Cybersecurity threats come in many varieties – criminals, nation states, malicious insiders, ransomware, phishing, malware…the list goes on and on. But just because there are a lot of moving parts to cybersecurity, it doesn’t mean you can’t be prepared to respond to a data breach or other security incidents. If you’ve done your job correctly, you will never ask “now what?” when such an incident occurs, because you’ll already have an incident response (IR) plan in place that prescribes exactly what you need to do.
Cybersecurity IR is different from physical security IR, though. With physical security, the top priority is human safety, and then “catch the bad guy” is the second priority. So, you gather all your video and other pieces of evidence to help law enforcement find the perpetrator. Cybersecurity is different. Your top priority is mitigating the damage that’s been done, which may include getting the business back up and running. And, since the attacker is usually beyond your jurisdiction, it’s rarely a productive use of time to hunt them down, unless it’s an insider.
The good news is, it’s possible to put together a comprehensive and tested plan to effectively respond to cyberattacks. And, you don’t have to be a technical person to do this – you can be the facilitator of a cross-functional team that includes technical people (employees or consultants), as well as other relevant executives.
So, the question everyone needs to ask themselves is not “now what?” – it’s “how do I plan for this?” So, let’s take a look at how to create an effective cybersecurity IR plan.
First Things First – Build a Plan Based on Best Practices
The first step to building an effective cybersecurity IR plan is to adopt an industry-standard IR framework, such as NIST 800-61. This sets the foundation for your plan and dramatically reduces the dreaded “trial and error” that inevitably comes with “do-it-yourself” approaches. NIST 800-61 breaks down IR into four phases:
- Preparation - Having an IR playbook in place is key so you’re ready for action should an incident occur. The playbook should define procedures, as well as the cross-functional team required for effective IR. It’s really the same thing as having a physical security IR plan – if someone breaks into the office, there should be a prescribed set of steps to take.
- Detection and analysis - Detecting an attack is the first step in any IR plan. Analyzing where the attack came from (internal or external source) and what systems it touched are important for remediation efforts.
- Containment, eradication and recovery - Preventing the attacker from moving anywhere else on the network or exfiltrating data (containment) and then ultimately removing them from the network is critical. Once the attacker is removed, recovery can begin – patching vulnerabilities exploited by the attacker, following steps to meet regulatory compliance, etc.
- Post-incident follow-up - Reviewing how well the organization executed on its IR plan and applying those “lessons learned” so response can continuously improve is key as well.
Obviously, the preparation phase is the foundation on which to execute the other phases. Given it’s importance, let’s take a deeper look at this critical stage.
Building the Plan
First of all, if your expertise lies more in physical security than cybersecurity, fear not. There is always help to be had, either among internal technical personnel, or the plethora of outside cybersecurity consultants roaming the world today (ranging from solo practitioners to global consulting firms). These outsourced professionals can be put on an IR retainer, where they can help with everything from the preparation phase, straight through to post-incident follow-up.
At a high level, there are a lot of non-technical aspects to a cybersecurity IR plan that are similar to a physical security plan. For example, you need to choose someone to lead IR, assemble a cross-functional team, do periodic practice runs so people will know exactly what to do if something actually does happen, etc. The cross-functional team typically involves representatives from areas of the company that are responsible for different areas of activity required by the response. So, this would include:
- CISO, CIO or both – Ransomware and breaches have become board-level issues, so there should be executive representatives on the team that can report directly to the CEO and the board.
- Technical leads - These are people responsible for different parts of the company computing infrastructure – security, network, infrastructure, etc. They gather computer logs and evidence to support the investigation (it is common to utilize third-party experts in the forensics efforts).
- Legal - Cyber incidents often have liability issues attached to them. Legal counsel should be part of the IR team to evaluate how a particular incident might open the company to legal exposure, and provide counsel on how to mitigate that exposure.
- HR – Insiders are a major source of cyber risk, and if an employee causes a cyber incident, HR needs to be on the ground floor, so a legal and effective strategy can be developed to address the employee issue. Likewise, a cyber incident might be the result of a lack of employee training around cyber-safe behavior, so HR should also be directly involved in designing training programs that reduce the likelihood of this happening in the future.
- Corporate communications professionals - Cybersecurity incidents create all sorts of internal and external communications challenges. If the company has to disclose the breach to comply with regulations, it could wind up being reported in the media. Likewise, if employees’ personal information has been compromised, they will need to be instructed on measures they should take to protect themselves. And, if it’s something catastrophic, like a ransomware attack, employees will need to understand how to continue performing their work while the situation is addressed.
- Finance - Responding to a breach may require hiring outside experts or acquiring new technology very quickly. Having corporate finance on the cross-functional team can streamline the process of getting the right skills and equipment, as quickly as possible.
- Risk management leaders - If there is a Chief Risk Officer, a Chief Compliance Cfficer, or something similar, that person should also be involved in the IR team.
Once the team is established, it is important to define the role of each member as well as communications protocols. This sets the framework for IR. From there, the team should work together to develop response plans for the different types of likely incidents: data breaches, ransomware attacks, denial of service attacks, insider data theft and more.
Testing the Plan
Creating a plan is an important first step; testing that plan is equally important. Failure to effectively execute on a plan is often just as bad as having no plan at all. According to the Optiv “State of the CISO” report, 36 percent of CISOs said they do not practice their IR plans at least once per year. Another 19 percent said they practice once per year.
Given the complexity of responding to a cyber incident, this level of practice is insufficient. And, when it’s time to execute on the plan, companies may even find that members of the original IR team are no longer with the company, or their contact information has changed, or new lines of business have started that are not accounted for in the plan. Given the pace of change in business, IR plans should be practiced and updated at least twice each year.
Testing often takes the form of tabletop exercises, where members of the cross-functional IR team spend half a day or more playing “war games” based on a variety of different scenarios. These exercises help team members internalize their responsibilities during a cybersecurity incident, and what steps they need to take based on different scenarios.
Additionally, it is an excellent idea to practice computer forensics processes because they help determine how the attack occurred, what type of attack it was, what damage the attackers did, and whether or not attackers are still on the company network.
A good way to practice forensics is to randomly choose a system and have the appropriate person conduct forensics on it. Capturing disk images and searching log files can take hours, so practicing will ensure forensics are conducted as efficiently as possible if an actual attack occurs.
Every Incident Creates New Questions
Some measures during IR are prescribed. For example, if your company is regulated and required to report a breach within 72 hours, that is pretty straightforward. But in cases where things are not that clear, many business and technical questions can arise. For example, if you’re hit with ransomware, do you call the police? If an intruder is still on the network, do you take emergency action and shut down your internet connection to stop data from leaving the company? Or, if it’s an insider attack, should you let the attacker continue so you can catch him in the act?
Questions like these will invariably come up – and in many cases, you may face questions you haven’t considered before. But, if you have a rehearsed plan in place and your IR team is executing properly, you will have more time and resources to dedicate to finding the best answer, rather than being distracted by endless firefights because you were not prepared for the incident. Put another way, you won’t have to devote any resources to figuring out “now what?” Instead, you can focus on the most important issues leading to the company’s recovery to normal.