How to Properly Handle Cyber Security Incident Management

By Chris Debigh-White, Chief Security Officer at Next DLP

The majority of security experts adhere to the “assume breach” paradigm, which recognizes the possibility, if not the inevitability, of an attacker gaining access to an organization. This breach could occur through various means, such as unpatched vulnerabilities, phishing attacks, insider threats, or the exploitation of the billions of stolen credentials harvested from previous breaches.

With the “assume breach” mindset, a defender’s primary objective is to detect and mitigate these breaches as quickly as possible. According to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach was $4.45 million ($4.9 million if the attack was by a malicious insider). Breaches identified and contained within 200 days of the initial breach cost organizations over $1 million less than those that required more than 200 days. The longer a breach takes to address, the greater the damage and financial impact on an organization.

The same IBM report found that organizations that have a formal and regularly rehearsed incident response plan (IR plan) could detect breaches 54 days sooner than those without any plan. Moreover, organizations with robust IR planning and testing procedures were able to reduce the costs associated with a breach by over 34%.

Defining an Incident Response Plan

An IR plan is a documented approach to address and manage cybersecurity incidents or attacks. A well-defined IR plan outlines the roles, responsibilities, and procedures to be followed during an incident, enabling a coordinated and efficient response. It includes identifying, investigating, mitigating, and recovering from data breaches, cyberattacks, or any unauthorized activity that threatens data and systems.

Cybersecurity Incident Response

One well-recognized process for incident response and management is the ISO/IEC 27035 standard, which defines five steps: preparation, detection and reporting, assessment and decision-making, response, and lessons learned. It’s important that organizations take it a step further and dive more deeply into each recommended step:

  1. Preparation

The cornerstone of a strong IR plan lies in thorough preparation. This phase includes the formation of a dedicated, clearly defined IR team, along with the allocation of all necessary resources. Regular drills and training sessions are vital in maintaining the team’s preparedness, with activities like simulated phishing attacks to uncover potential weaknesses and enhance the team’s capability to respond effectively.


Adopting best practices in preparation involves comprehensive documentation of the organization’s network infrastructure and compiling a detailed inventory of vital assets. Setting up communication pathways with pertinent stakeholders, including legal departments, public relations teams, and law enforcement agencies, is also imperative. Furthermore, it is advisable to build relationships with external incident response specialists who can provide additional expertise when the organization confronts complex cyber security challenges.


  2. The Detection and Identification Phase

The primary goal of detection and identification is to swiftly pinpoint potential security incidents, supported by tools such as intrusion detection systems (IDS) and security information and event management (SIEM) platforms. Additionally, data loss prevention (DLP) and insider threat management tools observe and analyze all actions taken with data to identify and confirm activity that could put sensitive data at risk.


Once these tools generate alerts based on predefined rules or anomalous behavior, security teams gather relevant evidence, such as log files, network traffic data, and system snapshots, and analyze the situation to determine the scope and severity of the incident.
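To make the two kinds of alerting mentioned above concrete, here is an added example (not code from the article or from Next DLP) that runs one predefined rule and one baseline-based anomaly check over a handful of constructed log lines. The log format, the user names and IP addresses, the per-user upload baselines, and the thresholds (five failures in ten minutes, three times the upload baseline) are all assumptions made for the example, not figures taken from the article.

```python
"""Added example (not from the article or Next DLP): two SIEM-style detections
run over constructed log lines to show how predefined rules and anomaly
baselines turn raw logs into alerts an IR team can triage.

Assumptions (not on the page): the log format below is invented for the
example; the thresholds (5 failures in 10 minutes, 3x upload baseline) are
illustrative policy values, not recommendations from the article.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs: "<ISO timestamp> <event> user=<u> src=<ip> [bytes=<n>]"
SAMPLE_LOGS = """\
2024-03-01T09:00:01 auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:05 auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:09 auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:14 auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:20 auth_fail user=alice src=203.0.113.7
2024-03-01T09:00:31 auth_ok user=alice src=203.0.113.7
2024-03-01T09:05:00 auth_fail user=bob src=198.51.100.4
2024-03-01T09:40:00 auth_ok user=bob src=198.51.100.4
2024-03-01T10:00:00 upload user=bob src=198.51.100.4 bytes=40000000
2024-03-01T10:02:00 upload user=carol src=192.0.2.9 bytes=500000
2024-03-01T10:03:00 upload user=carol src=192.0.2.9 bytes=700000
"""

# Constructed per-user daily upload baselines (bytes), e.g. a 30-day average.
UPLOAD_BASELINE = {"alice": 2_000_000, "bob": 3_000_000, "carol": 1_000_000}


def parse_line(line):
    """Parse one constructed log line into a dict; return None if unparseable."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    event = {"ts": ts, "event": parts[1]}
    for kv in parts[2:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def detect_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Predefined rule: at least `threshold` auth_fail events from one source
    for one user inside `window`, followed by an auth_ok for the same pair.
    Returns a list of alert dicts."""
    fails = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in events:
        key = (ev.get("user"), ev.get("src"))
        recent = fails[key]
        # Drop failures that have aged out of the sliding window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["event"] == "auth_fail":
            recent.append(ev["ts"])
        elif ev["event"] == "auth_ok" and len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "user": key[0],
                           "src": key[1], "failures": len(recent), "ts": ev["ts"]})
            recent.clear()
    return alerts


def detect_upload_anomaly(events, baseline, factor=3.0):
    """Anomaly check: a user's total uploaded bytes exceed `factor` times their
    baseline. A user with no baseline (0) is flagged on any upload."""
    totals = defaultdict(int)
    for ev in events:
        if ev["event"] == "upload":
            totals[ev["user"]] += int(ev.get("bytes", 0))
    return [{"rule": "upload_volume_anomaly", "user": user, "bytes": total,
             "baseline": baseline.get(user, 0)}
            for user, total in sorted(totals.items())
            if total > factor * baseline.get(user, 0)]


def run_detections(raw_logs=SAMPLE_LOGS, baseline=UPLOAD_BASELINE):
    """Parse the logs and return all alerts from both detections, rule alerts first."""
    events = [e for e in map(parse_line, raw_logs.splitlines()) if e]
    return detect_brute_force(events) + detect_upload_anomaly(events, baseline)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Run as a script, this prints one alert for alice (five failures then a success from the same source) and one for bob (40 MB uploaded against a 3 MB baseline), while bob's single failed login and carol's modest uploads stay quiet. Each alert carries the user, source and timestamp an analyst needs to pull the log files, traffic captures and snapshots that scope the incident.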


  3. The Containment Phase

In the containment phase, isolating affected systems is vital to mitigate further damage. This requires an in-depth understanding of the network architecture, system interdependencies, and established protocols for swift isolation, like network disconnection or account deactivation. Utilizing data protection tools enhances this process, enabling organizations to disconnect devices, terminate user sessions, capture evidence, block uploads, and halt harmful processes, thereby effectively safeguarding against the escalation of the incident.


  4. The Eradication Phase

It’s imperative to remove all forms of malware, backdoors, and unauthorized access. This often requires system restoration from clean backups or the application of security patches. Documenting each action for future analysis is crucial. Given the persistence of sophisticated attackers, this stage includes identifying the root cause of the breach.


  5. The Recovery Phase

In the post-incident recovery phase, the focus is on restoring affected systems and resuming normal operations, which includes validating system integrity, ensuring data availability, and thorough testing before reintegration. Effective recovery entails prioritizing critical systems, setting clear recovery time objectives (RTOs), and regular data backups to minimize downtime. Comprehensive testing and monitoring are crucial to address residual issues and reduce future risks. Concurrently, transparent communication with stakeholders about recovery progress and timelines is essential for maintaining trust and clarity.


  6. The Reflection/Learning Phase

The final step of an incident response plan is to conduct a detailed post-incident analysis and document the lessons learned to identify ways in which the IR process and overall security of a company can be improved. This does not mean pointing fingers and assigning blame. Reflection involves the response team thoroughly investigating the breach, assessing the affected data or assets, and evaluating the extent of the damage. Such analysis is crucial for identifying gaps in the response process and determining improvement areas, and it requires the involvement of all relevant stakeholders, including the response team, IT personnel, and management. Additionally, the psychological safety of all participants is paramount in order to ensure that this phase is not just a tick-box exercise.


Thorough incident response documentation, encompassing all actions and timelines, is vital for future reference, compliance, and plan enhancement. Regular updates and reviews of the incident response plan, integrating these insights, are essential to ensure ongoing effectiveness. Organizations must respond promptly to incidents, with a well-crafted playbook of policies and processes and regular practice drills to ensure teams are well-versed in the required actions, including incident categorization and reporting protocols.


Incident Response Goes Beyond the Security Team

Effective cybersecurity incident response is not solely the responsibility of information security teams. Incident response teams require a coordinated effort across multiple disciplines in an organization, depending on the type of attack. Those outside of the organization, like customers, law enforcement, and service providers will play a big part too. While security teams will confirm the attack and recommend remediation activities, legal will guide data breach notification requirements, compliance with data protection laws, and potential liabilities. HR will work with legal and management to plan internal responses when considering insider threats. Per your IR Plan, each participant and their teams will have specific responsibilities that are essential to have practiced prior to an incident.


Must-Haves for Effective Incident Response

Incident response plans will vary depending on the affected assets, organizational resources, and regulatory requirements, but a few core pieces will always be necessary. Training will always be the most effective first line of defense and practice makes perfect in incident response. Additionally, teams must never forget to consider insider threats while constantly testing containment capabilities.


In the event of a breach, always collect data for investigations. Adequate logging and monitoring are paramount to the availability of this data; if they are not in place, there will be nothing to collect. This should be addressed in the preparation phase and reflected upon in the lessons learned phase by conducting post-mortem reviews and assessments to identify areas of improvement.


For security teams and the entire organization, having an IR plan in place, and regularly testing and improving upon that plan, is what every organization should do regardless of the potential costs of a breach. By combining an organization-wide incident response team with a well-coordinated IR plan, companies can actively reduce the impacts of data breaches.