First Steps when Executing a Cyber Incident Response Plan
The initial stages of incident response are frequently the most important. Incidents always involve elements of the unknown and unexpected. If this weren’t the case, then the events causing the incident should be prevented outright. This inevitable, initial lack of full understanding of the incident can cause panic and disorganization, which reduces the effectiveness of the response. An effective early incident response establishes an intentional, methodical tempo for the full process. The goal of cyber incident response is to fully understand an incident, its causes, its impact on an organization, and the required steps for remediation and prevention of similar incidents.
1. Detect the Incident
The first required step in cyber incident response involves detection. An incident first needs to be discovered before further response steps can take place. Detection can come from innumerable sources. Discrete systems may generate alarms which need to be investigated. Firewalls, intrusion-detection systems, antivirus and other endpoint protection services, network monitoring tools, and SaaS and public cloud systems are just a few of the systems that may generate events and alarms that need to be individually investigated. These sources can be individually tuned to generate quality alarms.
Organizations with more mature security programs may collect these discrete sources into a single system, known as Security Information and Event Management, or SIEM. A SIEM may also consume other relevant data, such as threat intelligence feeds, network flow data, and vulnerability scan data. These events can be correlated by the SIEM, generating high-confidence alarms. Additionally, a SIEM typically provides a quality search functionality, which supports rapid incident response.
Initial detection may also come from individuals, both inside and outside of an organization. Individuals within an organization should be trained and vigilant in identifying precursors and indicators of cyber incidents. There should be an established internal channel to report incidents, such as a designated primary contact or a ticketing system. Reports may come from clients, vendors, or the general public, and general contact information should be available and reviewed for incident reports. But individuals outside of the organization can’t be expected to use an official channel. For example, there are many accounts of good-natured, serious incident reporters making initial contact through social media. Everyone within an organization should understand what steps to take when receiving a report from an outside source.
One notable challenge in the detection process is defining what constitutes a “cyber incident.” Most organizations with public-facing resources are attacked many times a day. Brute-force authentication attempts, password spraying, and vulnerability scanning occur against all of these resources, almost constantly. End-users may receive poorly spoofed emails that evade filters. However, these events may not constitute a “cyber incident” within an organization unless they break the expected confidentiality, integrity or availability of a system. An important part of the detection process is “baselining.” This involves silencing the day-to-day expected noise in a system, so only high-confidence events are escalated to alarms.
Clean, actionable alarms from this stage of the incident response lifecycle are used in subsequent stages to determine the correct course of action.
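The baselining and correlation described above, as an added example that is not code from the original article: a small Python routine that takes raw authentication events, silences the expected per-source noise, and escalates only correlated, high-confidence alarms (a password spray across many accounts, an above-baseline burst on one account, or a successful login from a source listed in a threat-intelligence feed). The log format, the thresholds, and the threat-intel set are all constructed for this example; a real SIEM would supply its own.

```python
"""Baselining and correlation of raw security events into alarms.

Added example, not code from the original article. Inputs are constructed:
a handful of auth log lines in an assumed "ts src user result" format,
two baseline thresholds, and a tiny stand-in threat-intelligence set.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample events. The line format is an assumption for this example.
RAW_EVENTS = """\
2024-03-01T08:00:01 198.51.100.7 alice login_failed
2024-03-01T08:00:05 198.51.100.7 alice login_failed
2024-03-01T08:01:10 198.51.100.7 alice login_ok
2024-03-01T08:02:00 203.0.113.9 bob login_failed
2024-03-01T08:02:01 203.0.113.9 carol login_failed
2024-03-01T08:02:02 203.0.113.9 dave login_failed
2024-03-01T08:02:03 203.0.113.9 erin login_failed
2024-03-01T08:02:04 203.0.113.9 frank login_failed
2024-03-01T08:02:30 203.0.113.9 frank login_ok
2024-03-01T09:00:00 192.0.2.44 alice login_ok
"""

# Constructed threat-intel feed: sources already known to be hostile.
THREAT_INTEL = {"192.0.2.44"}

# Baseline: the expected daily noise. A user mistyping a password a couple of
# times from their usual address is not an incident and must stay silent.
BASELINE_FAILS_PER_SOURCE = 3   # failed logins from one source before we care
SPRAY_DISTINCT_USERS = 4        # distinct users failing from one source = spray


def parse(line):
    """Split one constructed log line into a dict with a real datetime."""
    ts, src, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "user": user, "result": result}


def baseline_and_correlate(raw, intel=THREAT_INTEL):
    """Return high-confidence alarms; everything below baseline stays silent."""
    events = [parse(line) for line in raw.splitlines() if line.strip()]
    fails = defaultdict(list)      # src -> list of users that failed
    successes = defaultdict(set)   # src -> set of users that logged in
    for e in events:
        if e["result"] == "login_failed":
            fails[e["src"]].append(e["user"])
        elif e["result"] == "login_ok":
            successes[e["src"]].add(e["user"])

    alarms = []
    for src, users in fails.items():
        distinct = set(users)
        # Correlation 1: many distinct users failing from one source looks like
        # password spraying; severity rises if a sprayed account then succeeds.
        if len(distinct) >= SPRAY_DISTINCT_USERS:
            hit = distinct & successes.get(src, set())
            alarms.append({"src": src, "type": "password_spray",
                           "severity": "high" if hit else "medium",
                           "compromised": sorted(hit)})
        # Correlation 2: more failures from one source than the baseline allows.
        elif len(users) > BASELINE_FAILS_PER_SOURCE:
            alarms.append({"src": src, "type": "brute_force",
                           "severity": "medium", "compromised": []})
        # Otherwise: expected day-to-day noise, silenced by the baseline.
    # Correlation 3: any successful login from a source in the intel feed.
    for src, users in successes.items():
        if src in intel:
            alarms.append({"src": src, "type": "login_from_known_bad_source",
                           "severity": "high", "compromised": sorted(users)})
    return sorted(alarms, key=lambda a: a["src"])


if __name__ == "__main__":
    for alarm in baseline_and_correlate(RAW_EVENTS):
        print(alarm)
```

With the constructed input, the two failures from 198.51.100.7 fall under the baseline and produce nothing, while the spray from 203.0.113.9 (followed by a successful login as one of the sprayed users) and the login from the intel-listed 192.0.2.44 each become a single alarm that already names the accounts an analyst should look at first.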
2. Notify Cyber Incident Handling Team
When a possible cyber incident is discovered, the Cyber Incident Response Team (CIRT) should be notified. The composition of this team may vary greatly, depending on the resources and requirements of an organization. Typically, this team consists of members from different groups within an organization. The composition of this group should represent broad and deep institutional and technical knowledge. Typically, this team will consist of management and IT resources, but it may also include Information Security, Human Resources, Legal, and Public Relations resources, depending on the needs of the organization. A well-trained CIRT can convene and quickly review the cyber incident indicators to determine its causes, impacts, and the path to resolution.
3. Analyze Data and Validate the Incident
With a CIRT convened and incident indicators in hand, the next immediate step is to further analyze the facts to confidently validate that a cyber incident has occurred or is occurring. This step is ideally initiated shortly after a credible cyber incident indicator or precursor is detected. The combined knowledge and perspective of the CIRT resources should serve to rapidly determine the veracity of the incident, as well as an initial understanding of its scope and impact.
4. Begin Documenting the Facts
The first step after you become aware that a cyber incident has occurred is to begin documenting all the facts. This will likely involve gathering, parsing, augmenting, and preserving available indicators and related data. For example, in the event of an account compromise, these steps may involve establishing when the account was compromised and what actions were performed by the account during the incident. Gathered incident information, such as known malicious IP addresses or attacker activity windows, can be used to investigate the scope of the incident across disparate systems. All of this data may be augmented with synthetic features, such as geolocation and threat intelligence. A SIEM can be particularly useful for efficiently searching through security events within an organization. The more complete the information available, the easier it is to accurately determine the scope and impact of the incident.
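The account-compromise scoping just described, worked through as an added example (not code from the original article): starting from events a SIEM search might return for one account, it enriches each event with stand-in geolocation and threat-intelligence lookups, establishes when the account was first used from a suspicious source and what it did, then pivots on those source addresses and the padded activity window to find which other systems and accounts were touched. The events, the enrichment tables, the home country, and the 30-minute padding are all constructed assumptions; in practice the events come from the SIEM and the lookups from real services.

```python
"""Scoping an account compromise from gathered indicators.

Added example, not code from the original article. The events are constructed
to resemble SIEM search results; the geolocation and threat-intel tables are
stand-ins for real lookup services.
"""
from datetime import datetime, timedelta

# Constructed events across disparate systems (system, time, source, account, action).
EVENTS = [
    {"system": "vpn",       "ts": "2024-03-01T02:10:00", "src": "198.51.100.7", "account": "alice", "action": "login_ok"},
    {"system": "vpn",       "ts": "2024-03-01T02:11:00", "src": "198.51.100.7", "account": "alice", "action": "mfa_push_approved"},
    {"system": "email",     "ts": "2024-03-01T02:20:00", "src": "198.51.100.7", "account": "alice", "action": "inbox_rule_created"},
    {"system": "email",     "ts": "2024-03-01T02:25:00", "src": "198.51.100.7", "account": "alice", "action": "mail_forward_enabled"},
    {"system": "fileshare", "ts": "2024-03-01T02:40:00", "src": "198.51.100.7", "account": "bob",   "action": "download"},
    {"system": "vpn",       "ts": "2024-03-01T09:00:00", "src": "203.0.113.5",  "account": "alice", "action": "login_ok"},
    {"system": "email",     "ts": "2024-02-28T17:00:00", "src": "203.0.113.5",  "account": "alice", "action": "login_ok"},
]

# Constructed enrichment tables standing in for geolocation / threat-intel lookups.
GEO = {"198.51.100.7": "XX", "203.0.113.5": "US"}
INTEL = {"198.51.100.7": "known-proxy"}
HOME_COUNTRY = "US"   # assumption: where the organisation's users normally sit


def ts(event):
    return datetime.fromisoformat(event["ts"])


def enrich(event):
    """Augment one event with synthetic features: geolocation and intel tag."""
    out = dict(event)
    out["geo"] = GEO.get(event["src"], "unknown")
    out["intel"] = INTEL.get(event["src"])
    return out


def scope_incident(events, account, window_pad=timedelta(minutes=30)):
    """Build the documented facts for one compromised account.

    Returns None when no activity for the account looks suspicious.
    """
    enriched = [enrich(e) for e in events]
    # Step 1: which sources used this account are suspicious (foreign geo or intel hit)?
    suspicious = {e["src"] for e in enriched
                  if e["account"] == account and (e["geo"] != HOME_COUNTRY or e["intel"])}
    acct_bad = [e for e in enriched if e["account"] == account and e["src"] in suspicious]
    if not acct_bad:
        return None
    first, last = min(map(ts, acct_bad)), max(map(ts, acct_bad))
    # Step 2: pivot on the indicators (malicious sources + padded activity window)
    # across every system, not just the one where the compromise was noticed.
    start, end = first - window_pad, last + window_pad
    related = [e for e in enriched if e["src"] in suspicious and start <= ts(e) <= end]
    return {
        "account": account,
        "malicious_sources": sorted(suspicious),
        "compromised_from": first.isoformat(),
        "window": (start.isoformat(), end.isoformat()),
        "actions_by_account": [e["action"] for e in sorted(acct_bad, key=ts)],
        "affected_systems": sorted({e["system"] for e in related}),
        "other_accounts_touched": sorted({e["account"] for e in related} - {account}),
        "timeline": [(e["ts"], e["system"], e["account"], e["action"])
                     for e in sorted(related, key=ts)],
    }


if __name__ == "__main__":
    for k, v in scope_incident(EVENTS, "alice").items():
        print(f"{k}: {v}")
```

The legitimate logins from 203.0.113.5 are excluded by the enrichment step, so the report records the account as compromised from the first suspicious VPN login, lists the mailbox changes made during the window, and shows that the same source also touched a second account on the file share, which is exactly the cross-system scope the CIRT needs before deciding on containment.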
This information is used by management to guide the resolution of the incident and inform other related responsibilities of the organization.
The effectiveness and efficiency of incident response, particularly in the early stages, depends on preparation. Quality incident detection requires well-configured technology and well-trained staff. Effective incident handling requires a well-informed CIRT composed of diverse roles suited to an organization’s needs. All incident responses begin with some uncertainty, which can result in a disorganized response. An effective incident response process can cover a lot of ground quickly when the right technology, the right roles, and the right processes are already established.