Incident Response is a set of actions aiming to detect and eliminate a cybersecurity breach and recover from it. Like all other Cyber Operations, it requires a systematic approach to be efficient and successful. For this purpose, every organization should have an Incident Response Plan which is the most important element for approaching cybersecurity incidents systematically to overcome it even before they cause damage to organizations’ reputation, finance, and data.
Every minute of downtime caused by a successful cyber attack can cost a business $427.
The issue is not whether there will be a cybersecurity incident, but rather when it will happen if the right steps are not taken. Every organization, regardless of its size, needs a incident response plan to respond to a cyber attack in order to protect itself. In a case where the necessary measures are not taken, cybersecurity breaches may damage organizations in various aspects.
Incident Response Damages
Mainly, it causes great financial damage. By one estimate, every minute of downtime caused by a successful cyber attack can cost a business $427. According to IBM Security’s “2019 Cost of a Data Breach Report”, the average total cost of a data breach is $3,92 million, and the total cost of cybercrimes worldwide keeps increasing dramatically.
Cybersecurity Ventures estimates that it will cost $6 trillion annually by 2022, while back in 2015 it was $3 trillion on a year basis.
Cybersecurity breaches do not cause damage only in financial aspect. According to Ponemon Institute’s Study, 61% of marketing executives believe the biggest cost of a cybersecurity incident is the loss of brand value and stock price drop. Besides all these financial and reputational losses, organizations may also face legal issues and penalties due to not complying with the regulations.
Breaches may also have long-tail costs. Although the majority of breach costs show up in the first year after a cyber incident, almost one-third of costs appear after the first year. Cybersecurity incident response plans that are not handled and deployed properly can cause huge damage that will take a very long time to recover.
Effective Incident Response Plan is one of the most important factors which help organizations mitigate the cybersecurity breach costs and damages.
Companies that self-reported their security posture as superior and quickly responded to the breach recovered their lost stock value after an average of 7 days.
In Incident Handler’s Handbook, SANS Institute proposes a 6-phase plan framework that is admitted as a standard for Incident Response Plan.
Incident Response Plan Steps
Preparation
This phase is the most crucial phase and it is about preparing the team to be ready to handle any incident. The preparation phase includes:
-
Crafting a policy which consists of a written set of principles, rules, and/or practices.
-
Preparing an incident response plan/strategy to handle breaches.
-
Creating a communication plan (including law enforcement units).
-
Documentation which is able to answer Who, What, When, Where, Why, and How questions. This is to be sure that for every situation there is a checklist and a set of rules and guides.
-
Creating a team, Computer Incident Response Team (CIRT), that is made up of several people coming from various disciplines (attorneys, PR consultants) to handle any kind of problem that is related to the incident.
-
Adjusting access control to be sure that Computer Incident Response Team (CIRT) has the permissions to step in at the moment of the incident.
-
Providing tools and platforms which means preparing a “jump bag” containing all necessary hardware and software that can be utilized during the incident response action.
-
Training the team to be able to handle the incident response plan properly and conducting some drills to ensure that each individual within the Computer Incident Response Team (CIRT) is able to perform their duties during any incident response action.
Identification
This phase deals with the detection of whether an extra-ordinary activity is belonging to the field of cybersecurity by gathering all relevant data from various sources. If a particular event is determined to be an incident, it should be reported as soon as possible in order to allow enough time to the CIRT to collect evidence and prepare for the upcoming steps.
Containment
The purpose of this stage is to limit and mitigate the damage and prevent the destruction of any evidence which may be needed for judicial processes. There are three steps in this phase:
-
Short-term Containment: The average time between detection and containment is 69 days. Such a long time may cause the incident to turn into a disaster for the organization. In this step, the network segment of infected workstations is isolated to limit the incident before it gets worse.
-
System Backup: In this step forensic image of affected system(s) is taken with digital forensic tools such as IREC Tactical, Binalyze AIR, and etc. Evidence collected from infected system(s) can be used for legal processes and useful for lessons learned phase.
-
Long-term Containment: In this step the affected systems can be temporarily fixed in order to return them to production.
Eradication
This phase deals with removing malware from all affected systems, identifying the root cause to prevent similar attacks, and updating the defense system by taking necessary precautions and installing patches to fix vulnerabilities.
Recovery
Recovery phase deals with bringing all infected systems back into production carefully and ensuring that it will not lead to another incident. It is important to test, monitor, and validate the systems to verify that they are not being reinfected by some other means.
Lessons Learned
The purpose of this critical phase is to complete any kind of documentation that could not be done during the incident which may be beneficial for future incidents. The SANS lessons learned process includes:
-
Completing documentation: It may not be possible to document all aspects of an incident while it is going on, and achieving comprehensive documentation is very important to identify lessons for the future.
-
Publishing an incident report: The document should be written in a form of a report which is able to answer the questions that may come up during the lessons learned meeting.
-
Identify ways to improve CIRT performance: Extract items from the incident report that were not handled correctly and can be improved next time.
-
Establish a benchmark for comparison: Derive metrics that can be useful in future incidents from the report.
-
Lessons learned meeting: Conduct a meeting within two weeks with the CIRT and other stakeholders to discuss the incident and lessons learned that can be implemented immediately.