How To Develop A Cyber Security Incident Response Plan

Few things can be more damaging to an enterprise than a cybersecurity incident. Data leaks, malware, or any other type of incident demand a meticulously planned response, with an internal review, a public statement, and a thorough investigation all accounted for. Here are some things to consider before developing a cyber security incident response plan, why it's important, and some mistakes to look out for.

Learn more about how to protect against and respond to cybersecurity incidents with Symmetry Systems’ Cyber Security Incident Response: The Ultimate Guide.

Creating a Cyber Security Incident Response Plan

Cyber security incidents are on the rise. According to Security Magazine, 92% of data breaches in the first quarter of 2022 were due to cyber attacks, and this is the third consecutive year that the raw number of attacks has grown. This means that having a procedure in place in case of an incident is more important than ever.

While there’s no one-size-fits-all solution, the National Institute of Standards and Technology has developed a guide that will show you the foundational principles. Called the Computer Security Incident Handling Guide, the comprehensive document contains many of the finer points to consider when creating a cyber security incident response plan.

Preparation

Incident handlers should have the resources they need to communicate openly and efficiently. Analyze case studies for various high-profile cases, identifying the means by which they took place and how they were responded to. Use this information to inform your own process for discovering patterns, online communication, assembling a response team, and creating contingencies for a range of incidents. The greater number of resources you have available, the smaller the impact that an incident will have on your business.

Detection & Analysis

NIST defines two kinds of signs of a cyber security incident: precursors and indicators. A precursor is an early sign that an incident may occur in the future, while an indicator shows that one may already have occurred. Precursors are rare and difficult to detect, but include announcements from the offending party and web server logs showing that a vulnerability scanner was used. Indicators may include antivirus alerts, a network intrusion detection alert, or a host record showing that the auditing configuration was changed.

Cyber security incident analysis is at the mercy of false positives. Every indicator needs to be carefully analyzed to determine whether it's legitimate, and even a legitimate indicator may not amount to a full-fledged breach. Most incidents don't produce indicators that are easy to spot, and each one needs to be worked through the same exhaustive process so that it isn't missed or repeated. Automated systems can detect a data security breach, but your cyber security incident response plan should also include a team of specialists capable of performing analysis. During this process, the team will look for unusual behaviors, profile normal behaviors so deviations stand out, create a log retention policy to preserve evidence of the attack, and perform event correlation to capture data about the breach's origins.
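The precursor/indicator distinction and the event correlation step above, as an added example that is not part of the original post or of any Symmetry Systems product: a small correlator that classifies constructed log lines by the NIST sign class and escalates a host where an indicator follows a precursor within a time window. The log format, hosts and patterns are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), one record per line:
# "<ISO timestamp> <source> <host> <message>"
SAMPLE_EVENTS = """\
2024-05-01T09:02:11 weblog web01 GET /admin/ 404 "Mozilla/5.0 (Nikto/2.1.6)"
2024-05-01T09:03:40 weblog web01 GET /login 200 "Mozilla/5.0 (Windows NT 10.0)"
2024-05-01T10:15:05 nids web01 ALERT ET WEB_SERVER Possible SQL Injection Attempt
2024-05-01T10:16:30 auditd web01 CONFIG_CHANGE auid=1000 op=remove_rule key=exec-log
2024-05-01T11:00:00 av ws17 Quarantined file invoice.exe (Trojan.Generic)
""".splitlines()

# Patterns mapping a raw message to a NIST sign class (assumed for the example).
# Precursor: a sign an incident may occur later (e.g. a vulnerability scanner in web logs).
# Indicator: a sign an incident may already have occurred (NIDS alert, audit config change, AV hit).
PRECURSOR_PATTERNS = [r"nikto", r"nmap", r"sqlmap", r"masscan"]
INDICATOR_PATTERNS = [r"^ALERT ", r"CONFIG_CHANGE", r"Quarantined"]


def classify(line):
    """Return (timestamp, host, kind, message); kind is 'precursor', 'indicator' or None."""
    ts, source, host, msg = line.split(" ", 3)
    kind = None
    if source == "weblog" and any(re.search(p, msg, re.I) for p in PRECURSOR_PATTERNS):
        kind = "precursor"
    elif any(re.search(p, msg) for p in INDICATOR_PATTERNS):
        kind = "indicator"
    return datetime.fromisoformat(ts), host, kind, msg


def correlate(lines, window=timedelta(hours=2)):
    """Group classified events per host; escalate when an indicator follows a precursor within `window`."""
    by_host = defaultdict(list)
    for line in lines:
        ts, host, kind, msg = classify(line)
        if kind:  # drop benign lines that matched neither class
            by_host[host].append((ts, kind, msg))
    findings = {}
    for host, events in by_host.items():
        precursors = [e for e in events if e[1] == "precursor"]
        indicators = [e for e in events if e[1] == "indicator"]
        escalate = any(timedelta(0) <= i[0] - p[0] <= window
                       for p in precursors for i in indicators)
        findings[host] = {"precursors": len(precursors),
                          "indicators": len(indicators), "escalate": escalate}
    return findings
```

Running `correlate(SAMPLE_EVENTS)` escalates web01 (scanner precursor followed by a NIDS alert and an audit rule removal) while ws17, with a lone antivirus indicator, is reported but not escalated.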

Containment, Eradication, and Recovery

Each cyber security incident response plan should have procedures in place to document and preserve evidence of the incident, estimate the time and resources that will be necessary during the containment process, and set a duration for the interim solution (i.e. how long a workaround for issues created by the incident will remain in place). Note that containment itself can cause some additional damage, depending on the type of incident that has occurred.

Eradication and recovery entail identifying any potential residual issues caused by the cyber security incident, closing vulnerabilities, disabling breached accounts, and solving any other issues within the host that need to be addressed. In some instances, eradication will be addressed during the recovery process, which should be performed in a phased approach so that remediation steps are prioritized.

Post-Incident Activity

The final step of a successful cyber security incident response plan is to reflect. What caused the initial breach? What higher-level procedures need to be put in place to stop such incidents from happening again? Companies respond to each question in different ways, but finding the root of the problem, addressing it, and moving forward is crucial. One solid next step for nearly any company that doesn’t already have one is building a Zero Trust network framework. In any case, failure to make meaningful changes may lead to similar breaches in the future.

Issuing a Statement After a Cyber Security Incident

Don’t let your clients find out about a cyber security incident months after it occurs. Yes, an incident is going to be damaging to your company’s reputation to some degree, but it will be far worse if you fail to inform them directly. Failing to report incidents, specifically data breaches, is at best disingenuous, and at worst a crime under new GDPR regulations if the cyber security incident contains customers’ personal data. Some states have created databases to document cybersecurity breaches, which companies can also use as a framework for how best to inform clients of the time, nature, and extent of a cyber security incident once it has taken place. Employees should also be informed about incidents as early in the communication process as possible.

Precautionary Cyber Security Incident Steps

While there’s no guaranteed way to stop cyber attacks from affecting your company, modern solutions extend far beyond stopgaps. Data security companies can help ensure that your information is protected, giving you more peace of mind about potential breaches. Symmetry System’s DataGuard platform does just that, giving corporations a direct line of sight into all their data, recommended next steps for cyber security and compliance risks, and an ongoing detection and response service. Contact us today to learn more.