Cyber-attacks can harm an organization’s finances, reputation, and much more. A cyber security incident response is a systematic way of responding to cyber-attacks and is composed of ten essential steps.
What are the steps of a cyber security incident response? The ten steps of cyber security incident response are as follows:
- Information Risk Management
- Secure Configuration
- Error Security
- Managing User Privileges
- User Education
- Incident Management
- Malware Prevention
- Monitoring
- Address Removable Media Controls
- Address Home & Mobile Working Security
The remainder of this article will discuss cyber security incidents and the details of each step of incident response. In addition, you will discover ways to build an ideal cyber security management system.
What is a Cyber Security incident?
Before delving into the steps for cyber security incident responses, it is vital to understand what cyber security incidents or cyber security attacks entail.
A cyber security incident has no universal definition, but according to Open EI[1], a cyber security incident is “any malicious act or suspicious event that compromises, or was an attempt to compromise, the Electronic Security Perimeter of a Critical Cyber Asset, or disrupts, or was an attempt to disrupt, the operation of a Critical Cyber Asset.”
Most people regard cyber security incidents as Advanced Persistent Threats (APTs) or malicious attacks. Yet, many organizations have conflicting opinions about what it means. In addition, a cyber security incident is not the same as an information security incident. Therefore, not all information security incidents are cyber security incidents.
For greater understanding, consider the following table, which outlines the differences between the two types of incidents:
| Cyber Security Incident | Information (IT) Security Incident | |
| Type of Crime | A severe crime by organized-crime groups | Petty crime by petty-criminals |
| Attacker | State-sponsored attack | Group of attention-seeking petty-criminals |
| Response | Requires escalation and reporting | Does not require escalation and reporting |
| Expert Intervention | Requires experts for effective response | Does not require experts for effective response |
| Type of Support | May require government support for effective response | Does not require government support for effective response |
What is a Cyber Security incident response?
A cyber security incident response has to do with how security events on a computer or computer network are detected and the execution of an appropriate response to the events. It is a methodological approach to responding to and managing a cyber-attack.
Importance of Cyber security Incident Responses
There are many reasons why cyber security incident responses are essential:
- A cyber-attack may damage an organization’s reputation, resources, and time;
- An attack may have a negative consequence on the organization’s customers and brand image.
- It could also cause loss of money, alienation of customers/loss of customer loyalty, and the exposure of an organization’s sensitive data.
As mentioned earlier, the cyber security incident response helps quell the negative effects of cyber security incidents. For example, frequent cyber-attacks on a target may attract stiff law enforcement regulations. This is why an organization must set up an incident response team to execute an effective cyber security incident response, which may help discover perpetrators and their motives.
What is an incident response team?
SANS institute[2] states that “a company should look to their Computer Incident Response Team (CIRT)” to tackle cyber security incidents. This team usually comprises of upper-level management professionals, IT auditors, information security, and other security staff.”
An organization’s HR team, legal department, and communications or PR unit must support the response team for effective incident response.
10 Steps of Cyber Security Incident Response
To help protect an organization from cyber-attacks or to conduct an effective cyber security incident response, the organization must endeavor to take the below measures; they are ten steps to protect an organization’s information, network, systems, and technologies that were first published in 2012 and has since been adopted by the FTSE350.
1. Information Risk Management
Firstly, create an effective risk management regime for the organization. This should be done in consideration of the organization’s information assets, finance, operations, and regulatory risk consequences.
For effectiveness, the organization’s board of directors must approve the information risk management policies. Its execution must be a top-bottom approach, from the board and senior managers down to all other employees. They must all be aware of the newly-introduced risk management policies and practices. It should also involve contractors, suppliers, and other stakeholders.
2. Secure Configuration
The next stage is to find a suitable means to identify baseline technology builds and processes to ensure configuration management. This will help improve the security of systems immensely. It involves setting up a strategy to rid systems of irrelevant functionalities and fixing vulnerabilities through patching. Failure to do this will lead to the exposure of the organization’s vulnerabilities and attracting threats to business confidentiality and integrity.
3. Network Security
At this level, you should try to protect the data storage and processing unit of your organization, which could be the target of an attacker. The connection of your organization’s systems or technologies to the internet exposes them to a likely attack.
Also, these threats may spread throughout the organization if they are found in the network. Therefore, create and execute policies and relevant technical and architectural policies to limit the chances of such an attack.
4. Managing User Privileges
This is the stage where you modify existing data access rights or system privileges of users’ accounts. Considering that the misuse of elevated system privileges may lead to an attack, it is essential to provide users with a reasonable level of data access rights suitable for the execution of their tasks in line with their current position in the organization.
5. User Education and Awareness
This stage involves the sensitization of all personnel of the organization on the dangers of misusing system privileges, which could lead to an attack and threaten the security of the organization. The employee manual must expressly capture user security policies and consequences.
It is recommended for periodical/regular training and awareness programs to imbue members of the organization with a culture of security consciousness.
6. Incident Management
Next is to set up effective incident management processes and policies that ensure the continuity of business. This would ensure that the organization prepares for the prevention of likely future incidents. It also ensures that the impact of an eventual attack is cushioned.
During this phase, it is highly recommended to invest in sourcing for experts that would make up the incident management response team and set up a workable policy and process.
This team of specialists should be trained in non-technical and technical aspects of incident response and must be skilled in reporting cyber incidents to the appropriate law enforcement agency. The following is a list of the necessary information that must be provided when reporting cyber incidents:
- Date of incident
- Time of incident
- Location of incident (address, building number, room number, and others)
- Type of incident
- How the incident was discovered
- Contact name
- Contact phone number
7. Malware Prevention
Next is to develop and implement relevant anti-malware policies to reduce the risk of malware exposure. Malware (malicious software) is a generalized term for any code which may trigger some anomalies in a computer system. Unfortunately, the risk of malware exposure is very high as it comes with the exchange of information in cyber space.
Therefore, the security policies should accommodate regular scanning of the organization’s as well as the client’s systems to prevent malware attacks. This can be done with the aid of up-to-date antivirus software.
8. Monitoring
Monitoring organizations’ systems is an essential stage in cyber security incident response. It is the catalyst for the detection of an attempted or an actual attack on systems. Besides, systems monitoring helps to ensure that the organization is in line with established policies and comply with legal requirements.
Hence, the security policy must involve a plan for regular monitoring of inbound and outbound network traffic for malicious activities. This could be done using Host Intrusion Detection Systems (HIDS), Network Intrusion Detection Systems (NIDS), and Prevention Systems.
9. Removable Media Controls
Removable media controls must also be addressed in any cyber security incident response. This is because it is a great medium for malware attacks and the export of an organization’s sensitive data.
The newly introduced policies for upholding the organization’s security must help establish the roles that removable media controls play in the day to day running of a business—whether it may be avoided entirely or not. If it plays an essential role, then its use must be strictly regulated. You could use a standalone media scanner to scan them for malware.
10. Home and Mobile Working
At this level, the management of risks that arise from a mobile or remote system is essential. Users must be trained on secured means of using their devices when working remotely. It is a pertinent medium for the prevention of future cyber security incidents.
The best practice is to train users on ways to secure their devices in line with the established security policies. It is recommended to apply a secure baseline built to mobile devices. Also, you could use the appropriate configured Virtual Private Network (VPN) to protect the data-in-transit and data-at-rest.
Challenges in Responding to a Cyber Security Incident
As mentioned earlier, most organizations and government parastatals often think that they can effectively respond to a cyber-attack until they finally experience one. In a bid to understand what may go wrong during a cyber security incident response, consider the following; they are some of the challenges organizations and parastatals face during cyber security incident response:
Wrong Response Team
It is usually disastrous when the wrong response team handles cyber security incident responses. The following are some of the factors responsible for appointing a wrong response team:
- Selecting team members with inadequate experience
- Unsuitable team size (either too small or large)
- Wrongly assigning roles to team members
Regardless of what may lead to this, the wrong team will be ineffective when responding to a cyber security incident. There will be an overlap of efforts and gross mismanagement of time and resources if the wrong team is handling incident response.
Wrong Incident Response Objectives and Plans
Many organizations sometimes develop incident response plans that are both ineffective and unsuitable. The common challenge is that an incident response team may adopt a template which itemizes and elaborates steps to take. However, such a model may fail to help handle an incident that is unique to the organization’s needs.
This could slow down the incident response process and overcomplicate issues. This could cause cyber security attacks to escalate and hinder the incident response team from handling incidents effectively.
Inadequate Budget for Incident Response
An organization’s budget to manage an incident could be inadequate. It is common for an organization’s planned budget for responding to an incident to be smaller than the actual IT expenditure.
According to the IAPP-EY Annual Privacy Governance Report of 2018[3], there has been a decline in the average privacy budget from $ 2.1 million in 2017 to $1 million in 2018. One of the reasons for this decline is that most organizations spend huge sums on regulatory compliance.
Untimely Detection of an incident
The first problem the incident management team of an organization can face is the lack of detection of evidence for unusual occurrences.
There are several forms of cyber security incidents, including attempts by unauthorized users to access sensitive servers and outgoing network traffic discrepancies. Hence, it is very easy for incidents to go on without any notice.
Merely detecting a cyber incident is not enough; it should be detected in a timely manner. A timely detection may help to quickly contain the impact on the business and reverse its cause. However, this is not the case most times.
For example, according to the M-Trends 2019 Report[4], the global median incident detection time between October 1, 2017, and September 30, 2018, was 78 days.
Use of Inadequate Response Tools
An organization will experience a delay or a hindrance in responding to cyber-attacks if incident response tools are inadequate, underutilized, unmanaged, or untested. The following are some of the likely consequences of using inadequate response tools:
- Challenges with identifying possible incidents
- Inability to estimate the potential business impact of an incident
- Inability to determine the depth of information that has been compromised or disclosed to unauthorized parties
- Problems analyzing gathered information on a potential incident
- Challenges with the identification of compromised systems, networks, and information
- Issues with identifying cyber perpetrators and their motives
Organizations need to keep an inventory of response tools with a timely renewal of license and component upgrades. Also, it is recommended to train the members of a response team regularly and thoroughly across the toolset.
More importantly, the response tools must be assessed in view of the current degree of the cyber-attack to determine their effectiveness in a response.
Difficulty in Identifying Insider Threats
Insider threats are more difficult to detect; therefore, most organizations are even more susceptible to them. The factors for insider threat, among others, are the alarming rates of IT complexities, multiple users with unwarranted access privileges, and increasingly sensitive data-access devices.
Insider threat is a worrisome issue as the 2018 Insider Threat Report[5] confirmed that “90% of organizations feel vulnerable.” Therefore, the incident management team of an organization needs to take extra caution to deal with insider threats during an incident response.
Strict or Dynamic Security Breach Notification Laws
Another challenge that the incident management team of an organization will face is with the relevant national or international security breach notification laws. These laws are constantly changing so much that Thomas Reuters, in their “Cost of Compliance 2018”[6] survey, revealed that there are over 200 regulatory updates every day.
In a bid to comply with data privacy laws, an organization experiencing cyber security incidents would be slow-paced when responding to incidents.
Moreover, security breach notification laws contain established steps that an entity under cyber-attacks must take, including the stipulated timeframe to notify concerned customers about the breach.
Adherence to these mandates may escalate the impact of an attack on the organization’s business, but also attract penalties from relevant government agencies if neglected.
Absence of Database to Segregate Critical Assets
When there is an absence of a database to segregate critical assets, the incident management team will find it challenging to handle a cyber security incident. A data management process must be in place to generate a dedicated asset list for the team when tackling cyber-attacks.
Increasing Incident Management Capabilities
This section examines the best practices when responding to cyber security incidents. These practices are in three phases: preparation, response, and follow-up.
Preparation
Adequate preparation means that the organization can effectively identify the criticality of key assets/technologies and analyze threats to them. It also involves the implementation of some complimentary controls for the effective protection of these assets.
There are five steps to take during the preparation phase of cyber security incident management capability:
1. Conducting a Criticality Assessment.
This assessment will help the organization identify critical information assets, determine which threats are most likely to affect them, and the likely level of business impact should an attack occur. This knowledge will assist the incident response team in applying relevant technical controls to limit the chances and impact of incidents affecting these assets.
2. Performing a cyber security incident threat analysis.
A practical incident threat analysis involves the identification of what a cyber security incident means to an organization. This will help develop related examples of such threats (malware and social engineering, for example) and an understanding of the threat level to the organization.
It is essential to consider several perspectives to identify the level of threat. This includes the PLEST (Political, Legal, Economic, Socio-Cultural, and Technical Environments) of the organization. It also involves considering the nature of the business, key stakeholders, and assets, among others.
3. Determining the implications of people, processes, information, and technology.
At this level, the organization should consider the people, processes, information, and technology at the organization’s disposal to handle cyber security responses. Security policies must be established, IT infrastructure procured, and the staff and other stakeholders of the organization must be educated on security measures. These steps will help prepare for cyber-attacks.
4. Developing a relevant control framework.
Firewalls, access control, malware protection, and backups are some of the controls that could be implemented to reduce the chances of cyber-attacks. Setting up these controls (which are sometimes overlooked) can make a difference in reducing an organization’s vulnerabilities. The more specialized controls include multi-factor authentication, digital certificates, whitelisting, and technical monitoring tools.
5. Reviewing the level of readiness for incident response.
Although the level of preparedness depends on the type of organization, the evaluation of readiness for incident response must be done in the areas of:
- People
- Process
- Technology
- Information
- Preparedness
- Response
- Follow-up Activities
It is essential to evaluate readiness based on the organization’s actual requirements against its capabilities. It also helps when an organization compares its level of readiness with that of other, similar organizations.
Respond
There are four recommended steps to take at the “respond” level. They are:
1. Identifying the cyber security incident.
Identification of a cyber security incident is always a challenge. Some go on for a long duration, being undisruptive, but seeking to steal sensitive information. Others occur in separate parts of the organization. However, through alerts from technical monitoring systems (such as antivirus software) and other similar means, cyber security incidents can be detected. Also, it is pertinent to identify the magnitude of such incident at this stage.
2. Establish objectives and investigate the situation.
Once an incident has been identified, the objectives of an incident response must be established by answering the following:
- Who launched the attack?
- When was the attack launched?
- What is the magnitude of the attack?
- What is the objective of the attacker?
- What methodologies is the attacker using?
3. Take relevant action.
The first action to take is to contain the negative impact of an incident. Thereafter, the cause of the incident can be eradicated, while the gathered evidence could be preserved in compliance with relevant laws such as the Computer Misuse Act of 1990.
Containment of an attack includes blocking unauthorized access, blocking malware sources, isolating systems, and firewall filtering. Incident eradication includes carrying out malware analysis and identification of affected hosts for remediation. Evidence preservation involves logging location of stored evidence, time and date of evidence handling occurrence, and so on.
4. Restore data, connectivity, and systems.
This is the stage that the affected organizations’ technologies/assets are restored, tested, and vulnerabilities are remedied to prevent future attacks. It involves rebuilding systems, reconnecting networks, and restoring/recreating/correcting information.
It also involves using an appropriate recovery plan, which includes:
- Thorough systems testing
- Infected systems rebuilding
- Password reset on compromised accounts
- Removal of temporary constraints imposed during the containment period
Follow-Up
An essential part of the follow-up is to evaluate actions taken during incident response, document them, and build on them. It contains the following steps:
1. Re-investigation.
Investigating a cyber security incident afresh makes for clarity and newer discoveries about what happened. Also, it can provide clearer facts for improving controls for the prevention of future occurrences.
The following should be considered when investigating again:
- Carrying out problem cause analysis, using current reality tree (CRT), failure mode, effects analysis (FMEA), and other techniques.
- Performing root cause identification, using why-because analysis (WBA), cause and effects diagrams, or other techniques.
- Identifying the magnitude of the attack on business, such as the impact on finances, brand-image, and so on.
2. Report
Reporting cyber security incidents to the relevant stakeholders includes:
- Full description of the type of attack and actions that were taken
- Financial, reputational, and other impacts of an attack on business.
- Recommendations on additional measures to take to prevent future attacks
3. Post-incident analysis.
The evaluation of actions and steps taken to contain an attack and eradicate cause must be considered in the following areas:
- Did staff and management perform well in dealing with the cyber security incident?
- Was documented procedure followed and adequate in dealing with the incident?
- What actions or steps were taken that hindered recovery?
- What lessons were learned?
4. Communicating and building on lessons learned.
This step involves drafting a report on the conclusions that were deduced after re-investigation and analysis. It also includes developing an action plan on how the organization will ensure better resilience towards future cyber security incidents.
Such an action plan must include technical and non-technical ideas or projects to limit the chances of successful attacks in the future. Furthermore, it must also explain the way through which the organization may respond more effectively and rapidly.
5. Regular update of documents, information, and controls.
Reviewing incident management methodologies, management controls, and others is pertinent in the follow-up exercises.
6. Performing trend analysis.
This helps in the evaluation of patterns and trends of cyber incidents at the national and international levels. It concerns the identification of common factors of incidents, estimation of effectiveness of incident controls, and estimated impacts of incidents.
In summary, trend analysis puts an organization on top of cyber security incidents around the world and ultimately helps the organization prepare for a similar attack.
Conclusion
The ten steps of cyber security incident responses are essential to contain and eradicate the cause of cyber security incidents. Organizations are usually ill-prepared for responding to incidents, but by identifying likely challenges of incident responses, an organization can handle cyber-attacks very well.
References:
[1] https://openei.org/wiki/Definition:Cyber_Security_Incident
[2] https://www.sans.org/reading-room/whitepapers/incident/paper/1065
[3] https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/
[4] https://vision.fireeye.com/editions/02/global-webinar-series-2019.html
[5] https://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf
[6] https://www.reuters.com/article/bc-finreg-cost-of-compliance-change-unce/cost-of-compliance-2018-regulatory-change-and-continuing-uncertainty-idUSKBN1KE1ZM
https://blog.eccouncil.org/10-steps-to-cybersecurity-as-defined-by-gchq/
https://www.forcepoint.com/cyber-edu/incident-response
https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/introduction-to-cyber-security/executive-summary
https://www.crest-approved.org/
https://iapp.org/resources/article/iapp-ey-annual-governance-report-2018/
https://www.businesswire.com/news/home/20190304005229/en/FireEye-2019-Mandiant-M-Trends-Report-Finds-Organizations-Across-the-Globe-Are-Faster-to-Identify-Attacker-Activity-Compared-to-Previous-Year
https://crowdresearchpartners.com/wp-content/uploads/2017/07/Insider-Threat-Report-2018.pdf
https://www.reuters.com/article/bc-finreg-cost-of-compliance-change-unce/cost-of-compliance-2018-regulatory-change-and-continuing-uncertainty-idUSKBN1KE1ZM
