Cyber security incident response plans require frequent workouts if they are to be fit for purpose.
Businesses are more aware than ever of how cybercrime can impact their reputation and their bottom line. Regular reports such as the Verizon Data Breach Investigations Report and the NCSC Incident Trends Report continue to flag those cyber-threats and trends that should be on every organization’s radar.
However, while knowledge is essential to an understanding of vulnerabilities and the cyber-threat landscape, being prepared to deal with a cyber-security incident requires an approach that is highly organised. Frequently this is delivered in the form of an Incident Response (IR) plan.
The six phases of incident response
Typically there are six phases that every IR plan should contain:
- Planning and preparation. Organisations should start by creating a set of IR plans for different types and severities of cyber-security incident. These plans should name key internal stakeholders such as organisational leaders and owners, plus functional specialists such as marketing and HR. In addition, each plan needs to include the appropriate third parties, such as specialist IT and communications support, insurance companies and, if appropriate, regulators.
- Detection and validation. When an incident is detected, there will be a need to classify it by severity level and source so that appropriate plans can be initiated.
- Containment and eradication. Once the appropriate plan has been initiated, the focus should be on containing and eradicating cyber-security threats. In addition, there will be a need to ensure appropriate communication internally, and possibly externally depending on the nature of the incident.
- Collection and analysis. Once containment has been achieved, the focus shifts to collecting and analysing evidence that can shed light on the cyber-security incident, assist with recovery, and strengthen remediation and recovery activities in any future incidents.
- Remediation and recovery. With the required data collected and analysed, remediation and recovery measures can be taken that will ensure normal operations are restored as quickly as possible.
- Assessment and adjustment. The final phase is a learning phase where lessons learned from the incident are fed back into the IR plan to improve cyber-security metrics, controls and practices.
Keeping plans alive
But IR plans are not always the saviours they are meant to be. As Bryan Sartin, Executive Director, Verizon Global Security Services, puts it: “Companies think that having an IR plan on file means they are prepared for a cyber-attack. But often these plans haven’t been touched, updated or practiced in years and are not cyber-incident-ready.”
The reality is that having an out-of-date plan is just as bad as having no plan at all. IR plans need to be treated as “living documents”, regularly updated. And breach scenarios need to be practised in order for them to be truly effective.
In a world of fast-changing technology, keeping plans up to date is difficult. John Grim from the Verizon Threat Research Advisory Center advises that “IR plans can be kept current by including stakeholder feedback, lessons learned from breach simulation testing, and intelligence insights on the latest cyber-tactics being used. This enables the plan to constantly re-create itself reflecting the ever-changing cyber-security landscape.”
But even up-to-date plans are useless if they are not practised. A huge 60% of organisations fail to practise their incident response plans, meaning that when an incident happens there is almost inevitably confusion about roles and actions, and delays in implementing the necessary remediating actions.
Organisations carry out fire drills because doing so means that in the event of a fire people are less likely to panic and more likely to know what to do. Practising plans also means they can be tested: if you don’t practise them how will you know if there are conflicts or areas that are unclear or that simply don’t work?
Cyber security incident response plans are not so very different from fire evacuation plans in this respect. Verizon put it like this: Be Prepared, Be Proactive and Practise, Practise, Practise.
The Verizon Incident Preparedness and Response report gives organisations strategic guidance on creating effective and efficient IR plans. It includes five breach simulation kits consisting of real-world scenarios that give organisations the content to run their own mock incidents, where they can practise and perfect their IR plans. These scenarios include crypto-jacking, insider threat, a malware outbreak, cyber-espionage, and a cloud-related cyber-attack. The complete report, including the breach simulation kits, is available to download on the VIPR Report resource page.