Cyber Essentials #6 – It happened… now what? – Incident Response


As stressful as it is, in case of reasonable suspicion, assume that a break-in has occurred and start remediation. Relying on hope is the worst possible cybersecurity strategy. Plan, prepare and conduct cyberattack and incident exercises as you would fire drills. This involves planning both the technical actions on your systems and the communication inside and outside the company. The staff must know who is to do what, and in what order, under enormous time pressure.

  1. Define the roles and responsibilities for incident response and for data and infrastructure recovery, and test them often. Incident response is primarily focused on protecting your information assets, while disaster recovery is focused on business continuity. After developing the plan, test it in a simulation (“war-gaming”) in which the people holding specific roles in the process actually exercise those roles. This ensures that a real attack will not be the first test of your process.
  2. Use Business Impact Analysis (BIA) to prioritize resources and determine which systems need to be recovered first. BIA helps you identify and prioritize critical systems, information and assets. The result defines contingency requirements and priorities for critical information and services. It also lets you plan for the effects of disruptions and determine acceptable downtime. Purpose: prioritized response and recovery.
  3. Find out who you can turn to for help. Typically these are third-party partners, suppliers, government or industry bodies, your technical department and, of course, law enforcement. Identify and document the partners you will need help from as part of Incident Response, Disaster Recovery and Business Continuity. Document the resources and guidance on when, how and to whom an incident should be reported in order to get help.
  4. Drive the development of an internal reporting structure to detect, communicate and contain attacks. Effective communication plans focus on the problems specific to security breaches. Standard reporting procedures reduce confusion and conflicting information between management, employees and stakeholders. Communication should be continuous, as most data breaches unfold over a long period of time rather than all at once. Communication towards stakeholders should come from top management, to show commitment to action and knowledge of the situation.
  5. Take advantage of mitigation measures to limit the impact of cyber incidents. Communicate and implement the containment steps from your incident response plan, such as isolating a network segment, blocking infected workstations, or shutting down production servers and redirecting traffic to backup systems; in the worst case, a full system shutdown. After the incident has been resolved, test the systems to make sure they are up and running and securely configured. Learn from your mistakes: after each incident, conduct a retrospective session, the so-called Lessons Learned. This will allow you to optimize your response in the future.

No matter how you prepare, due to the level of complexity you can only minimize losses – avoiding them is practically impossible. The two key conclusions are:

  1. The more you invest in security processes and solutions:
    • the harder it will be for someone to infect your network or steal your data;

    • the faster your team will detect the incident and start the remediation procedure.

  2. Practice is invaluable – don’t let a real incident be the testing ground for your team. The results can be catastrophic. Everyone needs to know what they are responsible for and how to do it – in practice, not just in theory.

As specialists in vulnerability scanning and penetration testing, we help our clients notice gaps in their processes and address them accordingly. The number of organizations we work with allows us to identify key trends, and deviations from them, specific to particular industries.

Get in touch if you want to know more.
