Although cybersecurity defenses stop many attacks, there is never a 100% guarantee that they will catch all intruders. When an attacker exploits a vulnerability, the organization must first recognize the event and then use an incident response team to contain and eradicate it. Execution of each step in an incident response is laid out in the organization’s incident response plan. The plan outlines what must be done after a cybersecurity incident, including people involved in the response, teams responsible for data recovery, and investigations into what happened and who could be responsible.
Why is Incident Response Important?
A cybersecurity incident can cost organizations millions in discovery, containment, and the legal aftermath of losing records to an attacker. The way an incident is handled reduces the time an attacker persists on the network and reduces the number of future incidents. Numerous large companies have handled incident response poorly, and it has cost them legal reparations, fines, and additional government regulation.
Who Handles Incident Response?
An incident response team is critical during a data breach. The team can reduce the amount of damage and contain it faster than staff unfamiliar with threat response. The longer an attacker can persist on a network, the more complex the response becomes, because of the additional malware and backdoors the attacker leaves behind. The team comprises IT professionals and security experts familiar with the ways attackers work.
As the name suggests, an incident response team is responsible for cleaning up and securing the network environment after a successful attack. A computer incident response team (CIRT) can be made up of several key stakeholders within the organization or outsourced to a professional agency. They usually involve IT staff, including database administrators, operations people, and developers. A few possible incident response people are highlighted below:
- Key management: Management are the only people who can make decisions during a response. This could be allowing access to network resources or making changes to the production environment.
- IT auditors: Auditors ensure that procedures are followed pre-incident, but they also help identify what went wrong and how to stop an attack in the future.
- Information Security: IS staff help identify the exploit that was used and confirm whether the vulnerability is still present. They can also advise IT staff on future information security protocols and procedures.
- Attorneys: Attorneys advise the organization on the right steps to take to avoid legal liability.
- Human resources: For insider threats, HR staff provides advice on how to handle employee issues.
- Public relations: Should the data breach require an announcement to customers, a PR team will create the communication necessary to let the general public know about the incident.
- Financial auditor: The monetary fallout for organizations can be assessed and determined by a financial auditor. A cost for a data breach might be required for certain legal investigations and to press charges.
Steps During Incident Response
The aftermath of a data breach can be a stressful, busy time for all people involved. Having an incident response plan and a disaster recovery plan that lays out all necessary steps will avoid mistakes, but not every company has a plan until a breach has already happened. The SANS Institute describes six major steps during incident response, which provide a general overview of what’s involved during a response. The following six steps and their details should be in an incident response plan:
- Preparation: Preparation is always done before an incident. Preparation involves documentation, highlighting who is involved in the response, the steps necessary for access to the system, and the management team responsible for providing authorization. Any tools necessary for the response are also documented.
- Identification: Knowing that an incident occurred requires proper monitoring and analysis. Identifying the incident then involves investigating logs, audit trails, errors, authentication information, and firewall reports.
- Containment: Quick containment of an attacker is critical. A good incident response team will stop the threat from persisting. It’s not unusual for a persistent attacker to have multiple backdoors in case of detection. The sooner a threat is detected, the more effective containment will be, and the less likely the attacker will be able to create additional backdoors.
- Eradication: Eradication completely removes a threat from the environment. Fast containment and eradication reduce the amount of damage and data theft. Eradication is a delicate procedure that must remove the threat but avoid damaging the production environment to keep the business productive.
- Recovery: After the threat is removed, the organization might need to recover data and make changes to the system to put it back to a normal state. This step might not be quick to execute for large changes such as restoring data that was destroyed. Testing may be necessary after cybersecurity incidents to ensure that the production environment is free from the vulnerability.
- Lessons learned: Without reviewing what went wrong, the same mistakes will likely be made. Lessons learned is a time to reflect on what could be done better during incident response and what changes should be made to ensure that the same attack is not successful.
Cybersecurity Incident Prevention
Ideally, an organization never faces a cybersecurity incident. While no cyber-defenses are 100% secure, an organization can take necessary precautions to avoid becoming a targeted victim. All administrators understand the basics: a firewall filters outside traffic, identity management and access controls limit who can reach which resources, and physical security protects assets. What some administrators fail to implement is monitoring and intrusion detection.
Network monitoring, cloud security monitoring, and intrusion detection alert administrators to a potential attack. To avoid acting on false positives, the alert generally goes to an analyst for further review. Too many false positives lead to analyst exhaustion, meaning a true threat could be overlooked among all the false-positive alerts. Monitoring should be as precise as possible so that analysts can handle a breach as quickly as possible.
Intrusion detection tools are a component of monitoring. Monitoring tools log events, and intrusion detection, increasingly aided by artificial intelligence, determines whether an attack is occurring. If the intrusion is persistent, an attacker could have access to the network for months. Attackers will sometimes exfiltrate data slowly to avoid detection, which is why it's important to keep monitoring any sensitive data, comparing access requests against a baseline of normal activity and flagging any unusual authorization attempts.
Even with the right prevention tools in place, organizations should always review an incident response plan every year to ensure it contains accurate documentation and information. An incident response plan is critical for the success of the company, and it can save millions in legal fees, reparations to customers, and data loss.