Although cyber attacks and security breaches are nothing new, the ongoing “cyberpandemic” has still not motivated every organization to adopt best practices for cyber incident response planning.
In November 2022, a Wall Street Journal survey revealed that 74% of companies had implemented a cyber incident management framework. However, only 23% of these companies test that framework at least twice a year.
Furthermore, because many organizations have never written one, a considerable number may not know what an incident response plan should contain.
According to IBM, despite the rise in supply chain attacks, only 32% of organizations have prepared incident response plans to deal with them. Kroll, a risk consulting firm, states that more than one-third (36%) of organizations lack response plans for any kind of cyber incident.
Every business in the 21st century, regardless of its sector or size, must take the necessary time to develop an incident response plan (IRP).
There are numerous and significant advantages to having an incident response plan.
An effective IRP provides the tools and resources your organization needs to:
- Prevent organizational chaos when a breach occurs. Establish and document clear action steps, roles, and responsibilities in the event of a breach.
- Mitigate the damage a cyber incident causes more quickly, so your business operations aren’t interrupted any longer than necessary. Help minimize the cost of data breach recovery.
- Respond in a comprehensive and organized way, avoiding a scattershot and ineffective approach. Help limit the severity of business interruption.
- Ensure compliance with increasingly stringent cyber security regulations.
- Build or rebuild trust with customers, corporate partners, and others so your reputation and revenue don’t take catastrophic hits.
- Strengthen your overall security posture in a cyber landscape where malicious activities are only multiplying. Meet your regulatory duties and help defend against a charge of negligence and reduce the risk of litigation and regulatory exposures.
It is not possible to create an IRP for every possible threat; however, outlining a command structure and set of processes that allow your organization to respond strategically and methodically can reduce the impact of any incident.
Preparation
No organization can improvise an effective response at the moment an incident unfolds; a plan must already be in place both to prevent such events and to handle them when they occur.
Define the CSIRT (Computer Security Incident Response Team)
In order to effectively respond to an unfolding incident, it is crucial for all members of the CSIRT to be aware of their responsibilities and have a clear understanding of the decisions they are authorized to make.
The CSIRT should consist of individuals from various business and technical backgrounds who have the power to make decisions that benefit the business. The team should be made up of representatives from management, technical, legal, and communications fields, as well as security committee liaisons. All departments impacted by an incident should be informed, and everyone should be provided with a decision matrix to assist them in their actions throughout and following the incident.
Develop and update a plan
In order to stay up-to-date, it is crucial to have and regularly update plans and related documents. All personnel who are involved in specific responsibilities should be able to access the relevant sections of the plan and should be notified of any revisions. To enhance the plan consistently, a feedback system should be implemented following every major incident.
Acquire and Maintain the Proper Infrastructure and Tools
Identifying and investigating incidents, and preserving the evidence they leave behind, requires the capacity to detect and investigate them in the first place. To determine whether an attacker is present in your environment, endpoint security technology that gives comprehensive visibility into your endpoints and collects incident data is essential.
If you lack the appropriate tools and processes to provide guidance, you will not be adequately prepared to examine how attackers are gaining access to your systems, to reduce an attacker’s current access, or to prevent future access.
Always Improve Skills and Support Training
It is important to make sure that the IR team has the necessary skills and training. This involves regularly practicing the IR plan. It also involves having qualified personnel on the IR team, either through in-house staff or a third-party provider, who can dedicate time away from their regular jobs to maintain certifications and take advantage of educational opportunities.
Possess Up-to-Date Threat Intelligence Capabilities
The utilization of threat intelligence capabilities aids an organization in comprehending the types of threats it needs to be ready to address. It is crucial for threat intelligence to smoothly integrate into endpoint protection and employ automated incident investigations to expedite breach response. Through automation, threats can be thoroughly analyzed within minutes instead of hours, empowering the organization to outperform advanced persistent threats (APTs) through more intelligent countermeasures.
Detection & Analysis
The second phase of incident response involves determining if an incident took place, assessing its severity, and identifying its type. NIST provides guidance on five specific steps to be taken during this phase.
- Pinpoint signs of an incident (precursors and indicators): Precursors and indicators are specific signals that an incident is either about to occur, or has already occurred.
- Analyze the discovered signs: Once identified, the IR team has to determine if a precursor or indicator is part of an attack or if it is a false positive.
- Incident documentation: If the signal proves valid, the IR team must begin documenting all facts in relation to the incident and continue logging all actions taken throughout the process.
- Incident prioritization: NIST designates this step as the most critical decision point in the IR process. The IR team can’t simply prioritize incidents on a first-come, first-served basis. Instead, they must score each incident on the impact it will have on business functionality, the confidentiality of the affected information, and the recoverability of the incident.
- Incident notification: After an incident has been analyzed and prioritized, the IR team should notify the appropriate departments/individuals. A thorough IR plan should already include the specific reporting requirements.
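The five steps above, carried through as one pipeline, as an added example that is not part of the original article: it scans constructed sshd-style log lines for signs (a run of failed logins is treated as a precursor, a success after that run as an indicator), discards a precursor caused by an assumed authorised scanner as a false positive, opens an incident record with a running timeline, scores the incident on NIST SP 800-61's three factors (functional impact, information impact, recoverability), and routes notification. The log lines, the failure threshold, the scanner allowlist, the numeric weights and the routing table are all assumptions made for the example.

```python
"""Added example: NIST SP 800-61 Detection & Analysis steps over constructed log lines.
Thresholds, allowlist, score weights and routing are assumptions, not real settings."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log. 10.0.0.5 is assumed to be an authorised internal scanner.
SAMPLE_LOG = """\
Jun 01 09:00:01 web1 sshd[101]: Failed password for admin from 203.0.113.9 port 4000 ssh2
Jun 01 09:00:02 web1 sshd[102]: Failed password for admin from 203.0.113.9 port 4001 ssh2
Jun 01 09:00:03 web1 sshd[103]: Failed password for admin from 203.0.113.9 port 4002 ssh2
Jun 01 09:00:09 web1 sshd[104]: Accepted password for admin from 203.0.113.9 port 4003 ssh2
Jun 01 09:10:00 web1 sshd[201]: Failed password for root from 10.0.0.5 port 5000 ssh2
Jun 01 09:10:01 web1 sshd[202]: Failed password for root from 10.0.0.5 port 5001 ssh2
Jun 01 09:10:02 web1 sshd[203]: Failed password for root from 10.0.0.5 port 5002 ssh2
"""
LINE_RE = re.compile(r"^\w{3} \d\d [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")
FAIL_THRESHOLD = 3                  # assumed tuning value
AUTHORISED_SCANNERS = {"10.0.0.5"}  # assumed allowlist consulted in the analysis step

@dataclass
class Sign:
    kind: str   # "precursor": an attack may be coming; "indicator": an attack likely occurred
    host: str
    user: str
    ip: str
    evidence: list = field(default_factory=list)

@dataclass
class Incident:
    incident_id: str
    signs: list
    timeline: list = field(default_factory=list)
    priority: str = "unscored"

def pinpoint_signs(log):
    """Step 1: N failures from one source = precursor; a success after failures = indicator."""
    failures, signs = defaultdict(list), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["host"], m["user"], m["ip"])
        if m["result"] == "Failed":
            failures[key].append(line)
            if len(failures[key]) == FAIL_THRESHOLD:
                signs.append(Sign("precursor", *key, evidence=list(failures[key])))
        elif failures[key]:
            signs.append(Sign("indicator", *key, evidence=failures[key] + [line]))
    return signs

def analyse(signs):
    """Step 2: drop precursors caused by an authorised scanner; keep everything else."""
    real = [s for s in signs if not (s.kind == "precursor" and s.ip in AUTHORISED_SCANNERS)]
    false_positives = [s for s in signs if s not in real]
    return real, false_positives

def document(incident_id, signs):
    """Step 3: open the record; every later action is appended to the timeline."""
    inc = Incident(incident_id, signs)
    for s in signs:
        inc.timeline.append(f"{s.kind}: {s.user}@{s.host} from {s.ip} ({len(s.evidence)} events)")
    inc.timeline.append("action: record opened")
    return inc

# NIST SP 800-61 rating categories; the numeric weights are our assumption.
FUNCTIONAL = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATION = {"none": 0, "privacy": 2, "proprietary": 2, "integrity": 3}
RECOVERABILITY = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

def prioritise(inc, functional, information, recoverability):
    """Step 4: score business impact, information impact and recoverability, not arrival order."""
    score = FUNCTIONAL[functional] + INFORMATION[information] + RECOVERABILITY[recoverability]
    inc.priority = "critical" if score >= 7 else "high" if score >= 4 else "medium" if score >= 2 else "low"
    inc.timeline.append(f"action: prioritised {inc.priority} (score {score})")
    return inc.priority

# Assumed routing table; a real plan names roles and contact paths per severity.
ROUTING = {"critical": ["ciso", "legal", "communications", "it-ops"],
           "high": ["ciso", "it-ops"], "medium": ["it-ops"], "low": ["it-ops"]}

def notify(inc):
    """Step 5: notify the departments the plan's reporting requirements name."""
    recipients = ROUTING[inc.priority]
    inc.timeline.append("action: notified " + ", ".join(recipients))
    return recipients

def run_detection_and_analysis(log=SAMPLE_LOG):
    real, _ = analyse(pinpoint_signs(log))
    inc = document("INC-0001", real)
    # Ratings assumed for this scenario: an admin shell on a production web host.
    prioritise(inc, "high", "proprietary", "extended")
    notify(inc)
    return inc

if __name__ == "__main__":
    print("\n".join(run_detection_and_analysis().timeline))
```

Running the file prints the incident timeline, which doubles as the documentation trail the third step calls for. The prioritisation function deliberately takes the three ratings as arguments rather than deriving them from the log: who owns the affected asset and what data sits on it is context the plan supplies, not something a log line can tell you.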
Containment, Eradication, & Recovery
The containment phase serves the purpose of stopping the incident’s impact from causing additional harm. After containment, the IR team can dedicate time to customize their subsequent actions, which must involve addressing the incident’s underlying cause and restoring systems back to their normal functioning state.
Criteria such as the following will be used to develop containment, eradication, and recovery strategies:
- the criticality of the affected assets
- the type and severity of the incident
- the need to preserve evidence
- the importance of any affected systems to critical business processes
- the resources required to implement the strategy
It is important to constantly document these processes and gather evidence. This is necessary for two reasons: firstly, to gain knowledge from the attack and enhance the security team’s skills, and secondly, to be ready for potential legal proceedings.
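One concrete way to make gathered evidence hold up later, as an added example that is not from the original article: a collection manifest that records who collected each item, when, and its SHA-256 digest, plus a digest of the manifest itself, so that any later change to an item or to the custody record is detectable. The evidence items here are constructed byte strings; a real collection would hash files or disk images in the same way.

```python
"""Added example: an evidence manifest for incident documentation and preservation.
Evidence items below are constructed for the example."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed evidence items (name -> bytes) as an investigator might collect them.
EVIDENCE = {
    "web1_auth.log": b"Jun 01 09:00:09 web1 sshd[104]: Accepted password for admin from 203.0.113.9\n",
    "web1_ps_snapshot.txt": b"PID 4242 /tmp/.x  (unexpected process, owner admin)\n",
}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_manifest(items, collector, case_id, collected_at=None):
    """Record who collected what, when, and each item's SHA-256; then seal the record itself."""
    collected_at = collected_at or datetime.now(timezone.utc).isoformat()
    entries = [{"name": n, "size": len(b), "sha256": sha256_hex(b)} for n, b in sorted(items.items())]
    manifest = {"case_id": case_id, "collector": collector, "collected_at": collected_at, "items": entries}
    # Digest of the canonical (sorted-key) JSON body, so edits to the manifest are also caught.
    manifest["manifest_sha256"] = sha256_hex(json.dumps(manifest, sort_keys=True).encode())
    return manifest

def verify_manifest(manifest, items):
    """Return the names of items that are missing or whose hash changed; "<manifest>" if the record itself was altered."""
    bad = []
    for entry in manifest["items"]:
        data = items.get(entry["name"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            bad.append(entry["name"])
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if sha256_hex(json.dumps(body, sort_keys=True).encode()) != manifest["manifest_sha256"]:
        bad.append("<manifest>")
    return bad

if __name__ == "__main__":
    m = build_manifest(EVIDENCE, "analyst-1", "INC-0001")
    print(json.dumps(m, indent=2))
    print("verification problems:", verify_manifest(m, EVIDENCE))
```

The manifest should be stored separately from the evidence it describes (and ideally signed or time-stamped by a system the responders cannot alter), since a manifest kept beside the evidence can be regenerated by whoever tampers with it.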
Post-Incident Activity
Although every incident is a chance to learn and improve, many organizations overlook this crucial stage. Adversaries continuously evolve, and incident response (IR) teams must keep up with the latest procedures, tactics, and techniques.
A lessons-learned meeting is necessary after a major incident, and preferable after less severe incidents as well, to improve overall security and incident handling. For major attacks, involve individuals from various departments and prioritize inviting those who will be important in future incidents.
During the meeting, review:
- what happened and when
- how well the IR team performed
- whether documented procedures were followed
- whether those procedures were adequate
- what information was missing when it was needed
- what actions slowed recovery
- what could be done differently
- what can be done to prevent future incidents
- what precursors or indicators can be looked for in the future
The outcomes of these meetings have the potential to be a valuable resource for training new employees. Additionally, they can aid in the revision of policies and procedures and the creation of institutional knowledge that can be beneficial for upcoming incidents.