Incident Response: Cyber Crisis Proficiency is Vital
Companies are increasingly of the mindset that a cyber breach is not a matter of ‘if’ but rather ‘when’. While every organisation continues to strive towards perimeter security and breach prevention, cyber breaches are now considered inevitable by most. The advent of ransomware, coupled with seismic growth in threat vector scale and frequency, increasingly mean that cyber attacks have the potential to pose an existential risk - to even the largest enterprises. While COVID-19 was cited as a factor in its collapse into administration, the cyber attack that preceded the pandemic actually inflicted a mortal wound on Travelex. Sadly, such instances of business closures due to cyber attacks are expected to be more common place in years to come.
The impact of a cyber incident depends heavily on an organisation’s ability to respond to, manage and contain a cyber attack. This makes incident preparedness and response critical to the cyber defenses of all businesses. Yet, incident response is also any area that many organisations are found to be considerably lacking in. According to Deloitte, most organisation lack the resources to develop and maintain the necessary cyber incident response capabilities in-house. Companies continue to be more focused on preventing a breach than responding to it – despite the inevitability of a breach occurring.
“Deficiencies in NIST controls pertaining to incident response is actually a recurring theme amongst Exagenica’s Delta RQ cyber risk clients.”
Preparedness Needs a Response Plan
Planning to respond to a cyber incident feels somewhat like an oxymoron. Every threat vector is different. The bad actors involved are equally unpredictable. Though an incident response plan is a vital part of incident preparedness. Both the SANS Institute and NIST Frameworks have slightly differing approaches to incident response planning – 6 steps and 5 steps respectively. Both cyber security standards comprise the same key plan components and the same flow. Though each has slightly different verbiage and clustering. The SANS Institute approach as an example, comprises the following key incident response plan phases which are executed sequentially:
Preparation: The definition of cyber response policies, procedures and an over-arching strategy which collectively form a plan for responding to cyber incidents. This phase includes defining incident response teams, tooling, system access and crisis communication methods – in addition to ensuring that all stakeholders receive the necessary training.
Identification: Combining everything from threat intelligence, machine data and intrusion detection systems to firewalls and deception technologies, this phase seeks to identify a cyber incident has occurred and gather information on its composition.
Containment: Damage limitation is the focus of this phase. Once an incident has been identified and reconnaissance completed, the incident response team are fully engaged and all stakeholders work collectively to contain the cyber attack - according to the incident response plan protocols.
Eradication: This phase aims to eradicate the cyber threat completely from the environment and may include the removal of affected systems or data. Prior to full system recovery any affected systems may be restored to a safe environment like a Sandbox – to demonstrate eradication is complete.
Recovery: The careful return of affected systems into the production environment without leading to another cyber incident. Systems are carefully monitored to validate that no residual issues remain.
Lessons Learned: This phase focuses on completing any documentation that remains outstanding from the incident, in addition to creating a report which forms a detailed, play-by-play account of the incident. An evaluation of incident response effectiveness is undertaken and final analysis of performance detailed in the report. Lessons learned phase includes making any recommendations on changes to incident response procedures, strategies or systems as well as training required to better mitigate cyber attacks in the future.
An inability to allocate sufficient resources to incident response planning is a common issue for most organisations, which in the current climate leaves them highly vulnerable. For larger information security teams, the resource effort involved in developing a rigorous response plan is still quite intensive. Smaller organisations however often struggle to allocate sufficient time to the creation of plans.
Attack Mitigation Requires a Skilled Team
A cyber incident can consume a considerable amount of time and organisational resources. It goes without saying that when it comes to a cyber attack, time is very much of the essence. The greater the dwell time a rogue actor is permitted inside the perimeter, the more damage they can ultimately do. Formulating an incident response plan is in some respects, the easy part. Relatively speaking of course. Executing said plan is a considerably more perilous undertaking with very little room for error.
Responding to an incident proficiently is an extremely specialised area that also requires the correct tooling and threat intelligence. Effective cyber incident response contains the time, customer and financial impacts of a cyber attack expediently - in addition to those associated with reputation and incident recovery. Deploying an inexperienced incident response team is a gamble that no organisation should ever entertain. A poor, uncoordinated response to a cyber incident can itself cause a crisis. It’s imperative that every business assess their incident response capabilities honestly. Failing to do so can have significant implications.
Hybrid Cyber Crisis Management Models
Recognising the incident response challenge faced by our clients, Exagenica partners with Check Point to provide outsourced and co-sourced models of cyber crisis management. Our incident response services span cyber crisis planning, attack mitigation and threat and compromise assessments through to post-incident forensics. Find out more on Exagenica’s Incident Response Services and how they can assist your organisation in achieving cyber crisis proficiency.