What Your Business Must Know About Incident Response
Your business must be prepared for potential cyber attacks. They happen constantly and affect all companies in all industries that have computers and computer networks. They affect all businesses that use the internet.
Cyber attacks affect all possible network configurations, whether you just have a small LAN and a cloud network, or whether your business has a data center on-premises. If you have computers and ways to transmit data to and from those computers, cyber-attacks should be a concern for your business. The financial impact of something like a ransomware attack, data breach, or spyware can be devastating. This could cost your business millions in lost productivity, lost clientele, litigation, and reputational damage. So investing time and money in cybersecurity is always worthwhile.
It’s good to harden the security of your computers and networks as much as you reasonably can. However, you also must be ready for incident response, as cyber attacks are inevitable. Our buildings comply with fire code, and a sensible adult would never leave a burning candle or baking stove unattended. That’s all well and good, but you should also have working smoke detectors, fire extinguishers, and know how to call 911 to summon the fire department just in case. For the same reasons, your organization must be prepared for incident response in case cyber attacks occur. So I’m here to sum up the basics of cybersecurity incident response for you!
Incident Response, or IR for short, is your organization’s methodology for responding to cyber-attacks and other cyber incidents. Ideally, your company should designate an IR team, with a specific role delegated to each person. These will usually be people in your IT department, but should include key stakeholders from each department. Depending on your Cyber maturity, it is usually advisable to have a Security Consultant as part of the team. Most companies do not have the expertise needed to deal with anything other than a low level incident. Usually you will need a contracted security firm to deal with the initial response, mitigation, and containment, and further investigate after the incident. It is preferable to have this relationship established prior to an incident.
Your organization must be aware of the various types of cyber incidents that may occur and have specific plans for detecting and responding to each type of them.
The National Institute of Standards and Technology (NIST) has recommendations for the different steps that are involved in every effective cyber incident response. They are defined in NIST’s Computer Security Incident Handling Guide. I’ll summarize each of them in the following.
The first step is preparation. It may not be your IR team’s responsibility to prevent cyber attacks, but your team must be prepared to respond to them. So the first step should be in place before any incidents occur.
Know who to contact when an incident is detected. Every member of your IR team should have that information. These people are often network administrators, Chief Information Security Officers, Chief Technology Officers, law enforcement, Managed Service Providers, Security Operations Centers, whichever is applicable to your organization and the incident. IR team members and any parties that must be contacted when an incident is discovered should be able to communicate with each other and act quickly. Make sure that any devices on your networks that can be logged have logs. Make sure intrusion detection systems, firewalls, antimalware, and security information and event management systems (SIEM) or Loge Event Manager (LEM) are working and in place; however, they may be applicable. That’ll assure that if an incident occurs, it can be detected and responded to quickly. Make sure you have documentation for all of the hardware, software, network devices, and cloud platforms your organization uses. You should also make sure that people in your organization know how to report incidents, and that some people in your IR team have administrative access to your various systems. All while being mindful of the principle of least privilege, of course. Also,make sure everyone involved has specific security training, with periodic refreshers and reminders.
The next step is detection and analysis. The detection systems you’ve prepared in the previous step will detect an anomaly in network behavior, a data breach, malware, or some other sort of indication of compromise. The anomaly should be investigated as to whether or not it’s a false positive (which very often happens!). However, if it’s a true positive, further analysis should be done to understand its nature, implications, and source. Where did the incident come from?
There are various ways and means of detecting and analyzing cyber incidents, including but not limited to human beings observing suspicious activity, SIEM alerts, alerts from other types of security solutions, anti-malware, file integrity checking software, data loss prevention systems, and logs pertaining to user behavior, applications, cloud services, external storage, memory, network devices, and operating systems,
The third step is containment, eradication, and recovery. So you’ve found the metaphorical fire. Now it’s time to make sure that the fire is extinguished so it doesn’t spread!
Many types of incidents, such as malware and data breaches, can be contained. Your containment strategies will be different for each type of cyber attack. Within the containment process, you may have to shut down or disconnect network segments or particular computers, disable certain functions or user accounts, or redirect a cyber attack to a sandbox or honeypot.
Evidence needs to be gathered which can be used to investigate an incident in the following step. Who handled the evidence? Which logs pertain to the incident? What’s the pertinent identification information, such as IP addresses, MAC addresses, user accounts, serial numbers, or hostnames?
The sources of the incident may need to be eradicated, such as particular applications, user accounts, or malicious files.
Then you must recover from the incident. Restore systems to normal operation. Restore data from backups. Change passwords or other means of authentication. Install patches. Reconfigure firewalls. Do everything that applies to the particular nature of the incident.
The final step is the post-incident activity. You may hire an outside security firm to help investigate what happened and how similar incidents can be prevented in the future. Either way, members of your IR team must have a “lessons learned” meeting to prevent similar incidents in the future and perhaps to also improve your incident response procedures. What happened, and when? How did the incident happen? What were the vulnerabilities and exploits that were involved? How can your computers and networks be better security-hardened? Do any policies or procedures need to be improved? Does your staff need more security training?
If the general public finds out about a significant cyber incident, it could hurt your company’s profitability down the road. You may need to consult with media or public relations specialists. To be better prepared for potential litigation, you may need to involve lawyers who have experience in digital rights, technology law, and business law.
Your organization should research further into preparing incident response teams and procedures that are specifically suitable for your situation. But hopefully, this guide will get you started in your journey to becoming well prepared for incident response.
Corporate Information Technologies provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. Corporate Information Technologies can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.