How to Create an Effective Cyber Incident Response Plan
Written by: Black Kite
Cyber crime is a growing and disruptive business. Recent attacks on critical infrastructures have proved its effect is hardly scoped to the digital assets of an organization. Risk now goes beyond the business and stakeholders, now impacting millions of associates and consumers—making a cyber incident response plan more crucial than ever.
Take, for example, the recent Colonial Pipeline attack, which created fuel shortages along the east coast. Not only was the organization itself forced to pay millions to recover its stolen data, it faced widespread supply shortages, as the pipeline operator was responsible for transporting nearly half of the transport fuels for the entire region.
Following the attack, Biden signed an executive order to create a framework for improving critical infrastructure cybersecurity, encouraging the private sector to follow suit. As a result, organizations across the country are taking bold steps to supplement and unify cybersecurity efforts in order to reduce future occurrences.
The order aims to create a standardized cyber incident response playbook for federal departments and agencies. As is the case with any initiative of this magnitude, it won’t happen overnight. In order to truly optimize cybersecurity programs, each phase of the plan should be addressed separately: preparation, detection, containment, investigation and recovery.
STEP #1: PREPARATION
You don’t have to be an oil giant to find yourself on a cybercriminal’s list. Any organization can fall victim to ransomware, and preparation is the key to an effective incident response plan. As risk managers, we know to adopt a “prepare for the worst” mindset.
Too many times, however, we make the mistake of limiting ourselves by addressing only our internal threats. Threat actors are smart. They know they don’t need to bother trying to infiltrate organizations with state-of-the-art security systems when they can just gain access through their weaker links—their suppliers, vendors, or other third parties.
The proof is there. Consider the SolarWinds, Accellion and Qualys incidents. Take a look through the long (and growing) list of data breaches caused by third parties. Effective risk management requires working with your supplier ecosystem to safeguard the supply chain from top to bottom.
Which organizations pose the most risk to your organization? Find out today with a free cyber risk assessment.
STEP #2: DETECTION AND REPORTING
Cybercriminals will always look for a way in. During this stage, threat intelligence, including OSINT, becomes critical. Hackers gather intelligence and conduct reconnaissance before they attack, leveraging common internet-wide scanners such as Shodan, ZoomEye and BinaryEdge to understand a system’s critical vulnerabilities in advance.
It is common, especially among ransomware gangs, to outsource reconnaissance against a target to hired pentesters. Early-stage identification of fraudulent or phishing domains, leaked credentials, publicly visible critical ports and vulnerabilities caused by out-of-date systems can be enough to raise a red flag and prompt a proper course of action for remediation.
Black Kite makes it easier than ever to understand your network from a hacker’s perspective.
If there’s anything you take away from this, it should be the need to understand whether an event within your network suggests any unusual activity. Generally speaking, this phase focuses on security event monitoring in order to discover, notify, and report possible security incidents.
STEP #3: CONTAINMENT
Once the incident is identified, the next step is to contain the issue. The goal is to keep the breadth and scale of the incident under control. One of the most critical steps in this stage is identification and isolation of the affected systems to prevent a ripple effect.
Cyber criminals spend approximately 300 days inside a company before venturing outside the target systems. To make matters worse, it takes an average of 315 days to detect and contain a data breach caused by a malicious attack. More persistence means more damage, and raises the stakes for its victims.
Monitoring security events through firewalls, data loss prevention and correlating alerts within a SIEM solution are of great help in detecting attacks at an early stage and deploying the proper resources to thwart further damage. In fact, the average cost savings of a fully deployed, automated security system versus one without security automation is over $3.5 million.
Once the scope of the infected systems is identified, organizations tend to have three options to choose from. They can shut down the network, disconnect the system from the network while continuing to run standalone operations, or simply continue to allow the system to run as-is.
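As an added example (not Black Kite’s code or part of the original post), the following Python routine shows the kind of cross-source correlation a SIEM rule performs to identify affected hosts for isolation: events from constructed firewall, DLP and EDR log lines are grouped per host and a host is flagged when alerts from two or more sources cluster inside a short window, or when the EDR source fires at all. Log format, source names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): firewall denies, DLP blocks and
# an EDR alert, in the key=value shape many SIEMs normalize to.
SAMPLE_EVENTS = [
    "2021-06-01T10:00:05 source=firewall host=ws-17 action=deny dst=203.0.113.9:445",
    "2021-06-01T10:00:09 source=firewall host=ws-17 action=deny dst=203.0.113.9:3389",
    "2021-06-01T10:02:30 source=dlp host=ws-17 action=block file=payroll.xlsx",
    "2021-06-01T10:03:00 source=firewall host=ws-42 action=deny dst=198.51.100.7:22",
    "2021-06-01T11:30:00 source=dlp host=ws-42 action=block file=notes.txt",
    "2021-06-01T10:05:00 source=edr host=srv-db1 action=alert sig=ransom_note_written",
]


def parse_event(line):
    """Parse one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def correlate(lines, window=timedelta(minutes=10), min_sources=2):
    """Return {host: [sources]} for hosts that should be reviewed for isolation.

    A host is flagged when alerts from at least `min_sources` distinct sources
    fall inside one `window`, or when the (assumed high-severity) EDR source
    fires at all. Isolated single firewall denies or DLP blocks far apart in
    time are left alone, which keeps the noise out of the containment queue.
    """
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_host[ev["host"]].append(ev)

    flagged = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):
            # Slide a window starting at each event and collect the sources in it.
            in_window = [e for e in events[i:] if e["ts"] - first["ts"] <= window]
            sources = sorted({e["source"] for e in in_window})
            if len(sources) >= min_sources or "edr" in sources:
                flagged[host] = sources
                break
    return flagged


if __name__ == "__main__":
    for host, sources in correlate(SAMPLE_EVENTS).items():
        print(f"isolate candidate: {host} (sources: {', '.join(sources)})")
```

With the sample data, ws-17 (firewall plus DLP within three minutes) and srv-db1 (EDR alert) are flagged, while ws-42, whose two alerts are 87 minutes apart, is not unless the window is widened.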
Organizations rely on backup data in case of a cyber attack. However, if these systems are accessible from the user interface, they are most likely to be infected as well. If there is no data isolation, such as hidden drives or air gaps, backups may be deleted or infected with malware.
STEP #4: ANALYSIS AND INVESTIGATION
This diagnostic process is the initial step toward understanding what went wrong in the first place. Root-cause identification is critical to prevent similar occurrences from happening again in the future. Was it caused by a phishing email, or a credential stuffing attack, or an unpatched out-of-date system?
Forensic teams can be hired to help streamline this process. Internally, organizations should equip themselves with system logs, application logs, network logs and copies of drives. These references make it easier for teams to identify the root cause for any cyber incident.
STEP #5: RECOVERY
This stage refers to getting back to normal in terms of service restoration, as well as system and/or network validation. Essentially, it means certifying the system as operational. There’s no doubt that the aftermath of an attack can be devastating, yet the faster you detect and contain an attack, the faster you can return to business-as-usual.
An attack itself is often only the tip of the iceberg. Halting business operations, productivity losses, forensic costs, legal costs, and lost business as a result of eroded consumer trust are the major cost items in a cyber attack. Every piece of the puzzle must be considered when crafting your incident response plan.
No matter how mature your risk management program may be, today’s threat landscape has evolved. Organizations must adapt accordingly and put intelligence at the core of their cyber security framework. Start today and let Black Kite pinpoint exactly which entities pose the most risk to your organization.