How can Organizations Prepare for a Security Incident?
It has become a matter of when – not if – an incident will occur. A cyber or security incident is an event that may indicate that an organization’s data, systems, or permissions have been compromised. This could be a stolen password, a database breach, or corporate espionage. 95 percent of cybersecurity breaches are caused by human error (World Economic Forum).
As organizations incorporate more technology into their processes and bad actors adopt more sophisticated attacks, the frequency and severity of incidents increase. Proactive security incident planning is essential for reducing the impact of a cybersecurity-related event. This takes the form of an incident response (IR) plan. Incident response ensures that any damages caused by a security incident can be minimized due to swift actions when the incident is discovered. 54 percent of companies say their IT departments are not sophisticated enough to handle advanced cyberattacks (Sophos).
Planning, communication, and incident response drills are essential when formulating an incident response (IR) plan. An incident response plan is a well-documented, written plan. The incident response plan has distinct phases intended to set responsibilities and timelines for IT professionals and organizational employees. These timelines set precedence and order for recognition and response to an incident. The IR plan also helps your organization deal with cybersecurity issues. The most expensive component of a cyberattack is information loss, averaging $5.9 million (Accenture).
The SANS Institute, conducts and publishes a vast amount of cybersecurity research. The institute published a white paper titled the Incident Handler’s Handbook regarding incident response. This handy 19-page guide describes an incident as “any violation of policy, law, or unacceptable act that involves information assets.”
The SANS Institute then introduces phases that build upon each other and serve as a foundation to perform incident response and develop an organization’s incident response plan. This is otherwise known as the PICERL Security Incident Framework: Prepare, Identify, Contain, Eradicate, Recover, and Lessons Learned.
SANS Institute Approach to Incident Response Planning
- Preparation – The internal security team or Managed Security Services Provider (MSSP) that your organization utilizes should be ready to handle an incident as close to real-time as possible. Considered the most critical phase, preparation for an incident response will dictate how well your team can respond to alarming events, ranging from hardware and electrical failings to hacking and corporate espionage.
Phase Key Elements for Mitigating Potential Problems
- Policies – Clear policies create an environment of security transparency that protects an organization from legal vulnerabilities while enforcing good cyber and information hygiene throughout the organization.
- Response Plan & Strategy – Organizational impact should prioritize incidents to receive executive sponsorship and appropriate resource allocation for the program.
- Communication – A vital element to prevent potential issues is having a clear idea of notification procedures and whom to contact, when it’s appropriate, and why they are receiving an incident response communication. Without this, response time can lag dramatically, the wrong people can be contacted, and resource allocation could be mishandled.
- Documentation – Documentation proves vital for bringing justice if the incident is considered criminal. Couple this with documenting what happened to build upon experience and lessons learned. Every action taken by the incident response team should be documented and able to clearly answer who, what, where, why, and how questions.
- Team – Stakeholders should be multidisciplinary to manage the multitude of problems that can arise during or as a result of an incident. These team members can include legal, HR, PR, and IT staff specially trained to handle these situations.
- Access Control – It is critical to ensure the incident response team has the correct level of permissions while mitigating the problem. It is important to note that permission levels should not be overly privileged or allow unnecessary access when there is no incident to respond to.
- Tools – The incident response team must be equipped with the tools (software, hardware, anti-malware, screwdrivers, USB drives, laptop with forensics software, etc.) and know best practices regarding dealing with an incident. A pro tip from SANS is to put together a “jump bag” that can be quickly grabbed during an incident response.
- Identification – Deviation from normal operations can indicate or directly result in an incident. This phase is one of documentation and gathering of evidence. This can include aggregating events from various sources, including log files, error messages, Security Information & Event Monitoring (SIEM) tools, and others.
Suppose an event is evaluated to be an incident. In that case, speed is crucial for reporting to allow the IR team enough time to collect evidence and begin preparations for the following steps in an incident response plan.
- Containment – This phase is intended to limit damage and prevent further damage from occurring from the incident. In this multi-step phase, each action required by the incident response team is necessary to mitigate the incident and prevent the destruction of any evidence that may be needed later by law enforcement.
Phase Key Steps for Containment
- Short-Term Containment – Limit damage as soon as possible to contain the incident before it worsens. Not intended as a long-term solution.
- System Back-Up – Before wiping and reimaging any system, it is critical to take a forensic image of the affected system. This should be carried out by your IR response team using tools that are accredited by the computer forensics community, as these records will preserve evidence from the event that can demonstrate the incident that occurred became of criminal action or serve as a lesson learned if a bad actor did not cause the compromise.
- Long-Term Containment – Affected systems are temporarily fixed to enable work. This differs from rebuilding clean systems, which happens in the next phase. The containment work can include permissions checks, removal of accounts or backdoors left on affected systems, security patching, and efforts to limit further escalation.
- Eradication – This phase focuses on removal and restoration. It is essential to utilize a proper incident response workflow to remove malicious content and ensure that the systems are clean, including wiping and reimaging hardware. At this juncture, defenses should be put in place, based on collecting evidence and learnings from the incident, to ensure that the system cannot be compromised similarly again.
- Recovery – This serves the purpose of bringing affected systems back into the production environment. This should be done in stages and carefully while testing, monitoring, and validating systems to prevent reinfection or another incident from occurring.
The incident response team should consult the incident response plan and reactively make essential decisions regarding restoration time, how testing is conducted to verify compromised systems are clean, how long to monitor for aberrational behaviors, and what toolset should be used to test, monitor, and validate the system.
- Lessons Learned – Considered by the SANS Institute as the most critical phase, this is when documentation is completed and possibly amended to include information that may be useful in future incidents. This document should be a report that can answer “Who, What, Where, When, and Why” queries.
A formal meeting should be conducted to review incident documentation so the incident response team can grow. Reference materials should be conferred for the event of a similar event, with the creation of training materials for new employees and benchmarking standards for future actions.
Lessons learned sessions should contain responses for the following:
- First detection of the problem
- Who discovered the incident
- Containment and eradication steps taken
- What was done during recovery
- Areas where the incident response team was effective
- How to improve
By piecing together a response through documentation and review, a precedent can be put into place to ensure that the incident response plan, the incident response team, and the company are better fit to mitigate risks from incidents.
The American Technology Services (ATS) Incident Response team brings strategy, organization, and control to what can be an alarming and confusing situation when an incident arises. The ATS IR team collaborates with your organization to properly escalate and handle critical cybersecurity events.
Regarding the overall cybersecurity process for responding to cyberattacks and data breaches, ATS works with you to resolve immediate security incidents and form a long-term strategy to reduce threat vectors.
ATS’ Incident Response team is comprised of top security analysts running an advanced 24/7 Security Operations Center. The ATS IR team is skilled in responding to cyberattacks and data breaches and takes an intelligence-forward team approach to real-world incident response and remediation.