
Incident Response Management
The Need for Rigorous Planning, Processes, and Procedures
Every hour of every day, cybercriminals create more diverse and complex attacks. Unlike the simple viruses of the past, new threats use machine learning, AI, and cloud-scale resources. Criminals turn the same tools we depend on to prevent attacks against us. Although no business likes to think about a major security breach, failing to plan for one may turn a manageable threat into a disaster. Lack of foresight will lead to significant losses of assets, revenue, and reputation.

Creating a Plan to Deal with Cyberattacks Isn’t Easy
Better safe than sorry sounds simple but requires a concerted effort and continuous vigilance, maintenance, and improvement. In other words, every organization should have cyber incident response management backed by a CSIRP (Cyber Security Incident Response Plan). A CSIRP provides well-documented guidance on how an organization responds to cyber-attacks. With a CSIRP, organizations create and maintain playbooks to manage a variety of threats. These include detailed step-by-step processes for containing and remediating cyber-attacks from low to critical severity. Plans are well-orchestrated, detailed, and comprehensive, covering every aspect of bringing attacks to ground quickly.

In the event of a data breach, businesses and public sector agencies face tremendous costs—and even the potential for criminal penalties—for privacy law non-compliance. A breach can also cause significant damage to a brand or to your agency’s reputation.

A Holistic Approach to Incident Response Management
The overall cyber incident response management strategy is holistic. It defines not only the procedures that bring an attack to ground, but also how to design the entire program.
Cyber Incident Response Team
Incident response management begins by defining the team. These are the people involved in creating, implementing, and executing incident response plans. It includes all levels of management and those involved in identifying, containing, and remediating active cyber-attacks.
- Roles and responsibilities are assigned, including decision-makers and executive managers
- Internal and external resources are identified, including consultants and outside experts
- Team member skill levels and expertise are measured and noted
- Additional training and certification requirements are outlined
- Escalation, notification, and communication policies to the CSIRP team, general IT, and individuals outside of the IT department are documented
Specify Threat Boundaries
An important part of any plan is to determine the depth and breadth of coverage. A specific attack remediation plan created for the CSIRP knowledgebase begins with a threat scenario and its boundaries. Plans become nearly impossible to design, manage, and execute unless the threat is well defined.
- What is the attack type – ransomware, data breach, login credential phishing, unauthorized access, suspicious network traffic, etc.
- What services and systems are impacted – email, CRM, ERP, collaboration and communication, WAN network, or compute cloud, etc.
- Who is impacted – departments, sites, remote users, customer groups, engineering contractors, business partners, the entire company, etc.
An example of specific threat boundaries is ransomware on the CRM, which affects sales, marketing, customer service, and users. It’s also important to note that threats and plans are relational. A different or broader plan will require execution if a threat is not contained and spreads to another application. Remediation may include two or more situations and plans. As an example, an email phishing attack causes a salesperson to reveal their login credentials. This leads to a data leak of personal information for a thousand users. In this case, the CSIRP team will use two plans, one to close the phishing attack and the other to remediate the data loss.
Acceptable Loss Limits
No organization wants to have any losses caused by a cyber-attack. In some cases, other than a nuisance and lost productivity, there is no severe damage. On the other hand, many cases result in the loss of millions of dollars. With every CSIRP plan, there should be a reasonable determination of costs versus risks. As an example, in banking, there are often two mirrored systems per site and two mirrored sites. This is extremely expensive to maintain, but if the system is processing tens of thousands of credit-card transactions per minute, it is worth the expense. On the other hand, an internal HR system may be able to suffer a temporary outage of a few hours without causing any harm. When establishing a plan for an attack, it’s important to understand the cost of a service outage. The plan should include what expenses and downtime are deemed acceptable to bring the service back online in the event of a cyber-attack. Acceptable loss limits include:
- RPO – Recovery Point Objective is how much data an organization is prepared to lose (seconds, minutes, hours, days) if a system needs to be rebuilt back to a previous time.
- Whether lost data can be recovered manually
- RTO – Recovery Time Objective is how long a system can be offline while it is being recovered.
- SLA – Service level agreements can define acceptable loss limits.
- GDPR, ISO, and other regulatory compliance requirements may dictate loss limits
- Laws may define acceptable loss limits. Exceeding limits may lead to fines and penalties.
Threat Identification and Prioritization
Threat visibility is a critical component of any incident response management program. Threats need to be identified and classified if they are to be contained and remediated with a plan. If you have a CSIRP strategy, then you need to implement a system to monitor, log, identify, and categorize cyber-threats. This includes alerts and using automated processes to bring low and medium threats to ground. Without proper threat detection and classification, organizations may be overwhelmed by false alerts or wait for threats to be reported by users. Without comprehensive 24 x 7 x 365 visibility, attacks may spread and will require additional resources and plans to bring them to ground.
A large enterprise may have several threats occurring simultaneously. Once a threat is identified, it must be prioritized based on predetermined criteria such as the ‘Acceptable Loss’ and ‘Damage Potential’ associated with the attack. A threat to a credit-card transaction system will likely have priority over ransomware on an internal graphic design system. Large organizations may have different teams for different priorities. Attacks can be categorized into critical, high, medium, and low levels. Internal corporate security experts may focus on critical and high-level attacks and offload medium and low-level threats to an MDR (Managed Detection and Response) provider.
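The prioritization described above, together with the acceptable loss limits from the previous section, can be made mechanical so that every incident is ranked the same way regardless of who is on shift. The following Python is an added example, not code from Open Systems or from the article: it scores each incident from the affected service's RTO/RPO (how little loss the business tolerates) and its damage potential, adds a penalty when a threat has spread past its plan boundary, maps the score onto the four attack levels, and routes critical/high cases to the internal CSIRP team and medium/low cases to an MDR provider. The services, thresholds, and case numbers are constructed for illustration and are assumptions, not values from the page.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class Service:
    """A business service with the acceptable loss limits its owners agreed to."""
    name: str
    rpo: timedelta          # Recovery Point Objective: tolerable data loss
    rto: timedelta          # Recovery Time Objective: tolerable downtime
    damage_potential: int   # 1 = nuisance .. 5 = severe financial/legal damage


@dataclass(frozen=True)
class Incident:
    """An identified threat, bounded by attack type and the service it hits."""
    case_id: str
    attack_type: str
    service: Service
    spreading: bool = False  # crossed into another application / plan boundary?


def loss_tolerance_score(service: Service) -> int:
    """1..4: the less loss the business tolerates, the higher the score.

    Uses the tighter of RTO and RPO, since either one being tight means the
    service cannot wait for a slower plan. Bucket boundaries are assumptions.
    """
    def bucket(limit: timedelta) -> int:
        if limit <= timedelta(minutes=15):
            return 4
        if limit <= timedelta(hours=1):
            return 3
        if limit <= timedelta(hours=8):
            return 2
        return 1
    return max(bucket(service.rto), bucket(service.rpo))


def severity_score(incident: Incident) -> int:
    """Acceptable-loss score x damage potential, plus a penalty for a spreading threat."""
    score = loss_tolerance_score(incident.service) * incident.service.damage_potential
    if incident.spreading:
        score += 5   # a broader plan and more resources are now required
    return score


def severity_tier(score: int) -> str:
    """Map the numeric score onto the four attack levels (thresholds are assumptions)."""
    if score >= 16:
        return "critical"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def route(tier: str) -> str:
    """Internal experts take critical/high; medium/low are offloaded to the MDR provider."""
    return "internal-csirp" if tier in ("critical", "high") else "mdr-provider"


def triage(incidents):
    """Return (case_id, tier, handler) tuples, most urgent first."""
    ranked = sorted(incidents, key=severity_score, reverse=True)
    result = []
    for inc in ranked:
        tier = severity_tier(severity_score(inc))
        result.append((inc.case_id, tier, route(tier)))
    return result


# Constructed sample data (hypothetical services and cases, not from the article).
CARD_TX = Service("card-transactions", rpo=timedelta(0), rto=timedelta(minutes=5), damage_potential=5)
CRM = Service("crm", rpo=timedelta(hours=1), rto=timedelta(hours=1), damage_potential=3)
HR_PORTAL = Service("hr-portal", rpo=timedelta(hours=4), rto=timedelta(hours=4), damage_potential=2)
DESIGN = Service("graphic-design", rpo=timedelta(days=1), rto=timedelta(days=2), damage_potential=1)

SAMPLE_INCIDENTS = [
    Incident("INC-1001", "ransomware", DESIGN),
    Incident("INC-1002", "ransomware", CRM, spreading=True),
    Incident("INC-1003", "unauthorized access", CARD_TX),
    Incident("INC-1004", "credential phishing", HR_PORTAL),
]


def triage_sample():
    """Rank the constructed sample queue; used by the demo below."""
    return triage(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for case_id, tier, handler in triage_sample():
        print(f"{case_id}: {tier:8s} -> {handler}")
```

In the sample queue the unauthorized access on the card-transaction system outranks ransomware on the graphic-design system, exactly as the text describes, and the CRM ransomware rises from medium to high only because it has spread beyond its original boundary, which is the point at which a second, broader plan is triggered. The thresholds and weights are the part an organization should tune to its own cost-versus-risk determination; the structure (loss tolerance, damage potential, spread, tier, routing) is what keeps the ranking repeatable.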
Containment and Remediation
Once the threat is identified, the plan for containment and remediation is initiated. Plans can be short and simple or contain many complex steps. Elements of a plan include:
- Plan owner and alternates in the event the owner is not available
- Any overreaching governing policies such as HIPAA, ISO, SOX, etc.
- Communication and contact list for status updates
- Available hunting, containment, and remediation software, tools, and outside sources
- Time, cost, and acceptable loss goals for both containment and remediation
- Step-by-step processes including task timetables and the person responsible for each task
- Measurement for successful task completion
- Alternative procedures and tasks in the event a primary task fails
- Escalation in the event tasks fail to produce the desired outcome
- Escalation if time, cost, and acceptable loss limits need to be exceeded
- Criteria for case closure stating an attack is remediated
Incident Case Closure
Each attack has criteria that must be met to officially close the case. A final report is generated and provided to all stakeholders. It includes the results of containment and remediation actions and lists any follow-on activities such as rebuilding a system, closing a vulnerability, or issuing new security credentials. Other departments such as legal, HR, and compliance management may require reports to perform their own tasks. As an example, the unauthorized release or theft of customer information may need to be publicly reported.
It’s important to assess the performance of the CSIRP, including the effectiveness of the plans, coordination of tasks, communication, etc. After an incident case is closed, challenges such as lack of resources, poor visibility, failed tasks, limited alternatives, or insufficient training should be reviewed and remediated. It’s also important to determine how future threats can be deterred, detected, contained, and remediated more quickly. That includes reducing acceptable loss limits, damage, and required resources.
Consider a Service from an MDR Provider
A professional MDR service encompasses nearly all the processes, technologies, and techniques used to deter, detect, contain, and remediate cybersecurity threats and attacks. This includes remote users, cloud applications, compute clouds, WANs, and remote sites.
More advanced MDR service providers not only instruct the user on how to contain and remediate cyber-attacks but, if allowed behind the firewall, will also help bring attacks to ground. Leading MDR providers can also replace or augment the traditional SOC (Security Operations Center) with SOC-as-a-Service. The customer can be involved in cybersecurity issues to whatever level they require, from minimal to very hands-on.

Incident Response Management by Open Systems
Contact Open Systems customer advocates to obtain a free assessment. Learn more about implementing a complete cybersecurity posture with MDR (Managed Detection and Response) or SASE (Secure Access Service Edge).

