If you build websites or run your own, you need a plan for when an intrusion occurs. Any disruption could lead to a significant loss of revenue, negative brand impact, and a breach of customer trust, especially if the website is the backbone of your business.
Fortunately, there’s a straightforward solution: an incident response plan. Incident response planning is crucial for every website’s security. It helps you manage risk before a security event or incident so your business is always protected. And if something does happen, you can recover, and quickly.
Let’s explore what an incident response plan is, why you need it, and how to create one.
What is an incident response plan?
Before understanding what an incident response plan is, it’s important to define core terms.
Every website or piece of information needs protection for its integrity, confidentiality, and availability. This triad is key to a safe, healthy website and describes what an incident response plan is protecting.
Here is what these terms (and a few related ones) mean:
Term | Definition
--- | ---
Integrity | The system has no problems or errors.
Confidentiality | The system has and protects user data.
Availability | The system is available to users who need to use it.
Event | An observable occurrence in a system or network, such as a brute force attempt.
Incident | A security event that compromises the integrity, confidentiality, or availability of an information asset.
Breach | An incident that results in the confirmed disclosure of data to an unauthorized party.
Security events and incidents require special attention so you can maintain the integrity, confidentiality, and availability of your website. That’s what a plan is for. With an incident response plan, you’ll have a formal document with clear instructions on what to do before, during, and after a security incident.
An incident response plan also allows you to note other important considerations, such as incident definitions, escalation requirements, and more. Once you create one, it should be tested and updated regularly.
Why do you need an incident response plan?
You may know what you need to do, but when an incident occurs, you may have trouble figuring out or finding all the information you need. An incident response plan outlines what exactly you need to do when a security incident strikes.
Here are more reasons you need an incident response plan:
- Find security gaps. Analyzing and documenting important security measures could show you potential areas of improvement so you can strengthen your security.
- Mitigate risks. By knowing what to do before, during, and after an incident, you can mitigate and prevent security risks.
- Protect your assets. If an incident is not handled properly, it could turn into a breach and compromise your website.
- Minimize downtime. Incident response plans are designed to get a site or system back up and running as soon as possible. Minimizing downtime is key, especially if the website generates significant revenue or traffic.
- Build trust. Being security-first gives your customers and partners peace of mind when using your website or doing business with you.
- Secure your success. Security incidents can be expensive, and a breach could force your business to close.
Overall, incident response planning helps you navigate and prevent security risks so your website and business don’t experience significant financial or reputational damage.
Creating a cyber incident response plan
An incident response plan is not as simple as planning to restore a site backup. Instead, there is a cycle. Every incident response plan will be different, but here’s a quick overview:
- Preparation, including a risk assessment and a communication plan with roles, responsibilities, and processes
- Detection of deviations from normal activity, and identification of actual security events and incidents
- Containment of the threat
- Eradication of the threat and identification of the root cause
- Recovery of systems to normal operation
- Lessons learned, so you are better prepared for the future
Let’s take a closer look.
Step 1: Preparation
The first step in incident response planning is to prepare. You need to get all the essential information together, including who is on the team. Here are more considerations to add:
- Contact information for key team members
- Involved systems and how to access them
- Reporting and analysis tools
- Risk assessment of all vulnerabilities
You should also consider your backups. Who handles your backups? When was the last time you tested your backups?
Assess all of this information and start documenting it in a simple document tool. Then, set up training for all involved team members. You can do so through a mock incident or a penetration test. (Be sure to return to this stage and retrain whenever you add new systems or staff.)
Step 2: Detection
Next is detection. The most important thing to establish for this step is what “normal” behavior looks like, so that deviations stand out. You may notice unusual activity in your log files or an uptick in spear phishing emails, for example.
Then, look for indications of compromise. This can include:
- Unusual logins
- Detected malware
- Resource overuse
- Changed files
- User reports
- Bounced emails
Add this to your incident response plan so you can easily identify these indications of compromise.
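To make the “unusual logins” indicator concrete, here is an added example (not code from the original article) that tallies POSTs to wp-login.php per source IP in a web server access log and flags IPs that fail repeatedly, ranking highest any IP that succeeded after a run of failures. The log lines are constructed, and the 200-means-failure / 302-means-success rule is an assumption about stock WordPress behavior that you should confirm against your own server’s logs.

```python
# Added example, not from the original article: flag brute-force login
# attempts against wp-login.php in a web server access log.
import re
from collections import defaultdict

# Constructed sample lines in combined log format (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.10 - - [10/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.10 - - [10/May/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "curl/8.0"
203.0.113.10 - - [10/May/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [10/May/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def count_logins(log_text):
    """Per-IP tally of wp-login.php POSTs. Assumption: stock WordPress re-renders
    the form with HTTP 200 on a failed login and answers 302 on success."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0, "success_after_fail": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not rec["path"].startswith("/wp-login.php"):
            continue
        s = stats[rec["ip"]]
        if rec["status"] == "200":
            s["failed"] += 1
        elif rec["status"] == "302":
            s["success"] += 1
            s["success_after_fail"] = s["success_after_fail"] or s["failed"] > 0
    return dict(stats)

def suspicious_ips(stats, threshold=3):
    """IPs with at least `threshold` failures; a success following failures
    (a likely guessed password) sorts first because it needs immediate attention."""
    hits = [(ip, s["failed"], s["success_after_fail"])
            for ip, s in stats.items() if s["failed"] >= threshold]
    return sorted(hits, key=lambda h: (not h[2], -h[1]))
```

Run `suspicious_ips(count_logins(open("access.log").read()))` against a real log; the IP that failed three times and then got a 302 is the one to treat as a probable account compromise rather than just noise.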
Step 3: Containment
Now, you need to consider how things will be contained. Verify what has happened and prevent the situation from getting any worse.
Here’s what you’ll need to do:
- Figure out if the site is under attack. If it is, does it need to be taken down? For how long? Can you easily remove the threat?
- Learn about the attack. Was it a targeted attack that could have an impact on your business? Was it a general bot attack that found a vulnerability?
- Prepare evidence for communication. You may need to communicate with the media or stakeholders about the situation. Preserve and document evidence such as log files, IP addresses, malware hashes, file changes, timestamps, and more. Remember to consider where this information can be found and who is responsible for verifying it.
Document what to do during this containment phase so you can quickly act and move on to removing the threat.
Step 4: Eradication
Of course, you’ll need to get rid of the problem. Here’s what to consider for this step:
- Identify the intrusion vector. How did the attacker get in? Also, assume nothing is clean until you have verified it.
- Consider backups. Have a plan for checking whether backups are compromised, and delete any that are infected.
- Assume passwords are exposed. As mentioned, assume nothing is clean, including passwords for wp-admin, SFTP/FTP, cPanel/hosting, and SSH, and change all of them.
Take note of these considerations and provide as much detail as you need for backups, passwords, and the process for eradicating the threat.
Step 5: Recovery
Now, it’s time to bring your site back to life. Do you have a clean, tested, and recent backup you can use? If not, here’s what you’ll need to do to revive your WordPress site:
- Back up the infected site to a zip archive
- Clean the backup (files and database) in an isolated location, not on the server, since the attacker may still be active
- Verify it’s clean
- Replace the live site with the cleaned site
- Test the clean, live site
- Change all passwords immediately
Be sure to document all details for recovery so downtime is minimized.
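Both the “changed files” indicator in Step 2 and the “verify it’s clean” check above come down to comparing the site’s files against a known-good baseline. The following is an added example (not the article’s own tooling) that hashes every file under a site root into a manifest during Preparation and later reports what was added, removed, or modified; the mini site it builds in a temporary directory is constructed for illustration.

```python
# Added example, not from the original article: file-integrity baseline for a
# site tree, usable both to detect changed files and to confirm a cleaned copy.
import hashlib
import tempfile
from pathlib import Path

def file_sha256(path):
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifests(baseline, current):
    """Return files added, removed, or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed mini site: take a baseline while it is known-good, then
    simulate the changes an intrusion leaves behind and report what is flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "wp-content/themes/mytheme").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed config\n")
        (site / "wp-content/themes/mytheme/functions.php").write_text("<?php // theme\n")
        baseline = build_manifest(site)  # store this somewhere off the server
        # Simulated tampering: an unexpected PHP file in uploads and an edited theme file.
        (site / "wp-content/uploads").mkdir()
        (site / "wp-content/uploads/unexpected.php").write_text("<?php // unexpected file\n")
        (site / "wp-content/themes/mytheme/functions.php").write_text("<?php // theme, edited\n")
        return diff_manifests(baseline, build_manifest(site))

if __name__ == "__main__":
    print(demo())
```

Keep the baseline manifest off the web server (an attacker who can edit files can also edit a manifest stored beside them), and regenerate it after every legitimate update so that plugin and core upgrades do not show up as tampering.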
Step 6: Lessons learned
Finally, it’s time to learn from the incident. Add a section at the end of your incident response plan with questions like:
- What happened, when did it happen, and how did it happen?
- Did the team respond well?
- Was the incident response plan useful? Where was it not?
- What information did we need sooner?
- What tools would have made our response easier?
This information is important because it allows you to see the big picture, identify areas of improvement, and prepare better for the next incident.
Build a cyber incident response plan now
Incident response plans are crucial for every website (and system), especially for sites built on WordPress, the most popular content management system. It’s safe to assume that your site will be attacked one day, so it’s not a matter of if but when. An incident response plan helps you be prepared and reduces the impact of that attack.
If you need a tool to help you improve your security posture, try Solid Security Pro. It allows you to identify vulnerabilities, close security gaps, and protect your data and business. Get it now to help you execute an effective incident response plan.