A cyber incident response plan is a key element of business security. Having the right...
The term Incident Response refers to the processes and policies an organisation uses to respond to a cyber incident such as an attack or data breach. Its goal is to mitigate the damage, that is, to reduce the recovery time, effort, cost and reputational harm associated with the event. Beyond limiting the consequences of a given attack, a disciplined Incident Response process also helps organisations prevent future attacks on their information security.
Every organisation should have an Incident Response or Cybersecurity Emergency Plan that helps it identify, contain and eliminate cyberattacks. IR plans define what constitutes an incident and give a clear guide to the steps to be taken if one occurs.
Incident Response Frameworks
The purpose of an Incident response framework is to assist organisations with the creation of standardized response plans. These frameworks are commonly developed by large organisations with a significant amount of security expertise and experience. Two of the most well-known examples are the Incident Response Frameworks created by the National Institute of Standards and Technology (NIST) and the SysAdmin, Audit, Network and Security Institute (SANS). Below is an outline of each of these Incident Response Frameworks:
NIST Incident Response Framework
The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce; it is one of the nation's oldest physical science laboratories. As part of its cybersecurity work NIST published an Incident Response Framework, set out in Special Publication 800-61, the Computer Security Incident Handling Guide, which quickly became one of the most widely adopted references for organisations around the world. The framework gives detailed guidance on creating an incident response plan, forming an incident response team, establishing communication procedures and running training scenarios for staff.
The Incident Response Cycle
NIST defines a four-phase incident response life cycle. The model emphasises that incident response is not a linear process that starts when an incident is detected and ends with eradication and recovery; it is cyclical, with each incident feeding lessons back into preparation so that the organisation gets better at defending itself against the next attack.
The four steps of NIST Incident Response:
1. Preparation
Preparation starts with a thorough inventory of the IT estate (networks, servers and endpoints) and an assessment of which assets hold critical or sensitive information and therefore matter most. Organisations also establish, through monitoring, a baseline of what normal activity looks like, so that deviations can be recognised later. Finally, the security team writes a guide for handling common incident types and decides which types warrant a thorough investigation.
2. Detection and Analysis
Detection involves collecting data from IT systems, security tools, publicly available information and people inside and outside the organisation, and identifying two kinds of signs: precursors, which suggest an incident may occur in the future (for example, log entries showing a vulnerability scanner probing an exposed server), and indicators, which show that an incident has happened or is happening now (for example, an antivirus alert or a burst of failed logins).
Analysis establishes what normal activity looks like for the affected systems, correlates related events and determines whether and how the observed activity deviates from that baseline. Because many indicators are noisy or ambiguous on their own, this is also where the team decides whether an alert is a genuine incident, what its scope is, and how urgently to respond.
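The baseline-and-deviation analysis described above, as an added example that is not part of the original article: it parses a few constructed sshd log lines, builds a per-host baseline of failed logins per hour from a quiet window, then scores a later window and correlates any deviation with its dominant source address. The hostnames, addresses, threshold constants and log format are assumptions for illustration, not taken from the article.

```python
"""Baseline-and-deviation analysis over SSH authentication logs (added example)."""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample lines (syslog-like, hypothetical hosts and addresses): a
# "normal" window used to learn what failed-login volume usually looks like.
BASELINE_LOGS = """\
2024-03-01T09:00:11 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
2024-03-01T09:15:40 web01 sshd[1202]: Failed password for deploy from 198.51.100.7 port 40123 ssh2
2024-03-01T10:05:02 web01 sshd[1210]: Failed password for deploy from 198.51.100.7 port 40130 ssh2
2024-03-01T11:07:19 web01 sshd[1222]: Accepted publickey for deploy from 198.51.100.7 port 40140 ssh2
2024-03-01T09:30:00 db01 sshd[800]: Failed password for root from 10.0.0.12 port 51000 ssh2
2024-03-01T10:30:00 db01 sshd[801]: Accepted publickey for dba from 10.0.0.12 port 51001 ssh2
2024-03-01T11:30:00 db01 sshd[802]: Failed password for root from 10.0.0.12 port 51002 ssh2
"""

# Constructed "current hour" window: a password-guessing burst against web01
# (40 failures from one address) plus one ordinary failed login on db01.
NEW_LOGS = "\n".join(
    f"2024-03-02T12:{i:02d}:{(i * 7) % 60:02d} web01 sshd[{2000 + i}]: Failed password for invalid user "
    f"{user} from 203.0.113.5 port {42000 + i} ssh2"
    for i, user in enumerate(["admin", "test", "oracle", "git", "ubuntu"] * 8)
) + (
    "\n2024-03-02T12:20:00 db01 sshd[900]: Failed password for root from 10.0.0.12 port 51010 ssh2"
    "\n2024-03-02T12:21:00 db01 sshd[901]: Accepted publickey for dba from 10.0.0.12 port 51011 ssh2\n"
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed password|Accepted publickey|Accepted password) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

K_SIGMA = 3.0     # assumed: standard deviations above the mean that count as a deviation
MIN_MARGIN = 2.0  # assumed: absolute floor so a near-constant baseline does not alert on +1


def parse(log_text):
    """Yield a dict per line that matches the sshd pattern; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def failed_per_host_hour(events):
    """Return ({host: Counter{hour_bucket: failed_logins}}, sorted hour buckets seen)."""
    counts = defaultdict(Counter)
    buckets = set()
    for ev in events:
        bucket = ev["ts"][:13]           # "YYYY-MM-DDTHH"
        buckets.add(bucket)
        hourly = counts[ev["host"]]      # register the host even if it never fails
        if ev["outcome"] == "Failed password":
            hourly[bucket] += 1
    return counts, sorted(buckets)


def build_baseline(log_text):
    """Per-host (mean, population stdev) of failed logins per hour, zero-filling quiet hours."""
    counts, buckets = failed_per_host_hour(parse(log_text))
    baseline = {}
    for host, per_bucket in counts.items():
        series = [per_bucket.get(b, 0) for b in buckets]
        baseline[host] = (statistics.mean(series), statistics.pstdev(series))
    return baseline


def analyse(baseline, new_log_text):
    """Score the busiest hour of each host in the new window against its baseline.

    Returns {host: {"count", "threshold", "deviates", "has_baseline", "top_source"}};
    top_source is (ip, n) for the address behind most failures, or None.
    """
    events = list(parse(new_log_text))
    counts, _ = failed_per_host_hour(events)
    sources = defaultdict(Counter)
    for ev in events:
        if ev["outcome"] == "Failed password":
            sources[ev["host"]][ev["src"]] += 1
    report = {}
    for host, per_bucket in counts.items():
        observed = max(per_bucket.values(), default=0)
        mean, sd = baseline.get(host, (0.0, 0.0))
        threshold = mean + max(K_SIGMA * sd, MIN_MARGIN)
        top = sources[host].most_common(1)
        report[host] = {
            "count": observed,
            "threshold": round(threshold, 2),
            "deviates": observed > threshold,
            "has_baseline": host in baseline,
            "top_source": top[0] if top else None,
        }
    return report


if __name__ == "__main__":
    for host, r in sorted(analyse(build_baseline(BASELINE_LOGS), NEW_LOGS).items()):
        verdict = "INDICATOR: deviates from baseline" if r["deviates"] else "within baseline"
        print(f"{host}: {r['count']} failed logins (threshold {r['threshold']}) {verdict}; top source {r['top_source']}")
```

Run as a script it reports web01 as deviating (40 failures against a threshold of about 3.45, all from one address) and db01 as within its baseline. The absolute floor matters in practice: a host that normally sees zero or one failure per hour has a standard deviation near zero, and without the floor a single extra typo would trip the alert.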
3. Containment, Eradication, and Recovery
The goal of containment is to limit the impact of an incident before it spreads across the organisation's systems and networks and gives the attacker a wider foothold. The right containment strategy depends on factors such as the potential damage the incident could cause, the need to preserve evidence, the ability to keep servicing customers and keep staff working, and how long the measure needs to hold. Weighing these, an organisation may choose a quick temporary measure (for example, isolating an affected host from the network) before moving to a permanent fix.
Once the incident is contained, the next step is eradication: removing every trace of it from the environment. Typical eradication tasks are identifying all affected hosts, removing malware and any persistence the attacker left behind, and disabling breached accounts or resetting their credentials.
Finally, once the threat is eradicated, systems are restored and normal operations resumed as quickly as possible, with additional safeguards so that the same assets are not compromised again in the same way (for example, patching the exploited weakness and tightening monitoring on the recovered hosts).
4. Post-Incident Activity
A key part of the NIST methodology is learning from each incident to improve the overall response process. After an incident the team should ask: What exactly happened, and when? How well did staff and management perform in dealing with it? Were documented procedures followed, and were they adequate? What went wrong in the response, and what would we do differently next time? The answers feed back into the preparation phase: updating the incident response policy, plan and procedures, refining detection rules and activity baselines, and adjusting training and tooling.
SANS Incident Response Framework
The SANS Institute is a private U.S. for-profit company founded in 1989 that specialises in information security and cybersecurity training and certification. One of its best-known contributions is its Incident Response Framework, widely praised for its comprehensiveness, which is laid out as a structured six-step process in the roughly 20-page SANS Incident Handler's Handbook. Below is a brief summary of the process.
The SANS Incident Response Process consists of six steps:
1. Preparation
Organisations review their security policy, typically through risk assessments that identify vulnerabilities, sensitive assets and the incident types most likely to matter. In this stage organisations also form a Computer Security Incident Response Team (CSIRT).
2. Identification
Security teams monitor systems and networks for suspicious activity during day-to-day operations so that incidents are detected as early as possible. Once an incident is identified, everything should be documented: when it was detected, what was observed, the nature of the attack and its apparent origin.
3. Containment
Containment follows identification: the team isolates the attack and prevents it from spreading. Short-term containment might mean segmenting the network under attack or isolating compromised hosts; once those measures are in place, the team can move to long-term containment and fixes, which may involve rebuilding entire systems.
4. Eradication
After containment, the root cause is identified and removed: malware and attacker persistence are deleted, compromised accounts are disabled or re-credentialed, and affected systems are patched or rebuilt from a known-good state before they return to service.
5. Recovery
Affected systems that were taken offline during the incident are brought back into production. Security teams should test and monitor them to confirm that normal functionality is restored and that the attack does not recur.
6. Lessons Learned
Soon after the incident is closed, the team looks back at how it was handled and documents how the incident response process can be improved for future incidents.
Why is an Incident Response plan important in the event of a cyber attack?
Organisations that suffer a cyber attack are often unaware of the attacker's presence until it is too late, or their security teams fail to take appropriate action when a threat is first identified, either downplaying its severity or ignoring it entirely.
Incident Response plans help organisations, their departments and their employees respond to threats effectively. Strong IR plans define roles and responsibilities, communication plans and standardised response protocols. Together these establish a clear procedure for responding to cyber incidents and reduce their negative effects: downtime, financial impact and reputational damage.
How can StickmanCyber help?
SMEs can find building a full cybersecurity strategy by themselves to be a daunting task, given the extensive skill, expertise and resources required. If your business is unable to perform incident response in house, outsourcing to an external service provider may be the best option. StickmanCyber provides its clients with emergency response services in the event of a security incident. Get in touch with one of our cybersecurity expert consultants to start today with a free consultation.