Develop a Personal Incident Response Plan (PIRP)

Soldiers never have to guess about what to do at war; hundreds of hours of drills in peacetime have not only carved what they are to do in every situation into their minds, they have committed it to muscle memory, so that they default to it without much vacillation. In many cases, the heat of battle doesn’t give you the luxury of time to ponder, deliberate and decide; seconds could spell the difference between life and death, and you must know exactly what to do well ahead of time. This level of proactiveness can only come from developing a plan and walking through it before the sounds of shelling and gunfire.

In cyberwarfare this is also critical, and one plan that is crucial in achieving this is what is called an Incident Response Plan. The IRP, in its simplest form, tells you what to do when things get ugly. While every troop goes into battle with the preparation that should keep them from being hit, they also take with them the plan that should keep them moving if they get hit, and thus minimize the resulting disaster. That is the IRP. While a disaster might be unplanned, your response to it must always be planned. And that is why I advocate that every individual—not just organizations, but every individual—should have a Personal Incident Response Plan (PIRP) that they are very familiar with. Now let’s see what this plan looks like in plain battlefield language.

Developing Your PIRP

  1. Prepare: Face the fact that you might be hit, that the strike could range from mild to severe, and equip yourself with enough cyber intelligence to handle the situation should it occur. Working through this book gives you a good deal of that equipping. Identify what your most critical information, data, applications and files are and where they are located: on your mobile device, in a folder on your computer, in the cloud, wherever. In cybersecurity this information and these files are called Critical Assets; in plain battlefield language they are your vital organs: your heart, your lungs and your kidneys. You need to know where they are and prepare to protect them if ever there’s a showdown.
  2. Identify: The first thing here is to determine if you’ve been hit, or if there’s been a compromise that could be a precursor to the big blow. Your goal here is to understand what in the world is going on. Have I been hit? Where was I hit? How bad is the wound? Are any of my vital organs affected? Who hit me? Could a second blow be coming? You ask yourself these questions in rapid-fire mode and gather the answers as quickly as you can.
  3. Contain: Stop the bleeding, and stop it fast. While you’re trying to identify what exactly has happened, you must also realize that you’re bleeding at the same time. If you dwell on the identification step, trying to get every single piece of information, you will soon lose consciousness. You need to stop the bleeding. What must I do to keep this attack from spreading? What should be shut down or taken offline? What processes can be safely aborted? What can be safely deleted? Can I run a scan to identify all the affected files, folders or endpoints (devices)? How can I safely isolate them from the rest of my assets? As you find and implement the answers to these questions you will be containing the spread of the attack and reducing the bleeding.
  4. Eradicate: Here you get rid of the root cause of the incident. Beyond getting the shrapnel out of your flesh, you must ensure that the root cause which exposed you to the explosion in the first place is completely taken out. What were my vulnerabilities? Were there software packages I failed to update? Did I fail to patch my operating system? Did I download an untrusted file? Did I install malicious software that could have created a backdoor for the attackers? You must eradicate every trace of the root cause. Minimizing and eradicating your vulnerabilities is what reduces your chances of being hit again.
  5. Recover: Here you have to get things back to normal and move on. Recovery must be rapid in warfare; you can’t afford to stay down for long after you’ve been hit, lest you be fully captured or completely crushed. Get back on your feet and move on. Restore backups of whatever you’ve lost, test your devices to be sure they’re running as they should, change whatever access credentials you need to change, and get back to business. You’re at war!
  6. Lessons Learned: This is a critical component of your PIRP. It is easy to forget the whole drama after the dust has settled; the Lessons Learned component ensures this does not happen. Here, you go over everything that just happened and ask yourself the hard questions. Where did I miss it? What could I have done differently that would have averted the attack? What part of my response plan could have been better? How long did it take me to move from ‘Identify’ to ‘Recover’? Why did it take me so long? How can my response time be shortened? Could the attack have festered a while before detection? The goal here is to learn your lessons and get more battle-ready. You will use your findings from this phase to upgrade your PIRP and prepare better for the battles ahead.
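The Prepare and Identify steps above both depend on one thing: knowing ahead of time exactly which files are your critical assets and what state they were in before the hit. The script below is an added example, written for this chapter and not taken from the book or any product it mentions. It builds a SHA-256 baseline of the files you declare critical (Prepare), then re-checks them later and reports which were modified, deleted or newly dropped in (Identify), so "where was I hit?" has a precise answer instead of a guess. The directory, file names such as passwords.kdbx and tax-2023.pdf, and all file contents are constructed for the demonstration.

```python
"""Critical-asset baseline and integrity check for a Personal Incident Response Plan.

Added example (not from the original page). Prepare: record a SHA-256 baseline of
the files you consider critical assets. Identify: re-hash them later and report
which ones were modified, are missing, or appeared unexpectedly.

Every path and file content here is constructed for the demo; point
build_baseline() at your real asset folders to use it for yourself.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large assets (archives, disk images) are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(asset_dirs) -> dict:
    """Prepare: walk each critical-asset directory and record hash and size per file."""
    baseline = {}
    for d in asset_dirs:
        for p in sorted(Path(d).rglob("*")):
            if p.is_file():
                baseline[str(p)] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline


def save_baseline(baseline: dict, out_path: Path) -> None:
    """Keep the saved baseline out of an attacker's reach (offline or read-only media)."""
    out_path.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_to_baseline(baseline: dict, asset_dirs) -> dict:
    """Identify: classify every known asset as modified, missing or unchanged, and flag new files."""
    current = build_baseline(asset_dirs)
    modified = sorted(p for p in baseline
                      if p in current and current[p]["sha256"] != baseline[p]["sha256"])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {
        "modified": modified,
        "missing": missing,
        "new": new,
        "unchanged": len(baseline) - len(modified) - len(missing),
    }


def demo() -> dict:
    """Constructed scenario: baseline two assets, then simulate a hit and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        assets = Path(tmp) / "critical"
        assets.mkdir()
        (assets / "passwords.kdbx").write_bytes(b"constructed vault contents")
        (assets / "tax-2023.pdf").write_bytes(b"constructed tax return")
        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline([assets]), baseline_file)

        # Simulated incident: one asset altered, one deleted, an unknown file dropped in.
        (assets / "passwords.kdbx").write_bytes(b"tampered")
        (assets / "tax-2023.pdf").unlink()
        (assets / "invoice.exe").write_bytes(b"MZ constructed payload")

        report = compare_to_baseline(load_baseline(baseline_file), [assets])
        # Report file names only, so the result does not depend on the temp directory.
        return {k: ([os.path.basename(p) for p in v] if isinstance(v, list) else v)
                for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline while things are calm and store the JSON somewhere the attacker cannot reach; during an incident the comparison tells you which vital organs were touched, which feeds straight into the Contain step.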
 

Marching Orders

  1. Prepare your Personal Incident Response Plan following the steps we’ve seen in this chapter.
  2. Create a mock incident scenario and walk through your PIRP to see how it runs.
  3. Practice your PIRP enough to make it your mental default.
  4. As usual, sound the battle cry to those around you—“A soldier never guesses at war; draw your plan and run your drills.”
