, identifying everyone who must be involved in the plan – as well as at which stages – is key, as is doing so in advance.

Mathew J. Schwartz

Unless key stakeholders are identified and involved in building a response plan, the plan will be ineffective and will not be taken seriously by the whole organization.

Key stakeholders are not limited to IT security; the business units that may be impacted by a breach must be involved.

Michael Barry

This is one of the most important parts of a response plan. If you’re not doing this, you don’t have a solid plan.

Chris Nolen

Regularly Review and Update Plans

Gaining corporate agreement and buy-in to have a data breach response plan is just the start. Organizations also need to ensure that it's a good plan, of course, and that they regularly practice and refine it.

Mathew J. Schwartz

Businesses change, IT systems change, and new threats and vulnerabilities are constantly emerging. Incident response (IR) plans must be kept up-to-date.

IR plans should be reviewed and updated at least annually and after any significant change to IT systems or environments (e.g., a company relocates systems to the cloud).

Michael Barry

This practice should be the norm and part of every organization’s strategy. Without a plan, there will be chaos. If that plan is not tested on a regular basis, there will be chaos. Accomplishing both will build a rock-solid plan that will not only instill confidence in the business but set them up for success in the event of an incident.

Chris Nolen

Run Tabletop Exercises

How will your organization react to a breach? . . . After running a tabletop exercise – or responding to an actual breach – always have a post-breach or after-action debrief.

Mathew J. Schwartz

If key stakeholders have not gone through an IR plan exercise, they will be less effective when responding to a real attack.

Individuals may change roles in the organization, so tabletop exercises can help staff who are new to the response team become familiar with the processes and their responsibilities.

Tabletop exercises can help identify weaknesses and gaps in IR plans.

Michael Barry

Keeping this question top of mind will only strengthen your organization’s response plan.

Chris Nolen

Watch How Peers Get “Pwned”

Pay attention to attacks against other organizations in your industry.

Many industry-specific initiatives are also available for sharing threat intelligence. Also never underestimate the power of networking and employees maintaining relationships with their counterparts in other organizations to keep track of the latest threats and trends.

Mathew J. Schwartz

Staying on top of current breaches and reviewing historical breaches provides a great tool for planning testing scenarios and resolving potential issues in your own environment. It is much less stressful to learn from someone else’s mistakes than your own.

Chris Nolen

Practice Paying Ransomware Attackers

Responding to such scenarios may involve wildly different components. But practicing is also an excellent way to not only test how to respond, but which internal and external services might need to be readied.

Mathew J. Schwartz

Paying ransomware to attackers should be the last resort – this should be the last item on the list.

Ransomware payments are typically made with bitcoin or other cryptocurrency methods. An organization’s accounting and finance department should have knowledge of how cryptocurrency payments are performed.

Michael Barry

I don’t agree with paying ransomware attackers, but there may be scenarios where it is the last chance to save your organization. Practicing these scenarios is not going to hurt. It will only strengthen your stance in the event of an attack and also instill confidence if/when the time comes.

Chris Nolen

The original article can be read in its entirety on Bank Info Security.

With the right solutions, team, and IT procedures, the risk of a cyberattack can be kept to a minimum. Accudata offers assessments to ensure your organization’s environment is safe and secure from the most vengeful attackers. Contact your Accudata account manager or fill out the form on our vulnerability management page for more information on these assessments and security solutions to benefit your business.

Accudata is ready to help your organization secure, modernize, and grow through the use of leading-edge technology solutions. Contact our team to start today!