A written incident response plan details how your organization will respond to a cyberattack or data breach. How will you manage the consequences of an attack or breach? Without a solid, repeatable response plan, your organization will not be able to identify, contain, eradicate, recover, and learn from the event.
The National Institute of Standards and Technology defines an incident response plan as “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attack against an organization’s information system(s).”
What is the difference between a security event, a security incident, and a data breach?
Some short definitions for context. An event is anything that happens on your computer, while a security event is an event that affects security, such as changing a password or permissions, or scanning a network. A security incident encompasses any event in a system or network that may have relevance to security.
A data breach specifically refers to a type of security incident that results in unauthorized access or disclosure of sensitive information. When an intruder in your organization’s network moves from one computer to another, exfiltrates protected health information (PHI), and puts it up on the dark web, the security event becomes a data breach. Unintentional information disclosure, data leak, information leakage, and data spill are all other names for a data breach (Wikipedia).
Your organization has to label events like this because you must notify regulatory agencies, the media, law enforcement, and your clients as to what occurred, especially if those contacts are affected (IAPP).
Incident response should proceed through six steps to detect, respond to, and limit consequences.
What are the signs that you have been compromised?
Before I get into responses to cyber attacks, have you interacted with phishing or spam email, or fallen prey to a fake website?
If you have responded to phishing or spam emails with “remove me from your email list,” you may have sent out a beacon verifying your email. The email scammer may consequently become more aggressive in sending spam, or selling or trading your email address.
Or they may have lured you into clicking on or putting personal data into a professional-looking website.
These are other warning signs that your network or endpoints (computerized devices) may have been compromised:
(1) Unauthorized access to computers, files, webcam, or microphone.
(2) Ransomware attack.
(3) Slow performance (can be a sign of your computer being used as part of a botnet or cryptomining).
(4) Adware, other malware, or email spam.
Do you think it’s too late? What do you do if you have been compromised?
What are the steps in incident response?
(1) Preparation: Your employees should be equipped to handle security incidents with effective operating procedures and training. Information assets should be cataloged. You should decide who and what are mission critical for business continuity (the continuation of business after a security incident or disaster).
Cybersecurity policy should ensure your organization’s compliance with legal and regulatory requirements (like HIPAA). Your vulnerabilities, threats, and response activities should be identified through a risk assessment. Network and user identities need to be monitored. Firewalls, virtual private networking, and file monitoring software are controls that should be used. Unauthorized changes should be detected and rolled back if needed.
(2) Identification: Identifying events as they happen relies on 24/7 monitoring of intrusion detection and prevention systems, security information and event management, file integrity checking, third-party monitoring services, malware logs, operating systems, services, applications, network devices and flows, and alert reviews. Your in-house contact should monitor publicly available information about vulnerabilities, exploits, people, and reports regarding security events or activity.
(3) Containment: In case of a successful attack, your company needs to limit the damage and isolate affected systems. Containment, along with (4) eradication and (5) recovery, prevents the spread of a breach or incident and stops criminals from moving into other systems.
(4) Eradication: Your organization should eradicate the infection by finding and removing the compromised or responsible system.
(5) Recovery: Your organization must then clean the affected systems so you can return to regular business as soon as possible. This process should be documented for the future. Business continuity is the critical goal.
(6) Lessons Learned: In addition to the postmortem communications by PR, your staff should understand what they must do to help your organization promote business continuity after the incident. Your organization should follow NIST’s recommendations for recovery: continued monitoring, revisiting security measures, and taking proactive steps to evaluate and detect events of any type using log review.
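As an added illustration (not code from the original article) of the file integrity checking named under Preparation and Identification, the following Python script baselines a directory with SHA-256 hashes and later flags added, modified, and removed files; the directory contents it checks are constructed inside the script.

```python
import hashlib
import os
import tempfile

# Added example, not part of the original article: a minimal file-integrity
# check. A baseline of SHA-256 hashes is taken while the system is known-good,
# and a later snapshot is compared against it to flag unauthorized changes.
CHUNK = 65536


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(CHUNK), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = digest.hexdigest()
    return hashes


def diff_snapshots(baseline, current):
    """Classify changes between a baseline and a later snapshot."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
    }


def demo_scenario():
    """Constructed scenario: baseline three files, then alter the tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in (("etc/hosts", b"127.0.0.1 localhost\n"),
                          ("etc/app.conf", b"log_level=info\n"),
                          ("app.cfg", b"debug=false\n")):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Simulated unauthorized changes: one edit, one new file, one deletion.
        with open(os.path.join(root, "etc/hosts"), "ab") as fh:
            fh.write(b"10.0.0.5 update-server\n")
        with open(os.path.join(root, "etc/extra.conf"), "wb") as fh:
            fh.write(b"enabled=true\n")
        os.remove(os.path.join(root, "app.cfg"))
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo_scenario().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored off-host (or signed) so that an intruder who alters files cannot also alter the record they are compared against.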
Incident response policy will guide your organization at a high level. You must assign duties to each member of your IT team and leadership. Everyone in your organization needs to be in on prevention. Your plan states that your organization is ready, able, and responsible to respond to security incidents appropriately.
Some Other Concrete Steps For Incident Response
Your organization can take some concrete steps to recover after a security incident or cyber attack:
1. Contact your insurance company if there is a claim to be filed; insurance will recommend a breach coach, who works with organizations to isolate affected data, notify customers, retain forensics professionals, and manage crisis communications when a breach occurs (Travelers).
2. Your state will have notification requirements as well (California’s requirements).
3. Stop using affected devices.
4. Change passwords on all systems. Set up MFA if you are not using it. Use passphrases or password managers for the strongest results.
5. Monitor network and perform an updated malware scan for all systems.
6. Collect evidence and begin a forensics exam if the affected system is considered a crime scene.
7. Notify credit bureaus and determine credit monitoring needs for victims if ID theft is suspected.
8. Notify relevant employees and the internal department in charge of fraud, clients, law enforcement, and federal agencies, like the FTC. Remain in communication with affected businesses. IT should update them on their progress.
The point of an incident response plan is to improve and learn so the next attack will be less impactful. Your company’s reputation also hinges on a successful incident response.
Following the written cybersecurity incident response plan will help your organization express its cybersecurity readiness and risk management decisions to the public.
Questions to Ask Yourself About Incident Response
– When should a security event be escalated to a security incident?
– What are the reporting requirements for the incident?
– Who will lead your critical incident response team in recovery efforts, and who else is on the critical incident response team?
– What are their duties? (In case law enforcement must be involved, the critical incident response team will preserve chain of custody and oversee the transport of data and computer equipment, secure the environment around the compromised systems, document and record what they discover, and create a report for the event.)
– Who is the executive-level sponsor who will help prioritize breach preparedness at the leadership level? (This is who will coordinate and report to the board and relevant parties.)
– Who is your human resources contact?
– Who is your internal or external general counsel?
– Who are the public relations and marketing team members who will communicate with the outside world? (If an incident is revealed to be a data breach of a specific size, your organization may be required to disclose the breach to the media or notify individuals.)
– When will incident response exercises occur, and who is required to participate in them?
Business Continuity In Case Of Disaster
As you actively participate in your organization’s recovery, also implement a disaster recovery plan in case of a more severe attack or disaster that could take out your organization’s systems entirely. What would happen if a worst-case scenario hit your organization, such as an environmental disaster or a military, terrorist, or cyber attack?
A disaster plan provides contingencies for restoring your organization’s IT functionality with the least disruption possible, e.g., computers, power, telephone systems, and physical assets like printed documents.
Disaster Recovery Restoration Site Types
If a disaster occurs, your organization could need to move operations to a recovery facility until the regular business place is restored. Recovery facilities fall into one of three types:
Cold site – Computers and infrastructure are available but not configured, connected, or updated. Recovery could take weeks.
Warm site – Computers and infrastructure are available but only partly configured, connected, and updated. Some recovery systems at that location may only receive updates monthly. Recovery could take hours or days.
Hot site – Computers and infrastructure are kept as exact duplicates of the regular systems and network.
The cost of upkeep and level of maintenance both increase from cold (the least expensive and least time-consuming) to hot (the most expensive and most time-consuming).
Cloud site – An alternative to the three traditional types above, cloud disaster recovery combines strategies and services intended to back up data, applications, and other resources to a public cloud or to a dedicated managed service provider. When a disaster occurs, your data, applications, and other resources can be restored to your premises or cloud provider so your organization can resume business (Tech Target).
Your organization’s recovery needs will dictate which site type you maintain. You may choose a warm site so that your organization’s recovery would take less time than a cold site and cost less than a hot facility.
Questions to Ask Yourself About Disaster Recovery
– Who are the individuals charged with your recovery, and what are their phone numbers and contact information?
– Where are your data backups (helpful with ransomware attacks, for example), what are the backup schedules, and how can you fully recover your data?
– How will you communicate with local or national service carriers in a disaster?
– Who will participate in and test disaster recovery?
– With which employees (cross-departmental) and customers will you regularly communicate in a disaster?
Conclusion: Plan for the Worst, Recover The Best
Having processes for recovery from a cybersecurity incident can save you a lot of headaches when it comes—and it will come. Preparing for a crisis takes detailed planning and will ensure faster recovery, handle messaging within and outside of the organization, and aid in preserving your organization’s reputation.
Similarly, preparing for a disaster can help you preserve business continuity when a more significant incident or disaster occurs.
Both are indispensable in today’s modern marketplace.