The increasing complexity of information systems and networks has been accompanied by a rise in cyber threats worldwide. Organizations need an Incident Response Plan in order to reduce and mitigate the impact of these attacks.
Incident Response (IR) refers to the process by which an organization responds to and manages “incidents” such as cyber attacks or data breaches. Incidents can be destructive, resulting in significant financial loss or the theft of your company’s valuable data.
Most organizations have a host of business continuity and emergency response procedures. All too often, though, they don’t have a cyber Incident Response Plan (IRP), or their plan covers technical procedures but leaves out how employees are expected to respond.
While it is prudent to have staff members who are trained in the detection, analysis and eradication phases of Incident Response, it is equally important that management and stakeholders understand the implications of a data breach and the actions they need to take. Data breaches are stressful situations, and poor incident handling only makes them worse.
When discussing Incident Response, it is important to differentiate between a cyber event, an adverse event, and a cyber incident.
NIST’s ‘Computer Security Incident Handling Guide’ defines a cyber event as “… any observable occurrence in a system or network”. This may be something as simple and seemingly harmless such as sending an email. An event can potentially lead to an incident, but it’s not guaranteed that it will.
An adverse event is one where the observable occurrence has negative consequences. An example is unauthorized access to or nefarious use of administrative privileges that provide access to networks, servers, company computers or other important resources.
A cyber incident is a violation, or an imminent threat of violation, of an organization’s security policies, acceptable use policies or standard security practices. Examples include a phishing email that harvests login credentials, an internet-exposed Remote Desktop Protocol (RDP) service that is used to deploy ransomware across a network, or a botnet flooding a website with traffic in a denial-of-service attack.
An Incident Response Plan or IRP is a set of policies and procedures that deal with cyber events and incidents. The plan should take on a form where all relevant employees are engaged, and all appropriate information is disseminated in an effective manner.
The importance of keeping a printed copy cannot be stressed enough. If you are unable to access your servers or cloud storage, you will likely be unable to access your Incident Response Plan from a computer either. The IRP should also have up-to-date contact information for the Incident Response Team (IRT), your cyber insurance broker and legal counsel, and those contacts should be reachable without relying on the affected systems.
The response to a cyber incident is not ‘one size fits all’, and planning should address multiple scenarios. Usually, responsibility for the initial response falls to one person who has the authority to shut down networks and services to employees and customers as needed. That person may not be an employee; it could be a member of a third-party Incident Response Team (IRT).
There are three, usually third-party, providers who will be integral in remediating a cyber disruption. These are your cyber insurer, legal representation, and Managed Security Service Provider (MSSP or the IRT). Each of these groups can assist you with the different phases of Incident Response.
The Incident Response Team will be your first call.
The Incident Response Team are the computer security professionals who will investigate and remediate your cyber events and incidents. They’ll provide actionable recommendations on how to begin mitigating the situation. If you don’t have an IRT, your insurer will recommend or engage one who can provide the necessary service. The IRT will follow a defined workflow that preserves evidence while restoring your systems. Thorough reporting will be provided throughout the incident for the benefit of owners, directors, management, law enforcement, shareholders and other stakeholders.
Incident Response consists of seven phases that your Incident Response Team (IRT) will carry out. Depending on the nature of the incident, the duration of each phase will vary, and some phases will blend into others. The phases are as follows:
An Incident Response Plan allows your organization to be as prepared as possible for an incident. The goal of maintaining internal and client data privacy should not be overlooked, as the consequences of a breach can be devastating both legally and financially. In the event that information systems are disabled, your Incident Response Plan shouldn’t rely on negotiating with the threat actor; the focus should instead be on maintaining business operations and restoring the affected systems as quickly as possible. Regular, tested backups of applications and data, a printed Incident Response Plan, and a competent Incident Response Team will help ensure that your organization is ready for any threat and continues to run smoothly.