Generally speaking, while organizations will focus on how to prevent a cyber incident, they may not have a plan for what to do in the event that one occurs, or understand the high cost of recovery from a breach. Reacting properly to a cyber attack is important for ensuring that business operations are not halted as a result, as well as for reducing any financial liability associated with negligent information security.
The first step in responding to cyber events is strategizing and drafting an incident response plan. Although the specific information within each plan will vary by organization, the purpose of each one is to provide a centralized point of reference to members of a firm. This is accomplished by having all of the necessary information about vendor contacts, potential scenarios and sequential action steps presented in one document.
The whole idea is that in the event there is even a possibility of a cyber incident, malicious or accidental, the designated response lead can pull out the written plan to pursue the next steps. As previously mentioned, specific information will heavily depend on the specific business; however, the sections listed below can serve as a starting point for your business.
Please note that although this can be used as a baseline for incident response planning, different organizations may require additional components for security and compliance. Be sure to consult with cybersecurity and legal experts to ensure that your organization is fully prepared.
Designated Personnel
An incident response plan should include information about the designated personnel leads: their roles, responsibilities and contact details (name, phone number, email, etc.). Regardless of the type or number of roles added to the plan, at a minimum a plan should have an Incident Response Lead.
Below are some examples of roles with responsibilities that can be included:
- Incident Response Lead: Serves as the main person/point-of-contact responsible for coordinating all incident response activities.
- Partner Coordinator: Works with the organization’s third-party technology providers such as a managed-service provider, IT management vendor, cloud services provider and/or cybersecurity service provider.
- Upper Management (Chief Security or Information Officer/IT Director): Works to coordinate with other executives and department leaders for cross-departmental activities. (Example: a financial department filing a cyber insurance claim after an incident)
- Human Resources Lead: Communicates with employees regarding the incident and handles internal questions.
- Compliance Lead: If the organization has compliance requirements for things like investigating or reporting an incident, this person would take the lead on determining and executing those requirements.
- Public Relations Coordinator: Communicates with external parties like customers, clients, partners, vendors, etc.
Third Party Incident Response Firms
In addition to documenting employees and contractors that will take various leads in the event of an incident, there should also be a section for third-party firms that can be contacted in the event of an incident. Below are some common types of third-party vendors that could be included:
- Cyber Incident Response Specialists
- Public Relations Consultants
- Law Firms
- Insurance Agencies/Carriers
Threats and Incident Classifications
To set a reference point for what a cyber incident looks like, there should be a section that lays out the definitions, classifications and methodology used to measure a cyber incident.
Incident Definitions
A universal framework used by the cybersecurity community for identifying incidents is the CIA triad for information security. It uses three elements to measure the security of information as well as systems. In the event that one of these is compromised, a cyber incident has taken place. Below are each of the elements of the triad with simplified descriptions:
- Confidentiality: Information and systems are protected from unauthorized personnel
- Integrity: Information and systems are full and accurate (unmodified)
- Availability: Information and systems are accessible to authorized personnel
A cybersecurity control or solution is designed to protect one or more of these elements, while a cyber threat is something that could compromise one or more of these elements.
Incident Classifications
Once it has been determined that an element of the CIA triad was compromised, the next thing to examine is the severity level of the incident. The severity level determines which action steps (if any) are needed to respond.
It’s important to note that severity can have a wide range. For example, an incident as minor as someone accidentally emailing a file to the wrong address counts as an incident since the “confidentiality” of that file is compromised. Below are common examples of incident level classifications:
- Low: Zero to minimal impact to the CIA triad. Zero to minimal effect on information, technology and/or network systems. No operational downtime.
- Medium: Minimal to moderate impact to the CIA triad. Minimal to moderate effect on information, technology or network systems. Zero or minimal operational downtime.
- High: Moderate to severe impact to the CIA triad. Moderate to severe effect on information, technology and/or network systems. Moderate to severe levels of operational downtime.
- Extreme: Severe impact to the CIA triad. Severe effect on information, technology and/or network systems. Severe levels of operational downtime.
Incident Response Action Steps
The majority of an incident response plan is likely going to be the section that lays out action steps to take in the event of a cyber incident. The action steps should explain chronologically and specifically what needs to be done.
Because cyber attacks and events vary so much, the response for each incident is going to differ heavily, so there should be action steps for various types of scenarios. Below are just a few types of cyber scenarios that an organization should plan action steps for:
- Network Extortion/Ransomware
- Unauthorized Access to a Network System
- Disclosure of Confidential Information (Accidental or Malicious)
- Denial of Service Attack/System Outage
- Data Corruption or Loss
An incident response plan should lay out each step by addressing various phases within an incident for each potential scenario.
Event Discovery
Steps in the event discovery phase detail what to do as soon as an incident is suspected or confirmed. Below are some common specific steps in the event discovery phase:
- “Inform [insert person or department here] of the incident and how it was discovered.”
- “Determine whether the information or system is critical to business operations.”
- “Identify the source of the incident (phishing email, downloaded malware, etc.) and notify other personnel that may be affected.”
Incident Containment
A critical phase in incident response is isolating the incident as much as possible. The incident containment phase lays out the steps that minimize the impact of a cyber incident through containment. Below are some specific examples of steps in the incident containment phase:
- “Take compromised devices offline from the network to prevent potential malware spread.”
- “Change passwords for all user and system administrator accounts.”
- “Close all ports on the firewall and/or router.”
Business Continuity
Steps in the business continuity phase are intended to make sure that business operations continue to run, or can get back to running quickly, despite a cyber incident. Below are some steps within the business continuity phase:
- “Begin the claims filing process for cyber insurance.”
- “Re-open network connection and firewall ports (if they were closed).”
- “Return any servers and systems online.”
Incident Eradication
This phase will likely occur at or around the same time as the incident containment and business continuity phases. The steps in this phase help eliminate the attack and eradicate the incident. Below are some examples of these types of steps:
- “Remove malicious applications from compromised devices.”
- “Download back-up data or patch any data found to be modified from the incident.”
- “Inform employees of eradication finalization.”
Recovery and Post-Event Steps
The aftermath of an incident is a good time to review everything that occurred and take note of lessons learned. Below are some examples of recovery and post-event steps:
- “Review forensic evidence to determine flawed safeguards.”
- “Assess the total cost (financial and operational) of the incident.”
- “Re-evaluate cybersecurity strategy and incident response plan.”
- “Schedule updated employee awareness training.”