The Often-Overlooked Foundational Steps in Cybersecurity Planning

By Kelly Gieg Insight Blog Security October 7, 2021

How you respond to a security incident can determine whether the problem gets fanned into flame or extinguished.

When companies plan their cybersecurity strategies, there’s often a lot of time spent talking about and testing various security solutions, backup and disaster recovery tools and security awareness training options. All these actions are vital components to building a strong security posture, but they’re not the first thing companies should be thinking about. One of the most important foundational activities organizations tend to put off until it’s too late (i.e., post-incident) is creating a plan that details how your company would handle a security incident. While it might sound a bit defeatist to create a plan that assumes the security tools and services you’re about to invest in to prevent a security incident are going to fail, it’s not the case. First, not every security incident is a worst-case scenario like the Colonial Pipeline attack that resulted in a $5 million ransom payment. Often, an incident is something much smaller, such as a failed attempt to breach your defenses. The second point is that a small security incident can become a serious threat if the incident response isn’t handled properly. More on this point below.

3 pitfalls to not having an incident response plan

While some companies may choose not to create an incident response (IR) plan, this is a big mistake. Here are three negative outcomes non-planners are more likely to experience:

Oversharing and legal troubles. This can occur when an employee becomes aware of an incident, then starts telling everyone—coworkers, family members, peers, etc. Not only can these conversations spread misinformation (e.g., the person may refer to the incident erroneously as a “cyberattack” or “breach”), but they also can make the company more vulnerable to law suits and fines.

Prematurely paying the ransom. Besides the fact that a threat actor might not honor their part of the deal (i.e., unencrypting your data), paying a ransom could violate the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory issued last year that warns against paying threat actors on the U.S. sanctions list. Imagine a company paying a large ransom and then having to pay a large fine afterward to the government.

Cyber insurance ineligibility. Security incidents and breaches have become so common that companies can take out insurance policies to help offset business losses. However, many cyber insurance providers require the client to have an IR team—either on staff or on retainer—as part of the terms and conditions of the plan.

Plan for the possibility of an attack

To avoid adding unnecessary complexity, cost and stress to an already difficult situation, it’s imperative that companies create an IR plan. The National Institute of Standards in Technology (NIST) has readily available resources that can help you build a plan. However, NIST also acknowledges there’s no one-size-fits-all approach. For example, some organizations may prefer a central IR plan where a central body such as a computer security IR team (CSIRT) handles the response. Other companies may require a distributed plan involving multiple response teams responsible for a location or affected systems. There’s even a coordinated option where a central team or body conveys response plans to the affected groups. Regardless of the option, be sure to heed the following tips when choosing someone for this role:

Select a well-rounded person. An IR person should have a wide range of technical skills, such as reading logs, running queries against SIEM (security information and event management) tools, performing data forensics and understanding hacker techniques. Additionally, this person needs to be able to interact with key stakeholders in the company and handle stress.

Invest in training and resources. To keep up with the evolving threat landscape, IR personnel will need to be constantly learning to keep up with these changes. Additionally, in handling an incident, the IR team needs access to computers and servers, so they’ll need easy access to credentials, IR tools and hardware to do their jobs.

Don’t overburden them. IR can be a high-stress job with high burnout potential. Security incidents rarely happen on a Monday morning; they’re more likely to occur on a Friday evening or over a holiday weekend. An incident may consume the IR person’s time for several days or weeks, requiring lots of overtime. It’s better if companies have at least two employees in this role, so they can cover for one another and balance the workload more easily. But, if that’s not possible, consider ways of helping the IR person maintain balance following a security incident.

PICERL: 6 phases of incident planning

One of the most widely used IR planning models, PICERL, comes from the SANS Institute. The acronym summarizes the six phases of an IR plan, including:

Preparation—If a company can get the right people, processes and tools in place ahead of an incident, it stands a much better chance of managing an incident rather than letting it escalate out of control.
Identification—Two critical questions must be answered at this point. First, how are you going to define an incident? Second, how are you going to identify an incident has taken place?
Containment—Key stakeholders will need to be informed at this stage, and it’s crucial to both limit the risk to the organization and keep it running at the same time.
Eradication—Once the full scope of the problem is understood, it’s time to clean up. You need to understand the attack vector and remove it permanently as well as clean up any remnants left over from the attack.
Recovery—Finally, it’s time to put things back into production after taking the system through any validation processes. These tests should be the same ones used to evaluate that the system is providing good data after a major upgrade or when a new application is installed.
Lessons Learned—Review all the information acquired during the incident process and determine whether your security posture needs to be modified to help prevent future attacks. It’s important to ensure these meetings don’t turn into finger pointing sessions. The goal is to create an atmosphere of transparency and continuous improvement, not create a culture of defensiveness.

For more information about adopting the PICERL process, download this free white paper from SANS.

Put your IR to the test: tabletop exercises and blue/red assessments

Having an IR plan and team are excellent steps in the right direction to building a more comprehensive security posture. But, it’s impossible to know how effective the team and plan will be until they’re tested. Here are two primary types of testing to consider:

Tabletop exercises. These services are typically performed by an outside firm and take about four hours. The process entails bringing the IR team and other key stakeholders into a room and running through various “what if” scenarios. For example, the leader may ask, “Suppose several of your network files were locked during a ransomware attack. How would you restore the files?” The person responsible for this process would explain how the files are backed up, including how often, and the restore procedure. The leader could then ask several probing follow-up questions, such as, “When was the last time you tested your backup? How long did it take to restore the data set?”

Red team and purple team assessments. While tabletop exercises are good at getting teams to think through scenarios, assessments take things to a whole other level. For example, a red team assessment involves ethical hackers using penetration (PEN) tools to attempt to break into your network like an attacker would do. The ideal assessment is a purple assessment—which gets its name from red plus blue (i.e., the security defenders), each working independently of the other. In other words, the defense team doesn’t know when the offense team is going to attack, nor do they know which methods the attackers will use, which gives the process a much more realistic feel. A purple assessment typically takes two weeks to complete.

Closing Thoughts

Threat actors have become very aggressive and innovative at what they do, and their increased success rates and payouts prove this point. Despite having the best security tools and services in place, nearly every company will experience a security incident at some point. By having an IR plan and team in place that know how to respond, the threat will more quickly be mitigated, resulting in lower downtime costs as well as higher stakeholder and customer confidence.

Kelly Gieg

+ posts

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other".
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
Zoominfo	session	Zoominfo uses technologies to collect and store information when you interact with services it offer to their partners, such as advertising services or analytics. All of those processes are meant to improve your user experience and the overall quality of our services.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_gtag_UA_111355416_1	1 minute	Set by Google to distinguish users.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This is a Hotjar cookie that is set when the customer first lands on a page using the Hotjar script.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's pageview limit.
_hjIncludedInSessionSample	2 minutes	This cookie is set to let Hotjar know whether the user is included in the data sampling defined by site's daily session limit.
_hjTLDTest	session	Hotjar test cookie to check the most generic cookie path it should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
oktgid	1 year	This cookie is used for storing the visitor ID of the user who clicked on an okt.to link.
oktsid	session	This cookie is used for storing the session ID of the user who clicked on an okt.to link.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
personalization_id	2 years	Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by YouTube and is used to track the views of embedded videos on YouTube pages.

Cookie	Duration	Description
__gwtCookieCheck	session	This cookie is used to check if the visitors' browser supports cookies.
AnalyticsSyncHistory	1 month	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
li_gc	2 years	These cookies are used to deliver advertisements more relevant to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information is shared with other organizations such as advertisers.
UserMatchHistory	1 month	LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences.

The Often-Overlooked Foundational Steps in Cybersecurity Planning

Kelly Gieg

UJIMA

VETs

WONDER

PRIDE

Mental Health Matters

KEVIN FLEURIE

Dan O’Brien

BRYAN CALDER

ROBERT KIM

VINCENT TRAMA

WAHEED CHOUDHRY

CHRIS CAGNAZZI

BRID GRAHAM

MICHAEL KELLY

KEVIN WATKINS

JENNIFER JACKSON

MANNY KORAKIS

JUSTIN FILIA

GOPINATHAN PANDURANGAN

STEVEN PALMESE

ELLIOT BRECHER

BARBARA ROBIDOUX

Please select your venue city and
complete registration form below.

Please complete registration
form below.

Dave Hart

CHRIS BARNEY

JOHN HANLON

Greg Hedrick

Courtney Washington

CHRISTINE KOMOLA

VINU THOMAS

JULIETTE AUSTIN