Incident response is an ongoing process, a lifecycle that requires a risk mitigation strategy covering operational, legal and reputational risk.
A typical cybersecurity attack can result in a combination of attack across target segments within an organizational network and data that can result in critical infrastructure being exposed lacking security controls to mitigate risks.
A good cybersecurity framework is therefore an imperative, keeping into consideration how an organization builds its cybersecurity strategy that encompasses an integrated and holistic approach centered around security orchestration, analytics and incident response.
It is fundamental for an organization to have critical controls in place across prevention, detection and response environments that can help organizations build resiliency in providing a consistent and predictable recovery experience that can seamlessly respond to IT complexities and interdependencies across all environments.
An incident response plan must be designed in a way that can help an organization respond quickly and efficiently in the event of a breach, involving stakeholders and other lines of business, including the InfoSec and IT teams. Involving stakeholders across the organization helps in facilitating accountability and transparency with an objective to mitigate and minimize risk.
The incident response team should expand beyond responding to security threats, but should include management, human resources, legal, audit and risk management specialists, general counsel and public relations.
A case in point for example is, in the case of insider threat, a response plan mandates involvement of HR to check employee background, responsibilities and credential fundamentally key to minimizing risk. Similarly, a response process should include a general counsel attorney to ensure that any evidence collected maintains its forensic value in the event that the company chooses to take legal action.
Target and Yahoo are case studies illustrating the importance of involving the legal, compliance and public relations teams early to address risk. In essence, incident response is about managing risk, and incident response must be a holistic approach to managing risk that can impact operations as well as reputation of an organization.
Not an Isolated Event
Incident response must not be treated as an isolated event. Therefore incident simulations, tabletop exercises and reporting are key processes to incident response planning, enabling teams to test response plans, identify gaps and refine response processes that define incident response preparation.
To address incidents, it is important to ensure that an IR plan includes:
- Policies, procedures and agreements for incident response management;
- Communication guidelines key to incident response preparation;
- Threat intel feeds for enrichment and better preparation of investigations to identify indicators of compromise;
- Operational threat hunting exercises to prepare the security team, helping their response to be more proactive.
Another very pertinent aspect of incident response is communication.
A communication strategy must encompass both internal and external stakeholders. In order to know what to communicate to whom, an organization should assess the potential impact of the cyber security incident – for example, whether it concerns to only internal or also external stakeholders, and the magnitude of the incident, including evidence of data leakage.
Depending on the impact of the cyber breach, an organization’s cybersecurity incident communication will have different objectives. For example a privacy data breach would involve notification and adhering to the privacy data breach regulation of the respective country’s regulations.
In today’s context, some of the external regulatory guidelines may be complex (ex: GDPR) and would need a proper communication strategy in place in order to comply with regulatory obligations.
Global, national and local privacy breach requirements are more complex than ever before and are continually evolving. Privacy and legal teams can spend days working to meet regulatory obligations after an incident. Communication, therefore, is the key to mitigating any risk, both from a reputational and legal standpoint.
In a digital age, communication is an important strategy to mitigate risk and an extremely critical component to the basic operations of a company. Therefore, incorporating a communications strategy that takes into account business, legal and regulatory requirements should be a priority.
Containment of security incident and recovery are important steps for any incident response plan, keeping in consideration business continuity demands and a disaster recovery solution. This includes prioritizing which assets to rebuild first and ensuring business continuity.
The recovery process should include addressing the attackers’ point of penetration or associated vulnerabilities to be eliminated on and systems restored. It is important to ensure identified CIRT members or owners work hand-in-hand with the business continuity planning team to ensure smooth running of business operation.
Eliminate Root Cause
After containment of a breach, the next phase of an incident response plan is to eliminate the root cause of the breach.
An incident plan eradication program needs to be designed to ensure malware is securely removed, systems are hardened and patched, and, most importantly, updates are applied. This is critical, given that if any trace of malware or security issues that remain in the affected systems, the risk will continue and liability could increase. Eradication and recovery should be done in a phased approach so that remediation steps are prioritized.
Post incident event analysis is a critical component of any incident response plan, as it provide an opportunity for the stakeholders to reflect on the incident and apply lessons learned in order to make an incident response plan proactive and efficient. It also helps to improve security measures, identify early potential gaps and be more prepared in future.
Given the explosion in autonomous and other devices connected to the internet; access to smart phones, even in emerging economies; service providers in transformation; social networks in ferment; and organizations relying on DevOps, we must be prepared to have a matrix for positive possibilities, but increasing threat surfaces exposed. This will lead to multi-vector threats being executed on corporate as well as private targets and risk factors will become even more exposed.
Therefore, the state has to make private citizens aware of cyber safety. As far as enterprises and corporations are concerned, they will need to deploy appropriate counter- measure incident response technology that can in real time anticipate and proactively respond. They also must subscribe to threat intel feeds and intel sharing across verticals, combining the capability to bring in people, process and technology together to respond to attackers.
This can happen through artificial intelligence and intelligent orchestration. Learn more about how to outsmart, outpace and outmaneuver cyberattackers here.