How you respond to a security incident can determine whether the problem gets fanned into flame or extinguished.
When companies plan their cybersecurity strategies, there’s often a lot of time spent talking about and testing various security solutions, backup and disaster recovery tools and security awareness training options. All these actions are vital components to building a strong security posture, but they’re not the first thing companies should be thinking about. One of the most important foundational activities organizations tend to put off until it’s too late (i.e., post-incident) is creating a plan that details how your company would handle a security incident. While it might sound a bit defeatist to create a plan that assumes the security tools and services you’re about to invest in to prevent a security incident are going to fail, it’s not the case. First, not every security incident is a worst-case scenario like the Colonial Pipeline attack that resulted in a $5 million ransom payment. Often, an incident is something much smaller, such as a failed attempt to breach your defenses. The second point is that a small security incident can become a serious threat if the incident response isn’t handled properly. More on this point below.
3 pitfalls to not having an incident response plan
While some companies may choose not to create an incident response (IR) plan, this is a big mistake. Here are three negative outcomes non-planners are more likely to experience:
- Oversharing and legal troubles. This can occur when an employee becomes aware of an incident, then starts telling everyone—coworkers, family members, peers, etc. Not only can these conversations spread misinformation (e.g., the person may refer to the incident erroneously as a “cyberattack” or “breach”), but they also can make the company more vulnerable to law suits and fines.
- Prematurely paying the ransom. Besides the fact that a threat actor might not honor their part of the deal (i.e., unencrypting your data), paying a ransom could violate the U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory issued last year that warns against paying threat actors on the U.S. sanctions list. Imagine a company paying a large ransom and then having to pay a large fine afterward to the government.
- Cyber insurance ineligibility. Security incidents and breaches have become so common that companies can take out insurance policies to help offset business losses. However, many cyber insurance providers require the client to have an IR team—either on staff or on retainer—as part of the terms and conditions of the plan.
Plan for the possibility of an attack
To avoid adding unnecessary complexity, cost and stress to an already difficult situation, it’s imperative that companies create an IR plan. The National Institute of Standards in Technology (NIST) has readily available resources that can help you build a plan. However, NIST also acknowledges there’s no one-size-fits-all approach. For example, some organizations may prefer a central IR plan where a central body such as a computer security IR team (CSIRT) handles the response. Other companies may require a distributed plan involving multiple response teams responsible for a location or affected systems. There’s even a coordinated option where a central team or body conveys response plans to the affected groups. Regardless of the option, be sure to heed the following tips when choosing someone for this role:
- Select a well-rounded person. An IR person should have a wide range of technical skills, such as reading logs, running queries against SIEM (security information and event management) tools, performing data forensics and understanding hacker techniques. Additionally, this person needs to be able to interact with key stakeholders in the company and handle stress.
- Invest in training and resources. To keep up with the evolving threat landscape, IR personnel will need to be constantly learning to keep up with these changes. Additionally, in handling an incident, the IR team needs access to computers and servers, so they’ll need easy access to credentials, IR tools and hardware to do their jobs.
- Don’t overburden them. IR can be a high-stress job with high burnout potential. Security incidents rarely happen on a Monday morning; they’re more likely to occur on a Friday evening or over a holiday weekend. An incident may consume the IR person’s time for several days or weeks, requiring lots of overtime. It’s better if companies have at least two employees in this role, so they can cover for one another and balance the workload more easily. But, if that’s not possible, consider ways of helping the IR person maintain balance following a security incident.
PICERL: 6 phases of incident planning
One of the most widely used IR planning models, PICERL, comes from the SANS Institute. The acronym summarizes the six phases of an IR plan, including:
- Preparation—If a company can get the right people, processes and tools in place ahead of an incident, it stands a much better chance of managing an incident rather than letting it escalate out of control.
- Identification—Two critical questions must be answered at this point. First, how are you going to define an incident? Second, how are you going to identify an incident has taken place?
- Containment—Key stakeholders will need to be informed at this stage, and it’s crucial to both limit the risk to the organization and keep it running at the same time.
- Eradication—Once the full scope of the problem is understood, it’s time to clean up. You need to understand the attack vector and remove it permanently as well as clean up any remnants left over from the attack.
- Recovery—Finally, it’s time to put things back into production after taking the system through any validation processes. These tests should be the same ones used to evaluate that the system is providing good data after a major upgrade or when a new application is installed.
- Lessons Learned—Review all the information acquired during the incident process and determine whether your security posture needs to be modified to help prevent future attacks. It’s important to ensure these meetings don’t turn into finger pointing sessions. The goal is to create an atmosphere of transparency and continuous improvement, not create a culture of defensiveness.
For more information about adopting the PICERL process, download this free white paper from SANS.
Put your IR to the test: tabletop exercises and blue/red assessments
Having an IR plan and team are excellent steps in the right direction to building a more comprehensive security posture. But, it’s impossible to know how effective the team and plan will be until they’re tested. Here are two primary types of testing to consider:
- Tabletop exercises. These services are typically performed by an outside firm and take about four hours. The process entails bringing the IR team and other key stakeholders into a room and running through various “what if” scenarios. For example, the leader may ask, “Suppose several of your network files were locked during a ransomware attack. How would you restore the files?” The person responsible for this process would explain how the files are backed up, including how often, and the restore procedure. The leader could then ask several probing follow-up questions, such as, “When was the last time you tested your backup? How long did it take to restore the data set?”
- Red team and purple team assessments. While tabletop exercises are good at getting teams to think through scenarios, assessments take things to a whole other level. For example, a red team assessment involves ethical hackers using penetration (PEN) tools to attempt to break into your network like an attacker would do. The ideal assessment is a purple assessment—which gets its name from red plus blue (i.e., the security defenders), each working independently of the other. In other words, the defense team doesn’t know when the offense team is going to attack, nor do they know which methods the attackers will use, which gives the process a much more realistic feel. A purple assessment typically takes two weeks to complete.
Threat actors have become very aggressive and innovative at what they do, and their increased success rates and payouts prove this point. Despite having the best security tools and services in place, nearly every company will experience a security incident at some point. By having an IR plan and team in place that know how to respond, the threat will more quickly be mitigated, resulting in lower downtime costs as well as higher stakeholder and customer confidence.