Incident response plans will be integral to helping organizations manage the aftermath of a breach in a way that limits damage and reduces recovery time and costs. According to an FBI report, ransomware alone caused more than 4,000 attacks daily in 2016, a 300 percent increase over the previous year. Malware strains are continually evolving to subvert detection from traditional security measures, infect networks and compromise sensitive information. This shift and associated consequences show that businesses can no longer relax in the face of advancing cybersecurity risks.
However, a Ponemon Institute survey found that 75 percent of respondents don’t have a formal incident response strategy, and 66 percent aren’t prepared to recover from a cyber attack. In this two-part series, we will delve into the necessary stages of your incident response plan as well as how to implement it effectively within your organization to minimize the damages of a breach and reinforce business continuity efforts.
1. Preparing for Anything
Creating an effective incident response plan will take considerable planning and preparation. This will arguably be the longest and most involved stage in the process, as you will need to identify the start of an incident, how to recover and establish preventive security measures, such as application control/ whitelisting. CSO managing editor Ryan Francis noted that the incident response plan should lay out who should be notified when a breach is detected and how information on the situation will be communicated. People across the company should collaborate to develop the plan, establish call trees and identify members within the incident response team, including external entities.
Training employees on the incident response strategy will be another major part of this step. Because cyber attacks can come in many shapes and sizes, it will be necessary to address these characteristics through ongoing sessions. For example, the incident response team might need specialized investigative techniques, environmental procedure requirements and incident response tool usage. All staff should be trained on where the incident response plan is located as well as what actions to take in the event of a breach, to report problems quickly and minimize potential damage.
2. Identifying and Reporting Unusual Behavior
The IT department is no longer solely responsible for ensuring the security of sensitive business assets. It’s now important for all employees to recognize the risk that certain behaviors can pose, as well as how to identify unusual behavior in their daily operations. CSO Online contributor Anthony Caruana noted that it’s crucial for staff members to understand their environment to look for significant deviations from normal traffic and other methods. This knowledge will be integral to spotting malicious activities quickly and starting the process of mitigation.
In addition to identifying unusual behavior, it’s equally as important to be able to classify whether the activity was a cyber security event or incident. These terms are often used interchangeably, but their differences will make a major impact in how they’re approached. An event is often known as any observable occurrence in a system or network, like a firewall blocking an attempt to connect. A security incident is an event that violates protection or privacy policies involving sensitive information. Reporting these activities appropriately will be necessary for adhering to compliance standards, maintaining customer relationships and minimizing potential risks.
“Teams must limit the damage caused to systems and prevent any further impact.”
3. Containing the Situation
When a cyber incident is identified, it’s necessary to work as quickly as possible to contain it. In this stage, incident response teams must limit the damage caused to systems and prevent any further impact. Short- and long-term containment activities will go a long way toward mitigating the current situation and stopping similar incidents in the future. The SANS Institute noted that short-term containment could be something as simple as isolating a network segment and performing a system backup. This will capture evidence of the event and be used to learn how the breach occurred.
Long-term containment will be a big part of unexpected downtime prevention. Incident response teams will look to rebuild clean systems, removing accounts and backdoors left by hackers on affected systems. Some assets can even be temporarily fixed to limit disruptions while other work is being done to reduce the risk of further compromise. Organizations must do what they can to isolate the threat and limit its risks to other important systems.
These first three steps in the incident response plan are critical building blocks that will help teams establish response protocols, effectively identify threats and contain them. In the next part, we will look at four more necessary steps within your incident response strategy to help eradicate the issue, recover effectively and learn from the incident.