4 KEYS TO CYBER INCIDENT PLANNING AND RESPONSE
It’s no longer a question of IF you will have a cybersecurity incident. The real question is how you will respond and recover WHEN you have a cybersecurity incident.
This statement is both sobering and liberating. All organizations must implement controls to prevent intrusions, disruptions, and data breaches, but it is still inevitable that you will someday have an incident. The key, then, is to put plans in place that minimize the business impact of the incident through efficient management. Your organization can greatly benefit from understanding cyber incident planning and having a meaningful response strategy in place.
What is a Cyber Security Incident Response Plan?
A cyber security incident response plan, often called an IR plan, is the strategy and process a company creates to detect, respond to, and recover from a network security incident. Technology-centric in nature, these plans tend to address issues like malware detection, data breaches, and service outages.
4 Steps To Incident Planning and Response
Follow key principles and processes in your response plan.
Containment – the first priority in any incident is to “stop the bleeding.” To both minimize the impact and accelerate the path to recovery, you need to figure out where the issue is and how to contain it. In many cases, this may include steps such as quarantining a compromised machine or account and blocking communication ports that could be used for data exfiltration, malicious command and control, or automated propagation of malware.
Impact assessment – the key issue for business leadership revolves around impact. How will the incident affect business operations? Has any sensitive data been lost? Will the incident have any impact on customers or other key stakeholders? Answers to these questions are central to incident management.
Root cause – while containment and impact assessment are the highest priorities, it is often difficult to be sure the incident is fully contained until the root causes are fully analyzed and understood. It is important to take the time to find out where the root cause really lies.
Recovery – the end goal of any incident response is the recovery and restoration of normal business function. In many cases, a corrupted server or endpoint will need to be rebuilt from a backup. In some cases, these restoration activities can begin prior to completing the forensic analysis.
Categorize the incident based on the impact
Low impact (Level 1). These incidents happen all the time and get handled operationally with standard processes and procedures.
Level 2. The incident would have a low to moderate impact on the business but may require a coordinated response by IT organizations. An email worm or a moderate malware outbreak might be examples of a level-2 incident.
Level 3 or Level 4. These incidents would have a more significant impact on the business, either through degraded operations, financial loss, or reputational impact with customers or stakeholders. A level 3 incident would warrant activation of the company’s existing crisis management or emergency operations plans. By building on existing crisis management plans, key corporate functions for legal, HR, public, or shareholder relations can be engaged without “re-inventing the wheel.” Any regulatory reporting of a data breach would be coordinated through appropriate business leadership during the recovery stages of the response.
Utilize external experts. It may be necessary to utilize external forensic expertise to definitively understand if there was any data loss, and how the incident occurred. It is recommended that retainer agreements be put into place before they are needed, to avoid unnecessary delays in contracting during an incident emergency.
Practice! Once you have a plan in place, it is important to exercise the plan through periodic tabletop exercises. These periodic drills will help increase organizational familiarity with the plan and develop a sense of “muscle memory,” which can be extremely important in the early stages of an actual incident. Incident response drills also help identify opportunities to further refine and clarify the plan over time.
Ransomware Specific Incident Response
Ransomware is a specific style of malware, where the attack encrypts the victim’s data and charges a fee (usually via some form of untraceable Bitcoin) to provide the decryption key needed to recover the data. While ransomware was initially thought to be primarily a consumer-grade issue, it has increasingly been used to target companies, particularly those in healthcare or critical infrastructure, where the need for a timely recovery might drive leaders to agree to pay the ransom rather than risk being down for multiple days. Ransomware is a growing international problem that could exceed $20B globally in 2021.
Prevent ransomware incidents through proactive vulnerability management and diligent user education.
The only truly reliable protection from ransomware is a good backup. The more quickly and effectively you can initiate data recovery, the better you can minimize the impact of a ransomware incident.
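A backup only counts as “good” if you can prove it is intact and restore from it quickly. The script below is an added example (not code from the original article or from Emagined Security) that shows one way to support that: record a SHA-256 manifest at backup time, verify the backup copy against that manifest during an incident, and restore only the files that still match. The file names and contents are constructed sample data, and the manifest is assumed to have been kept somewhere the attacker could not reach (offline or on immutable storage); the example simulates the incident on throwaway temp files, including one deliberately corrupted backup file, so you can see the verify step refuse to restore from it.

```python
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 65536


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its digest, taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_of(full)
    return manifest


def verify_backup(backup_root, manifest):
    """Return the relative paths that are missing from the backup or no longer match."""
    bad = []
    for rel, digest in manifest.items():
        full = os.path.join(backup_root, rel)
        if not os.path.isfile(full) or sha256_of(full) != digest:
            bad.append(rel)
    return sorted(bad)


def restore_verified(backup_root, manifest, target_root):
    """Copy only manifest-verified files into target_root; report what was skipped."""
    restored, skipped = [], []
    for rel, digest in manifest.items():
        src = os.path.join(backup_root, rel)
        if not os.path.isfile(src) or sha256_of(src) != digest:
            skipped.append(rel)  # never restore data you cannot vouch for
            continue
        dst = os.path.join(target_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copyfile(src, dst)
        restored.append(rel)
    return sorted(restored), sorted(skipped)


def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Walk through backup, simulated incident, verification and restore on temp files."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = os.path.join(tmp, "prod")
        backup = os.path.join(tmp, "backup")
        # Constructed sample data standing in for production files.
        write(os.path.join(prod, "invoices", "2021-q1.csv"), b"id,amount\n1,100\n")
        write(os.path.join(prod, "notes.txt"), b"meeting notes\n")
        # Take the backup and record its manifest (assumed stored out of the attacker's reach).
        shutil.copytree(prod, backup)
        manifest_path = os.path.join(tmp, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(build_manifest(backup), f)
        # Simulated incident on the constructed data: every production file is overwritten.
        for rel in build_manifest(backup):
            write(os.path.join(prod, rel), b"\x00" * 32)
        # Also corrupt one backup file so the verify step has something to catch.
        write(os.path.join(backup, "notes.txt"), b"corrupted\n")
        with open(manifest_path) as f:
            manifest = json.load(f)
        bad = verify_backup(backup, manifest)
        restored, skipped = restore_verified(backup, manifest, prod)
        prod_ok = {rel: sha256_of(os.path.join(prod, rel)) == d for rel, d in manifest.items()}
        return {"bad_backup_files": bad, "restored": restored,
                "skipped": skipped, "prod_ok": prod_ok}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The design point is the order of operations: verify before restore, and treat a mismatched backup file as unusable rather than “probably fine.” In a real environment the manifest must be written to storage the ransomware cannot modify, otherwise an attacker who encrypts the backup can simply rewrite the manifest to match.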
If your business were ever in a position where it decided it needed to “pay the ransom” to recover data and systems, this could potentially require tens of thousands of dollars in Bitcoin. Most organizations would not be in a position to effectively acquire or handle this virtual currency. Fortunately, there are external legal service providers that specialize in hostage negotiation and can also serve as a resource for paying a virtual currency ransom. While you would hope never to need such a service, consider identifying such providers in advance to speed up recovery during a time of crisis.
Emagined Security can assist organizations through managed security services that help monitor and identify potential incidents, as well as reactive incident response services to assist organizations in response to an active incident. Emagined can also provide consulting and advisory services to assist with cyber incident response planning or a strategic security program assessment.