Top 3 Most Critical Ways To Prepare For A Cyber-Security Incident
When a cybersecurity incident affects your organisation, the first few hours of the Incident Response (IR) will shape how the rest of the engagement will proceed. In this blog, I will cover the top three factors that can make an IR go smoothly if done well, and severely hamper IR efficiency when not done correctly.
Most companies need third-party professional help to respond to a cyber-security incident effectively. However, it is challenging for most to identify a trusted organisation with a qualified team of experts who can react appropriately whilst protecting sensitive corporate and attack-related information. At Digital14, we have a strong team of IR consultants that is called in to lead IR engagements on a regular basis. Our IR retainer clients have a hotline they can contact, and we get called many times each year. As such, we have plenty of experience to draw from.
Getting the following three factors right makes the difference between a quick resolution and eradication, and a longer, costlier IR without a satisfactory resolution.
1. Management buy-in
Overall, the most critical factor is C-level executive buy-in to support an IR. This is crucial because we often encounter situations where security leadership, including the CISO, technical team leads, and administrators, are hesitant to provide us with a properly filled-out IR scoping questionnaire. The IR scoping questionnaire is the single most important document: it gives your team the opportunity to share the most relevant details ahead of the project, and it enables the IR team to draw up the most effective plan of action quickly.
With C-suite cooperation and support, the rest of the organisation will provide the IR team with details without the typical hesitation and delay, allowing them to go to work using the most efficient approach. The best thing about this is that it doesn’t cost any money.
If you need help in gaining management buy-in, we can assist you. Depending on your current needs, we can help you with an Incident Response Readiness engagement, an Incident Response Plan, or Tabletop Exercises, involving all relevant stakeholders while preparing your organisation for an effective IR. The outcome of these exercises is usually a fully supportive C-suite and board.
2. An Incident Response Plan
Benjamin Franklin is quoted as saying, “If you fail to plan, you are planning to fail”. This is absolutely true of Incident Response. A solid and up-to-date Incident Response Plan (IRP) documents the phases of the incident response lifecycle. It requires looping in the relevant stakeholders to agree on:
Incident prioritisation and classification guidelines: these are essential so that only genuine security incidents are treated as such, and so that incidents matching the description are given the right priority from the start.
Roles and responsibilities: mapped-out roles and responsibilities make an IR process more effective because there is less risk of stakeholders not being aware of what they are responsible for.
A communication plan: the communication plan provides a blueprint of who needs to be contacted and when. It covers internal escalation paths, as well as an outline of how to contact a third-party IR services provider if needed. It also specifies which communication channels to use in case internal channels are suspected of being compromised and monitored by attackers.
Industry vertical compliance requirements: business sectors often have industry-specific requirements for dealing with cyber incidents. The IR team and the organisation’s stakeholders need to be aware of all relevant industry sector and national compliance requirements when it comes to dealing with incidents.
IR best practices: all stakeholders should know them and, where possible, they should be implemented before incidents happen. Some areas that should be covered as a minimum are: enforcement of appropriate controls, ensuring the IR team is properly resourced, and the preparation of network and host baselines.
Once an incident takes place, all stakeholders can refer back to the Incident Response Plan and follow the guidelines relevant to their roles.
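To make the prioritisation, classification and communication-plan points above concrete, here is an added example (not code from the Digital14 post) that turns those parts of a plan into something the on-duty analyst can actually run. The priority matrix, notification SLAs, escalation roles and channel names are all constructed placeholders; a real plan would carry the values your stakeholders agreed on.

```python
"""Added example, not from the Digital14 post: an executable sketch of the
classification, prioritisation and communication-plan guidance an
Incident Response Plan documents. Every category, SLA value, contact role
and channel name below is a constructed placeholder for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Priority matrix: (impact, urgency) -> priority, P1 highest.
# Assumed values for illustration; tune them to your own plan.
PRIORITY_MATRIX = {
    ("high", "high"): "P1", ("high", "medium"): "P2", ("high", "low"): "P2",
    ("medium", "high"): "P2", ("medium", "medium"): "P3", ("medium", "low"): "P3",
    ("low", "high"): "P3", ("low", "medium"): "P4", ("low", "low"): "P4",
}

# Time allowed to reach the first contact, in minutes (assumed SLAs).
NOTIFY_SLA_MINUTES = {"P1": 15, "P2": 60, "P3": 240, "P4": 1440}

# Communication plan: escalation path per priority, in contact order.
# The external IR provider's hotline appears only on the highest tier.
ESCALATION_PATH = {
    "P1": ["SOC lead", "CISO", "CIO", "external IR retainer hotline"],
    "P2": ["SOC lead", "CISO"],
    "P3": ["SOC lead"],
    "P4": ["SOC analyst on duty"],
}

# Channel selection: the plan names an out-of-band channel for use when
# internal channels may be read by the attacker.
INTERNAL_CHANNEL = "corporate e-mail and chat"
OUT_OF_BAND_CHANNEL = "pre-agreed phone tree on personal mobiles"

# Fixed reference time so deadlines are reproducible.
FIXED_NOW = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)


@dataclass
class Event:
    description: str
    confirmed_security_incident: bool   # outcome of classification
    impact: str                         # "low" | "medium" | "high"
    urgency: str                        # "low" | "medium" | "high"
    internal_channels_suspect: bool = False


@dataclass
class TriageResult:
    is_incident: bool
    priority: Optional[str]
    notify_by: Optional[datetime]
    contacts: List[str] = field(default_factory=list)
    channel: Optional[str] = None


def classify(event: Event, now: datetime = FIXED_NOW) -> TriageResult:
    """Apply the plan: only confirmed incidents get a priority,
    an escalation path and a notification deadline."""
    if not event.confirmed_security_incident:
        # Handled as an ordinary IT event, outside the IR process.
        return TriageResult(is_incident=False, priority=None, notify_by=None)
    key = (event.impact.lower(), event.urgency.lower())
    if key not in PRIORITY_MATRIX:
        raise ValueError(f"impact/urgency not in the plan's matrix: {key}")
    priority = PRIORITY_MATRIX[key]
    deadline = now + timedelta(minutes=NOTIFY_SLA_MINUTES[priority])
    channel = OUT_OF_BAND_CHANNEL if event.internal_channels_suspect else INTERNAL_CHANNEL
    return TriageResult(True, priority, deadline, list(ESCALATION_PATH[priority]), channel)


def format_callout(result: TriageResult) -> str:
    """Render the triage outcome as the one-line callout the analyst sends."""
    if not result.is_incident:
        return "Not a security incident; route to IT service desk."
    return (f"{result.priority}: notify {' -> '.join(result.contacts)} "
            f"via {result.channel} by {result.notify_by.isoformat()}")


if __name__ == "__main__":
    samples = [
        Event("ransomware note on file server", True, "high", "high",
              internal_channels_suspect=True),
        Event("single phishing e-mail reported, link not clicked", False, "low", "low"),
        Event("malware on one workstation, isolated by EDR", True, "medium", "low"),
    ]
    for ev in samples:
        print(f"{ev.description}: {format_callout(classify(ev))}")
```

The useful property is that the decision of which channel to use is made by the plan, not by whoever happens to be on shift: once internal channels are suspect, every contact on the path is reached out of band, which is exactly the case the communication plan exists to cover.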
For improved preparation, your Incident Response Plan must be tested periodically in the context of a tabletop exercise. This allows the organisation to progress from a plan to building muscle memory.
3. Visibility of host and network data
Another vital area for effective IR engagements is having enough visibility of host and network data. In many organisations, this is still lacking, leading to many hours being spent on manual analysis on a host-by-host basis.
For host data, many capable EDR technologies on the market give your internal security staff and external IR teams the ability to poll every host for the key information that is essential to an effective IR.
For network data, we recommend implementing a Network Security Monitoring (NSM) solution at the very least, which captures metadata and stores it for an extended period. This is relatively inexpensive to set up and will prove invaluable when the IR team is tasked with investigating a breach and may need to dig into historical network events.
Deploying the right host and network telemetry solutions requires planning and effort to roll out, and it does cost money. But if you have been breached before and have lost important business-critical information and money as a result, investments in telemetry become a lot easier to justify.
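The value of retained NSM metadata is easiest to see with the kind of question an IR team asks weeks after the fact. The following is an added example, not code from the post or from any NSM product: it parses a small, constructed connection log laid out in a Zeek conn.log-style tab-separated format (reduced field set, documentation-range addresses, invented timestamps) and answers "which internal hosts talked to this address, since when, and did any of them upload a lot of data?"

```python
"""Added example, not from the Digital14 post: retrospective queries over
NSM connection metadata, the kind an IR team runs when it has to dig into
historical network events. The log below is constructed in a Zeek
conn.log-style tab-separated layout with a reduced field set; addresses are
from documentation ranges and timestamps are invented."""
from collections import defaultdict
from typing import Dict, List

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes"]

# Constructed sample: five connections over roughly three hours.
SAMPLE_CONN_LOG = """\
1700000000.123\tC1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\t120.5\t2048\t51200
1700000060.500\tC2\t10.0.0.7\t51235\t198.51.100.20\t80\ttcp\thttp\t0.8\t512\t1024
1700003600.000\tC3\t10.0.0.5\t51300\t203.0.113.10\t443\ttcp\tssl\t3600.0\t104857600\t4096
1700007200.000\tC4\t10.0.0.9\t51400\t203.0.113.10\t443\ttcp\tssl\t5.0\t300\t700
1700010800.000\tC5\t10.0.0.7\t51500\t198.51.100.20\t80\ttcp\thttp\t1.2\t400\t900
"""


def parse_conn_log(text: str) -> List[dict]:
    """Parse tab-separated records into dicts, typing the numeric fields."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and Zeek-style '#' header lines
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = float(rec["ts"])
        rec["duration"] = float(rec["duration"])
        for f in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def hosts_talking_to(records: List[dict], indicator_ip: str) -> Dict[str, List[float]]:
    """Internal hosts that connected to the indicator, with sorted timestamps."""
    seen = defaultdict(list)
    for r in records:
        if r["resp_h"] == indicator_ip:
            seen[r["orig_h"]].append(r["ts"])
    return {h: sorted(ts) for h, ts in seen.items()}


def first_seen_ts(records: List[dict], indicator_ip: str) -> float:
    """Earliest contact with the indicator; tells you how far back to look."""
    hits = [r["ts"] for r in records if r["resp_h"] == indicator_ip]
    if not hits:
        raise LookupError(f"no connections to {indicator_ip} in retained metadata")
    return min(hits)


def large_uploads(records: List[dict], threshold_bytes: int) -> List[str]:
    """Connection uids where the internal side sent at least threshold_bytes."""
    return [r["uid"] for r in records if r["orig_bytes"] >= threshold_bytes]


def oldest_record_age_days(records: List[dict], now_ts: float) -> float:
    """How far back the retained metadata reaches, relative to now_ts."""
    return (now_ts - min(r["ts"] for r in records)) / 86400.0


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    indicator = "203.0.113.10"  # constructed indicator, documentation range
    print("hosts that reached", indicator, hosts_talking_to(recs, indicator))
    print("first seen at", first_seen_ts(recs, indicator))
    print("uploads over 50 MB:", large_uploads(recs, 50 * 1024 * 1024))
    print("retention reaches back", oldest_record_age_days(recs, 1700000000.123 + 30 * 86400), "days")
```

Note what is not needed here: no packet payloads, only per-connection metadata. That is why metadata capture is cheap to retain for months, and why it still answers the scoping questions (which hosts, since when, how much) that otherwise take hours of host-by-host work.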
Digital14 can assist you with recommendations, design and implementation of the right telemetry solutions for your organisation. We can also run a one-time or continuous threat assessment for you. In such engagements, we bring our own telemetry tools, and you can get a firsthand perspective on the types of threats that are already present in your infrastructure, and how a telemetry solution can help you identify them.
Of course, there are many more factors that can greatly improve efficiency during an Incident Response. Our next three factors are: up-to-date asset inventory, logs, and tabletop exercises.
I’ll jump into these in more detail in a future post.