In today’s world, it is no longer a question of “if” but a matter of “when” your organisation will suffer a cyber-attack. Reports show that 9 out of 10 major businesses in the UK fall victim to some form of security breach, so it is crucial that you are ready to respond immediately and minimise disruption.
Under the new General Data Protection Regulation (GDPR), which comes into force next month, organisations that store the personal information of individuals residing within the European Union are required to report data breaches within 72 hours of becoming aware of them. Three days to assess and report a breach is a very short time, so implementing a robust cyber incident response (CIR) strategy is vital to meeting this obligation.
In fact, a CIR plan is a compulsory component of many major cyber security standards today, such as the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, NIST and the Business Continuity Standard ISO 22301. Implementing a CIR programme is considered best practice, so even if you are not obliged to do so by law it is strongly recommended.
What is a Cyber Incident Response?
CIR is the structured approach an organisation should follow when it is the victim of an information security breach or attack. An effective incident response strategy should set out how the organisation will manage the aftermath of a breach, and consider how damage can be limited, recovery time and costs reduced, and reputation preserved, all while the business keeps running effectively.
CIR management often requires multidisciplinary teams of experienced experts working quickly, not only to fully identify the threat but also to clean up and deal with the various third parties involved, including possible data breach victims, the authorities, the police, lawyers and regulators.
For many organisations, the most challenging part of the CIR process is accurately detecting and assessing possible cyber security incidents – determining whether an incident has occurred and, if so, the type, extent, and magnitude of the problem.
Ultimately, CIR will only work if each of the six steps outlined below is pulled together in a unified framework.
Six steps for a successful Cyber Incident Response:
1. Preparation
Preparation is key. Organisations must recognise the need for CIR and ensure there is a widely understood and well-rehearsed plan in place. This includes defining CIR roles and escalation paths, as well as interfaces with other parties. For instance, a live incident may require responders to take operational control of areas for which they do not have day-to-day management responsibility. As such, it is critical that healthy relationships are in place with the relevant internal and external parties, as these relationships will often be stressed during a live incident. It is also essential that controls are put in place allowing CIR teams access to vital data and giving them the ability to record all actions taken in response to an incident.
2. Identification
To detect an incident, an organisation needs to start from a risk assessment to determine what matters most to it, and make sure its controls can detect events affecting those assets in a timely manner. False positives must be tuned out as far as possible: operator apathy sets in even at a low rate of false alerts, which increases the risk that more serious events are not investigated at all.
3. Containment
In most cases, CIR teams should quickly isolate any compromised networked device, most often by physically disconnecting it from the network. It is equally important that evidence is preserved rather than destroyed in the process. Occasionally, deciding whether to allow an intrusion to continue while more information and evidence are gathered is itself a risky judgement call.
4. Eradication
Measures should be implemented to ensure the incident cannot continue. When there is doubt, organisations should seek to rebuild systems from known clean sources rather than, for instance, simply deleting malicious files.
5. Recovery
An organisation should seek to return to an operational state as soon as possible, and naturally this is the primary goal of any investigation. When initiating the response procedure, the "exit" state should be determined as early as possible: what is the state at which the incident has been contained and normal service is restored? Unless this state is known and agreed, the CIR process risks becoming a protracted affair in which people are diverted from their core functions for longer than necessary, costing both time and money. Recovery plans need to be tested, and the timescales within which recovery can be achieved should be communicated to the relevant parties.
6. Lessons learned
This step is essential if the organisation is to maintain situational awareness appropriate to its current environment. Controls, policies and processes may need to be reviewed and amended as a direct result of an investigation.
Don’t have the resources for an internal Cyber Incident Response team?
Not to worry, Commissum’s security experts are at your disposal to manage the entire response process from start to finish. Our experts work quickly to analyse, understand and contain the incident while preserving evidence to ensure that a sufficient investigation can be conducted using forensics to identify those responsible and gather insights to prevent such incidents from happening again.
If you’ve been affected by a cyber incident and need expert advice or assistance, get in touch.