According to the IBM Cost of a Data Breach Report 2021:
Let's jump in with Step #4. We will come back to the first three steps at the end.
Containment is an important consideration early in the process of handling incidents. You must secure operations before an incident overwhelms resources or increases damage. Containment may involve taking affected systems offline, temporarily shutting down external access ports, and securing physical facilities. Containment also provides time for developing a tailored complete remediation strategy.
Be careful to preserve forensic data collected during these early stages.
Although the primary reason for gathering forensic evidence during an incident is to resolve the incident, it may also be needed for legal proceedings. It is essential to document how all evidence, including compromised systems, has been preserved.
An incident response team should be available when incidents occur. Depending on the magnitude of the incident, one or more team members will then respond to the incident. The incident team analyzes data, determines the impact of the incident, and acts appropriately to limit the damage and restore regular services. Key personnel includes a data forensics team, legal counsel, and affected staff. The credibility and proficiency of the team depend to a large extent on the technical skills and critical thinking abilities of its members.
After you contain an incident, eradication may be necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, and identifying and mitigating all vulnerabilities that were exploited. It is crucial to identify all affected hosts that need to be remediated during eradication.
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and remediate vulnerabilities to prevent similar incidents. Recovery may involve restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rules, boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process. Once adversaries successfully attack a resource, they often attack again. They may also try to attack other resources similarly.
The intent of the early phases should be to increase the overall security quickly through high-value changes to prevent future incidents. The later stages should focus on longer-term changes and ongoing work to keep the enterprise as secure as possible.
Your business may need to interact with several external organizations while conducting incident response activities. Examples include other incident response teams, law enforcement agencies, Internet service providers, constituents, and customers. Your organization's incident response team should plan its incident coordination with those parties before incidents occur.
Before initiating coordination efforts, businesses sharing information with external organizations should consult their legal department. There may be contracts or nondisclosure agreements that you need to implement before discussions occur.
The communication plan needs to reach all affected audiences, including employees, customers, investors, business partners, and other stakeholders. Anticipate questions and concerns. Good communication upfront can limit customers' concerns and frustration, saving your company time and money later.
Companies should consider which types of information they should or should not share with various parties. For example, external indicators, such as the general characteristics of attacks and the identity of attacking hosts, are usually safe to share. There may be security and liability reasons why an organization would not want to reveal sensitive details of an exploited vulnerability.
Share actionable information about cyber threats with other organizations. Contemporary threats and attacks make it more critical than ever for organizations to work together during incident response.
Another incentive for information sharing is the ability to respond using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, your company may leverage a trusted information-sharing network to effectively outsource the analysis of this malware to third-party resources that have the necessary technical capabilities.
Businesses should also consider any existing requirements for reporting, such as sharing incident information with law enforcement, information sharing, and analysis center (ISAC), or reporting incidents to a higher-level computer incident response team (CIRT) or the United States Computer Emergency Readiness Team (US-CERT).
One of the most critical parts of incident response is also the most often omitted: learning and improving. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Work with forensics experts to see what broke – identify root causes. Holding a "lessons learned" meeting with all involved parties after a significant incident can be extremely helpful in improving security measures and the incident handling process itself.
Your business should focus on collecting actionable data. It is best to decide what incident data to collect based on reporting requirements and the expected return on investment from the data. Possible metrics for incident-related data include:
Determine that termination criteria have been met and declare the end of the tactical recovery event. Stand down the recovery team and have staff return to their regular job functions.
Next, many organizations conduct a period of introspection and review and realize that the preparation for an incident was missing or insufficient. Use steps 1 -3 to improve incident readiness.
Establish a plan to implement, maintain and improve your response and recovery capability. Elements include policies, procedures, roles, training, and communications to prepare, detect, and respond to an attack quickly.
We cannot expect our protections to be effective 100% of the time. The primary goal of incident response is to identify threats on the enterprise, respond to them before they can spread, and remediate them before they can cause harm.
You do not want to be explaining your detailed incident response process to your staff during the heat of the crisis. Everybody who may need to be involved needs to know what the process is, how it works, and their role and expectations.
For example, if your incident response plan dictates that general counsel must decide to contact law enforcement, the entire team must know that and follow the correct process.
You will not have the time or focus to teach people the plan in real-time. Do it in advance.
After defining incident response procedures, your incident response team, or a third party, should engage in periodic scenario-based training, working through a series of attack scenarios fine-tuned to the threats and potential impacts the enterprise faces. These scenarios help ensure enterprise leadership and technical team members understand their role in the incident response process. Exercise and training scenarios will inevitably identify gaps in plans and operations and unexpected dependencies, which you can then update into the program.
Not every business can internally support the staffing and resources necessary for developing robust incident response programs on their own. Fortunately, you can partially or fully outsource to trusted partners the job of building in, training the team and running the tabletop exercises. At Truvantis, our vCISO service is not a one-size-fits-all solution. We take a personalized approach to your business situation, cybersecurity, privacy and incident response requirements.
Truvantis® is a cybersecurity consulting organization providing best-in-class cybersecurity services to secure your organization's infrastructure, data, operations and products. We specialize in helping our customers improve their cybersecurity posture by implementing testing, auditing and operating information security programs.
References: