How to Mobilize an Incident Response Plan Using Feature Flags
We cannot know when our systems will be attacked or how much damage an attacker will do. What we can control is how well prepared we are: the quality of your incident response plan determines how much data loss you avoid and how much time and money you save. This article explains what an incident response plan is, walks through its phases, and shows how Unleash feature flags can strengthen it.
What is an Incident Response Plan?
Seeing your servers down and user credentials being stolen instills fear and panic, and people rarely make good decisions in that state. Acting in a panic tends to do more harm to the system, because nobody is sure what to shut down and what to preserve.
An incident response plan gives you confidence because it tells you, in advance, how to minimize the damage of a breach. It is a set of policies and guidelines for mitigating a malicious incident and cleaning up afterwards. It should be detailed enough to follow under pressure: a step-by-step guide to which actions to take, in what order, and by whom, so that the team can address the attack and reduce its aftermath.
Incidents carried out with malicious intent include:
- Data leaks
- Data breaches
- Ransomware
- Denial of Service (DoS)
An effective response plan is cross-functional: it involves engineering, IT security, legal, and public relations, not only the technical team. Beyond technical instructions, the plan records who to contact to obtain specific resources or approvals.
Every department has a role. Even human resources is needed, because an insider may have deliberately assisted the attacker and must be dealt with (suspended, offboarded, credentials revoked). Insider theft of secrets is not hypothetical:
Linwei Ding, a Google software engineer, was indicted by the US Department of Justice in 2024 for allegedly exfiltrating more than 500 files containing Google's artificial intelligence trade secrets, starting in 2022.
Public relations and legal advisors are crucial for deciding which breaches must be reported to regulators, and how. For example, the EU General Data Protection Regulation (GDPR) requires a personal data breach to be reported to the relevant data protection supervisory authority within 72 hours of becoming aware of it, and in the United States the Securities and Exchange Commission (SEC) requires publicly traded companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that the incident is material.
Incident Response Plan Phases
The phases differ slightly depending on the security framework you choose. This article follows the SANS Institute model, whose six steps are preparation, identification, containment, eradication, recovery, and lessons learned (the last is covered here under recovery). The National Institute of Standards and Technology (NIST) describes a similar four-phase lifecycle in SP 800-61, the Computer Security Incident Handling Guide.
- Preparation
The preparation phase happens before any incident. It puts in place everything that will be needed when one occurs: the tooling used to detect and limit a breach (logging, monitoring, scanning), the people and their responsibilities, and tested, up-to-date backups of all critical data so that loss during a breach can be reversed.
Below are the categories of security tooling you need when responding to a cyberattack:
- Security scanners
- Data leak detectors
- Network intrusion detection systems
UpGuard and Breachsense are examples of tools in these categories. Which tools suit your incident response depends on the frameworks and technologies your application uses.
This phase also produces the incident response documentation: who is responsible for which task during an incident, and how the response team communicates. Attackers sometimes compromise internal communication channels such as corporate email, so the plan must include an out-of-band way to reach teammates in case the company email domain has been taken over.
- Identification
The second phase is where the technical work starts, and it is the first point at which the plan actually mitigates risk. Engineers analyze logs, monitor network traffic, and establish the scope of the breach (which systems, which data, since when). They formally acknowledge the incident and alert management. For later investigation, and for any legal or regulatory process, they record and preserve all critical details as they are discovered.
Unleash can post a Slack message whenever a flag changes in a given environment. If someone enables or disables a production flag unexpectedly, for example an attacker who has obtained an admin token and turns off a guardrail feature, the alert tells you immediately. You can create the integration through the Unleash admin API with the request below; you need an incoming webhook URL from your Slack workspace and an Unleash admin API token.
curl --location --request POST 'https://eu.app.unleash-hosted.com/eugg0002/api/admin/addons' \
  --header 'Authorization: INSERT_API_KEY' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "provider": "slack",
    "description": "feature-change-alert",
    "enabled": true,
    "parameters": {
      "defaultChannel": "general",
      "username": "alert",
      "url": "slack webhook URL"
    },
    "events": [
      "feature-environment-enabled",
      "feature-environment-disabled"
    ],
    "projects": [],
    "environments": [
      "production"
    ]
  }'
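A Slack alert still needs a human to judge whether the change was expected. The following added example (not code from the article or from Unleash) shows the triage logic a responder would apply to the same two event types the addon above subscribes to: it reads flag-change events and reports production changes made by an actor outside an allow-list, outside the agreed change window, or that disabled a guardrail flag. The event fields (type, featureName, environment, createdBy, createdAt) are an assumption modelled on what Unleash exposes to its webhook and Slack integrations, and the sample events are constructed.

```python
"""Identification: flag unexpected production feature-flag changes.

Added example, not code from the article or from Unleash. It assumes an
event record with the fields type, featureName, environment, createdBy and
createdAt (modelled on the fields Unleash exposes to webhook and Slack
integrations); the events below are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"type": "feature-environment-enabled", "featureName": "checkout-v2",
     "environment": "production", "createdBy": "alice@example.com",
     "createdAt": "2024-05-06T10:15:00Z"},
    {"type": "feature-environment-enabled", "featureName": "export-all-users",
     "environment": "production", "createdBy": "svc-legacy-token",
     "createdAt": "2024-05-06T02:41:00Z"},
    {"type": "feature-environment-disabled", "featureName": "rate-limit",
     "environment": "production", "createdBy": "alice@example.com",
     "createdAt": "2024-05-06T03:05:00Z"},
    {"type": "feature-environment-enabled", "featureName": "debug-banner",
     "environment": "development", "createdBy": "svc-legacy-token",
     "createdAt": "2024-05-06T02:50:00Z"},
]

# Event types worth alerting on: the same two the Slack addon subscribes to.
WATCHED_TYPES = {"feature-environment-enabled", "feature-environment-disabled"}

# Flags that act as security controls: turning one off is always notable.
GUARDRAIL_FLAGS = {"rate-limit", "mfa-required"}


def parse_utc(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the sample events."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def suspicious_changes(events, allowed_actors, change_window=(8, 18),
                       environment="production"):
    """Return [(event, reasons), ...] for changes a responder should look at.

    A change is reported when any of these hold:
      * the actor is not on the allow-list of people/tokens expected to change flags
      * it happened outside the agreed change window (UTC hours, start inclusive)
      * it disabled a guardrail flag
    Events for other environments or of other types are ignored.
    """
    start_hour, end_hour = change_window
    findings = []
    for ev in events:
        if ev["type"] not in WATCHED_TYPES or ev["environment"] != environment:
            continue
        reasons = []
        if ev["createdBy"] not in allowed_actors:
            reasons.append("actor not on the allow-list")
        if not start_hour <= parse_utc(ev["createdAt"]).hour < end_hour:
            reasons.append("outside change window")
        if ev["featureName"] in GUARDRAIL_FLAGS and ev["type"].endswith("disabled"):
            reasons.append("guardrail flag disabled")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in suspicious_changes(SAMPLE_EVENTS, {"alice@example.com"}):
        print(f"{ev['createdAt']} {ev['createdBy']} {ev['type']} "
              f"{ev['featureName']}: {', '.join(reasons)}")
```

On the sample data this reports the "export-all-users" enablement (unknown token, 02:41 UTC) and the "rate-limit" disablement (a guardrail switched off at night), while ignoring the development-environment change and the daytime change by a known engineer. In practice the allow-list and change window come from the preparation-phase documentation, and the findings feed the incident record.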
- Containment
This phase aims to get control of the incident by limiting its spread and the attack surface available to the intruder. Engineers can isolate affected systems and services so that the attacker cannot pivot from them to unaffected ones. Containment is usually split into short-term and long-term: short-term containment is the quick action of disconnecting exploited systems, while long-term containment makes changes so that the business can keep operating on hardened or rebuilt systems while the investigation proceeds.
- Eradication
After limiting the damage, the next step is to find the root cause. Which vulnerability was exploited, and how was access obtained? This is a series of investigations aimed at removing all malware, backdoors, and other attacker footholds from the systems. The exploited vulnerabilities are patched, and compromised systems are rebuilt from known-good images rather than trusted after a cleanup.
- Recovery
After the vulnerabilities have been eradicated, systems are restored: data is recovered from backups where there was loss, and all systems are reconnected. The goal is to get everything operational again. Customers and stakeholders must be told that services are fully restored and that data integrity has been re-established.
Recovery is followed by the lessons-learned step: a post-incident review that assesses how effective the response was and produces concrete improvements where it was not.
How to Boost Incident Response Plans Using Feature Flags
Feature flags strengthen incident response plans because they double as kill switches: a single change turns off access to a feature or resource within seconds, without a deploy. This section shows how Unleash feature flags help you reduce impact during a breach, covering the following:
Rapid Containment and Recovery
Feature flags are crucial during containment because they let you switch off the affected features. Isolating affected features from safe ones lets you focus on diagnosing the affected ones while limiting damage. You do not have to roll back the entire application; you can disable the one or two features that need fixing.
Unleash's maintenance mode blocks all feature flag changes, which helps contain the incident if an unauthorized user has gained access to your Unleash instance and is toggling flags. Rotate the compromised API tokens and admin credentials at the same time, since an attacker with admin access could otherwise simply turn maintenance mode off again.
Incident Analysis
Unleash also helps you analyze the incident: the metrics collected from feature toggle evaluations show how usage of each feature changed during the incident. You can switch off individual features to see how the system behaves without them, and use the same A/B testing machinery to compare a cleaned system against its pre-incident behaviour before declaring the malware injected during the breach eradicated.
Phased Rollouts and Testing
After finding and eliminating the root cause, make a detailed, phased plan for deploying the fixed features. Use canary deployments: expose the changes to a small group of users first, and only once they prove safe and free of vulnerabilities roll the feature out to the rest of the user base.
Unleash lets you expose the security fix to selected users using segments. Below is an example segment that targets users by their user IDs; list the IDs to target in the values array of the constraint.
curl --location --request POST 'https://eu.app.unleash-hosted.com/eugg0002/api/admin/segments' \
  --header 'Authorization: INSERT_API_KEY' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "name": "South Dakota",
    "description": "new users",
    "project": "default",
    "constraints": [
      {
        "contextName": "userId",
        "operator": "IN",
        "value": "",
        "values": [],
        "caseInsensitive": false,
        "inverted": false
      }
    ]
  }'
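To make concrete what the kill switch, maintenance mode and segment-targeted rollout described above mean at evaluation time, here is an added example that is not the article's code and not the Unleash SDK. It models, as an assumption for illustration, a small subset of flag evaluation: IN / NOT_IN constraints on a context field (with the inverted flag), a percentage rollout with a deterministic per-user bucket, a kill switch that fails closed, and a maintenance mode that refuses writes. Unleash's real evaluation rules (operators, stickiness hashing) are richer, so treat the names and semantics here as illustrative.

```python
"""Kill switch, maintenance mode and segment-targeted rollout, modelled locally.

Added example, not the article's code and not the Unleash SDK. It models a
small subset of flag evaluation as an assumption: IN / NOT_IN constraints on a
context field (with `inverted`), a percentage rollout, a kill switch, and a
maintenance mode that freezes writes.
"""
import hashlib

# Constructed flag definitions, shaped loosely like a segment attached to a
# strategy: the fix behind "bulk-export" is visible only to the listed QA users.
FLAGS = {
    "bulk-export": {
        "enabled": True,
        "rollout": 100,
        "constraints": [{"contextName": "userId", "operator": "IN",
                         "values": ["qa-1", "qa-2"], "inverted": False}],
    },
    "legacy-login": {"enabled": True, "rollout": 100, "constraints": []},
}


def constraint_matches(constraint, context):
    """Evaluate one constraint against a request context (simplified semantics)."""
    value = context.get(constraint["contextName"])
    op = constraint["operator"]
    if op == "IN":
        hit = value in constraint["values"]
    elif op == "NOT_IN":
        hit = value not in constraint["values"]
    else:
        raise ValueError(f"unsupported operator {op}")   # fail loudly, never open
    return not hit if constraint.get("inverted") else hit


def bucket(flag_name, user_id):
    """Deterministic 1..100 bucket so a user stays in or out of a rollout.
    A sha256 stand-in for the stickiness hash real SDKs use (assumption)."""
    digest = hashlib.sha256(f"{flag_name}:{user_id}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100 + 1


class FlagStore:
    def __init__(self, flags, maintenance_mode=False):
        self.flags = {name: dict(flag) for name, flag in flags.items()}
        self.maintenance_mode = maintenance_mode

    def is_enabled(self, name, context):
        """Fail closed: unknown or killed flags are off for everyone."""
        flag = self.flags.get(name)
        if flag is None or not flag["enabled"]:
            return False
        if not all(constraint_matches(c, context) for c in flag["constraints"]):
            return False
        rollout = flag.get("rollout", 100)
        user_id = context.get("userId")
        if user_id is None:          # no stickiness key: only full rollouts apply
            return rollout >= 100
        return bucket(name, user_id) <= rollout

    def set_enabled(self, name, enabled):
        """The kill switch. Refused while maintenance mode is on, mirroring the
        write freeze, so a stolen token cannot flip flags mid-incident."""
        if self.maintenance_mode:
            raise PermissionError("maintenance mode: flag writes are frozen")
        self.flags[name]["enabled"] = enabled

    def set_rollout(self, name, percent):
        """Widen or narrow the canary; clamped to 0..100."""
        if self.maintenance_mode:
            raise PermissionError("maintenance mode: flag writes are frozen")
        self.flags[name]["rollout"] = max(0, min(100, percent))


if __name__ == "__main__":
    store = FlagStore(FLAGS)
    print(store.is_enabled("bulk-export", {"userId": "qa-1"}))   # canary user: True
    print(store.is_enabled("bulk-export", {"userId": "bob"}))    # everyone else: False
    store.set_enabled("legacy-login", False)                     # kill switch
    print(store.is_enabled("legacy-login", {"userId": "bob"}))   # False
```

Two design choices matter for incident response. Evaluation fails closed: a flag that is missing, disabled, or carries an operator the evaluator does not understand never silently turns a feature on. And the rollout bucket is a deterministic function of flag name and user ID, so a canary user who saw the fix keeps seeing it across requests, which is what makes the phased verification meaningful.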
Conclusion
Feature flag management platforms like Unleash offer further features that improve the safety and security of your application beyond those covered in this article. Adopting such a platform and enabling the security features discussed above is a worthwhile investment.
By integrating feature flags into your incident response framework, your team can manage features dynamically, contain risk through kill switches, and roll out security fixes after a breach to a small segment of users first, confirming that the repaired application is clean before exposing it to everyone.