As cyber attacks continue to rise, more companies are investing in cybersecurity, with global spending on security-related hardware, software, and services expected to exceed $151 billion by 2023. A key component of a comprehensive cybersecurity strategy is an incident response plan.
However, the 2019 Cyber Resilient Organization Study discovered that 77 percent of respondents do not have a cybersecurity incident response plan applied consistently across the organization. Additionally, 54 percent who do have an incident response plan in place do not regularly test it, making it less likely their team will respond effectively and in a timely manner.
An incident response plan is a wise investment. A recent study found that taking the proper steps to prevent an attack can save organizations up to $1.4 million per attack.
Here we take a closer look at incident response, what it can do for your organization, and what a proper plan looks like.
What is incident response and why is it important?
Incident response is “an organized approach to addressing and managing the aftermath of a security breach or cyberattack.” An “organized approach” indicates you have an incident response plan in place, outlining the steps that should be taken in the event of an attack. Obviously, that’s not always the case.
In these instances, companies often need to call upon an emergency incident response team. The right expert team will work quickly and around the clock to identify the attack, minimize the effects, contain the damage, and reduce the risk of future attacks.
But rather than waiting and then reacting, it’s wise to be as proactive as possible and have a formal incident response plan in place. Such a plan helps you identify a potential attack more quickly and ensures that you respond appropriately.
Every attack is unique. But even so, an incident response plan will prepare your team for a variety of scenarios. The faster you respond to an attack, the less your business will be damaged.
Quick and effective incident response:
- Does a very thorough investigation into all areas of the network/systems
- Coordinates efforts to identify and recover resources according to business criticality
- Remediates vulnerabilities that have been exploited
- Minimizes losses (both in terms of data and money)
- Restores business operations more quickly
- Reduces the chances of a future attack
- Preserves your reputation
The most common types of attacks include:
- Phishing—An attacker tries to trick an employee into giving them sensitive information, such as passwords. Phishing is often done through email, phone calls, or text messages.
- Ransomware—An attacker encrypts your data and demands a ransom in order to release it. In some cases, the attacker also threatens to release your data to the public if you don’t pay the ransom.
- Business Email Compromise—An attacker gains access to a business email account and sends email to other employees, clients, and partners, pretending to be the email account owner.
- Malware—A software that an attacker installs on your network or applications to cause some kind of damage.
- Distributed denial of service (DDoS)—An attacker disrupts the normal flow of traffic to a network or server by inundating it with a large volume of traffic. The resulting “traffic jam” prevents regular users from gaining access.
What does an effective incident response plan look like?
An incident response plan should be specific to your organization’s risks, but there are certain elements that should be included, regardless of your industry or size:
- The roles and responsibilities of the incident response team.
- The tools and technologies required to recover lost data and systems should a breach occur.
- The actions that should be taken in various attack scenarios and breaches (including the actions specific people should take in a given attack and when those actions should be taken).
An effective incident response plan covers six steps:
Preparation
Proper response to an attack requires planning. Everyone involved in the incident response must be prepared to handle a variety of attacks. One of the most effective ways to do this is to conduct a tabletop cybersecurity incident simulation. This includes not only IT staff, but also non-IT staff, managers, and executives who may need to take action, such as working with insurance, establishing priorities, and authorizing high-dollar expenditures for response and perhaps ransoms.
A quality Incident Response firm will already have relationships with ransomware negotiators and data recovery experts. These relationships ensure your company is prepared to deal with various types of attacks quickly and effectively.
Detection and Analysis
You may not be sure if an attack is actually occurring. Signs of an attack include:
- Suspicious/unexpected money transfer
- Suspicious/unexpected vendor account change request
- Multiple failed login attempts (brute force)
- Abnormal remote login sessions
- Unauthorized email forwarding rules
- Logins from an unfamiliar domain
- Unopenable files
- Abnormal information system behavior
- Increased quantity and quality of phishing attempts
- Duplicate Invoice complaints from multiple customers
When an incident has been identified, an alert should immediately go out. Proper detection and analysis involves:
- Analyzing email service configurations and logs
- Analyzing hardware configurations and logs
- Scanning hardware and software for malicious code
- Performing custom queries on all endpoints to identify any malicious behaviors
- Reviewing current configurations for network architecture device(s)
Containment
Once an attack has been identified, it needs to be contained as quickly as possible to minimize the damage. Containment involves such activities as:
- Monitoring tooling and your email service
- Identifying and isolating affected hardware and software
- Implementing white and black lists to prevent attacker activity
- Resetting passwords
Containment requires your team to gather data on the affected systems and perform an in-depth analysis to determine how the attacker gained entry, a timeline of the attack, and the scope of the attack’s impact.
Eradication
It is important to locate the cause of the incident, so it can be removed from the affected network or application. This often requires:
- Implementing policies to prevent malicious binaries from executing
- Remediating malicious binaries
- Rebuilding and reimaging machines and bringing them back onto the network.
- Removing hardware that has been infected and cannot be restored
Recovery
The impacted systems can be released back into production once the affected network components have been either cleared or replaced. A final check should be performed to make sure there are no remaining threats.
Post-mortem
All security incidents should be documented. This information can then be analyzed and used to improve your defenses against future attacks and improve your overall incident response program.
Similar to many other plans in your organization, incident response requires planning and guidance. An incident response management process should be created.
The incident response management program should:
- Provide oversight during the creation and maintenance of the incident response plan.
- Identify metrics that can be used to measure the effectiveness of incident response over time. Metrics may include the number of incidents identified and missed, recurring incidents, and remediation time.
- Ensure the incident response is tested on a regular basis to make sure each person knows their responsibilities and how to carry them out, and that the measures taken are effective.
- Regularly review the incident response plan to look for areas of improvement or new attack vectors that need to be addressed.
- Identify new tools and technologies that can help the organization improve cybersecurity.
There are also non-technical aspects of an attack that must be considered. An example is whether or not to pay a ransom being demanded. While we generally don’t recommend paying a ransom, there may be situations in which payment is unavoidable. In these cases, it’s important to work with a reputable negotiator to ensure a positive outcome.
Given all that goes into an effective incident response plan, most organizations choose to hire an external third party to provide these services. Many organizations also purchase cybersecurity insurance to help cover the costs of an attack. We recommend that all organizations obtain coverage. When researching insurance providers, it’s important to find out exactly what types of attacks are covered and the type of coverage provided in the event an incident should occur.
If you are the victim of an attack, the insurance provider will connect you with a panel incident response firm. While this can help, it’s not aimed at getting your business back up and running, and response times are often slow. When an attack occurs, you can’t afford to wait even 24 hours to act. Panel firms focus on the forensics side of the attack—identifying how the attacker gained access and what was compromised. They are not focused on remediation—minimizing the damage and taking the required steps to prevent a future attack.
A team of cybersecurity experts that has deep knowledge and experience in preventing and remediating attacks brings the remediation objective to the forefront, and the costs are usually covered by a proper cybersecurity insurance policy. When you have insurance, you can reach out to an expert team that can respond immediately. You don’t have to wait for the panel firm to act, you get the remediation you need to survive, and you know you will be covered.
When an attack occurs, the first steps you take (and how quickly you take them) are critical to your survival. An incident response plan prepares you for an attack, so you can be confident you will take the appropriate action to quickly and effectively defend your network and applications.
