Incident Response Plan is a set of actions aiming to detect and eliminate a cybersecurity breach and recover from it. Like all other Cyber Operations, it requires a systematic approach to be efficient and successful. For this purpose, every organization should have an Incident Response Plan which is the most important element of incident response for approaching cybersecurity incidents systematically to overcome it even before they cause damage to organizations’ reputation, finance, and data.
The issue is not whether there will be a cybersecurity incident, but when it will happen and no organization is exempt from cyber threats as long as they depend on IT. So every organization, regardless of its size, needs a plan to respond to a cyber incident in order to protect itself. Because if the necessary measures are not taken, cybersecurity breaches may damage organizations in various aspects. First of all, it causes great financial damage. By one estimate, every minute of downtime caused by a successful cyberattack can cost a business $427. According to IBM Security’s “2019 Cost of a Data Breach Report”, the average total cost of a data breach is $3,92 million. And the total cost of cybercrimes to the world keeps increasing dramatically. Cybersecurity Ventures estimates that it will cost $6 trillion annually by 2021, while it was $3 trillion in 2015.
Cybersecurity breaches do not cause damage only in financial aspect. According to Ponemon Institute’s Study, 61 percent of marketing executives believe the biggest cost of a cybersecurity incident is the loss of brand value and stock prices drop an average of 5 percent immediately after a data breach disclosure which also means customer losses. Besides all these financial and reputational losses, organizations may also face legal issues and penalties due to not complying with the regulations.
Breaches may also have long-tail costs. Although the majority of breach costs show up in the first year after a cyber incident, almost one-third of costs appear after the first year. So cybersecurity incidents that are not handled properly can cause huge damage that will take a very long time to recover.
Incident Response Plan is one of the most effective factors which help organizations mitigate the cybersecurity breach costs. Companies that self-reported their security posture as superior and quickly responded to the breach recovered their lost stock value after an average of 7 days. In Incident Handler’s Handbook, SANS Institute proposes a 6-phase plan framework that is admitted as a standard for Incident Response Plan.
This phase is the most crucial phase and it is about preparing the team to be ready to handle any incident. The preparation phase includes:
- Preparing a policy which consists of a written set of principle, rules, or practices.
- Preparing a response plan/strategy to handle incidents.
- Preparing a communication plan which shows to contact with whom and when (including law enforcement units).
- Documentation which is able to answer Who, What, When, Where, Why, and How questions should they ever arise to be sure every necessary action to be taken (like checklists).
- Creating a team, Computer Incident Response Team (CIRT), is made up of several people that consist of different disciplines (like attorneys, PR consultants) to handle any kind of problem that is related to an incident.
- Adjusting access control to be sure that CIRT has the permissions to step in at the moment of an incident.
- Providing tools that means preparing a “jump bag” containing all necessary hardware and software can be utilized during an incident.
- Training the team to be able to handle the incident properly and conducting some drills to ensure that each individual within the CIRT is able or knows how to perform their duties during an incident.
This phase deals with the detection of whether an extra-ordinary activity is a cybersecurity incident by gathering much data from various sources. If a particular event is determined to be an incident, and then it should be reported as soon as possible in order to allow the CIRT enough time to collect evidence and prepare for the preceding steps.
The purpose of this stage is to limit and mitigate the damage and prevent the destruction of any evidence which may be needed for judicial processes. There are three steps in this phase:
- Short-term Containment: The average time between detection and containment is 69 days and such a long time may cause the incident to turn into a disaster for the organization. In this step, the network segment of infected workstations is isolated to limit the incident before it gets worse.
- System Back-Up: In this step forensic image of affected system(s) is taken with digital forensic tools such as IREC Tactical, Binalyze AIR etc. Evidence collected from infected system(s) can be used for legal processes and useful for lessons learned phase.
- Long-term Containment: In this step the affected systems can be temporarily fixed in order to return them to production without the accounts and backdoors that allowed for the intrusion.
This phase deals with removing malware from all affected systems, identifying the root cause to prevent similar attacks, and updating the defense system by taking necessary precautions and installing patches to fix vulnerabilities.
This phase deals with bringing all infected systems back into production carefully and ensuring that it will not lead another incident. It is important to test, monitor, and validate the systems to verify that they are not being reinfected by some other means.
The purpose of this critical phase is to complete any kind of documentation that could not be done during the incident which may be beneficial in future incidents. The SANS lessons learned process includes:
- Completing documentation: It may not be possible to document all aspects of an incident while it is going on, and achieving comprehensive documentation is very important to identify lessons for the future.
- Publishing an incident report: The document should be written in a form of report which is able to answer the Who, What, Where, Why, and How questions that may come up during the lessons learned meeting.
- Identify ways to improve CIRT performance: Extract items from the incident report that were not handled correctly and can be improved for next time.
- Establish a benchmark for comparison: Derive metrics that can be useful in future incidents from the report.
- Lessons learned meeting: Conduct a meeting within two weeks with the CIRT and other stakeholders to discuss the incident and lessons learned that can be implemented immediately.