In order to minimize potential damage to an organization's assets, employees, customers, and reputation, it is critical that companies take quick and effective action upon the discovery of any suspected or actual cyber incident (e.g., any unauthorized access, use, or disclosure of data or other information security breach). To achieve an effective response to an incident, companies need an incident response plan in place, and employees who are trained to execute it before the need arises.
An incident response plan should, at a minimum, address preparation, detection, analysis, containment, eradication, recovery, and follow-up. It should also address communication, both internally and with the public, during and after the incident. Each of these elements is discussed briefly below as part of a ten-step plan.
1. Incident response training
Detailed, practical, up-to-date training of every employee involved in incident response is critical to reacting quickly and effectively to a cybersecurity incident. Everyone with a responsibility under the incident response plan should know his or her role in the plan and how to execute it.
2. Incident response testing and exercises
Companies that exercise their incident response plan regularly, and at least once a year, are in a significantly better position to identify weaknesses in the plan and address them before a real attack strikes. The feedback and lessons learned from each trial run should be reviewed and incorporated into the plan to make it more effective.
3. Intrusion Detection (or Prevention) Systems
Intrusion detection systems, which automatically scan, monitor, and search for incidents, can be part of an effective incident response plan when combined with manual scanning and monitoring where automation is not feasible; together they provide early warning of potentially malicious or abnormal activity on the network. Intrusion prevention systems go a step further by attempting to stop such activity and minimize, if not eliminate, the effects of an attack. Because these systems are not perfect, they should supplement, not replace, a regular review of new vulnerability reports (from US-CERT or another reputable vulnerability alert service) and of system logs. System administrators should actively investigate any indication of unusual activity and should only filter out log entries once they are confident that the activity behind them poses no threat to the organization.
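As an added illustration of the log-review point above (example code written for this page, not part of the original article), the following Python script triages a handful of constructed OpenSSH authentication log lines for exactly the kind of activity an administrator should investigate: a burst of failed logins from one source followed by an accepted login from the same source. The hostnames, addresses, threshold, and time window are assumptions made for the example. The `cleared_ips` parameter models the caveat in the text: a source is filtered out of the alert only after it has been investigated and found benign, and the underlying log entries are never deleted.

```python
"""Triage OpenSSH auth-log lines for brute-force followed by success.

Added example for the log-review step; not code from the original article.
The log lines, hosts and addresses below are constructed; the threshold and
window are illustrative assumptions, not values taken from the text.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the common syslog layout (no year in the timestamp).
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 web01 sshd[4412]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:05 web01 sshd[4413]: Failed password for root from 203.0.113.7 port 51041 ssh2
Mar 10 02:14:08 web01 sshd[4414]: Failed password for root from 203.0.113.7 port 51052 ssh2
Mar 10 02:14:09 web01 sshd[4415]: Failed password for deploy from 203.0.113.7 port 51060 ssh2
Mar 10 02:14:12 web01 sshd[4416]: Accepted password for deploy from 203.0.113.7 port 51071 ssh2
Mar 10 02:20:00 web01 sshd[4420]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 10 02:20:30 web01 sshd[4421]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
Mar 10 03:00:00 web01 sshd[4430]: Accepted publickey for backup from 192.0.2.10 port 22000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text, year=2024):
    """Turn matching sshd lines into (timestamp, result, method, user, ip) tuples.

    Lines that do not match are skipped for this analysis; nothing is removed
    from the log itself.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def find_bruteforce(events, threshold=5, window_s=60, cleared_ips=frozenset()):
    """Return one finding per source IP with `threshold` failures inside `window_s` seconds.

    Each finding records the usernames tried and any accepted login from the same
    source at or after the end of the burst. Sources in `cleared_ips` are suppressed:
    that set is meant to hold only sources already investigated and judged benign.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[4]].append(ev)

    findings = []
    for ip, evs in sorted(by_ip.items()):
        if ip in cleared_ips:
            continue
        evs.sort()
        fails = [e[0] for e in evs if e[1] == "Failed"]
        burst_end = None
        # Slide a window of `threshold` consecutive failures and look for one that fits in window_s.
        for i in range(len(fails) - threshold + 1):
            if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_s:
                burst_end = fails[i + threshold - 1]
                break
        if burst_end is None:
            continue
        later_success = [e for e in evs if e[1] == "Accepted" and e[0] >= burst_end]
        findings.append({
            "ip": ip,
            "failures": len(fails),
            "users_tried": sorted({e[3] for e in evs if e[1] == "Failed"}),
            "success_after_burst": [(e[3], e[2]) for e in later_success],
        })
    return findings


if __name__ == "__main__":
    for f in find_bruteforce(parse(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['failures']} failures against {f['users_tried']}, "
              f"then accepted: {f['success_after_burst'] or 'none'}")
```

Run against the constructed sample, the script reports a single source with five failures in eight seconds against three accounts and a subsequent password login as `deploy`, which is the entry an administrator should investigate rather than filter. The single failure from the other address does not reach the threshold and is left alone.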
4. Incident analysis
The response to a suspected or actual incident starts with an analysis to determine its scope, nature, and origin, as well as the people, software, and hardware involved. The analysis should identify the affected systems and data, the point of entry, any malware implicated, any remote servers that received data, the individuals whose information was affected, and any further impact on the organization's networks, systems, and information infrastructure.
5. Incident documentation
To ensure that incidents are resolved in a timely manner and that the organization complies with its own policies and applicable legal requirements, every suspected or actual incident must be properly documented and, to the extent practical, documentation and communication should be carried out under the direction of the organization's counsel so that the communications receive the greatest available legal protection. Identifying, collecting, and maintaining records of the organization's response to incidents should be standard operating procedure.
The documentation should include: a status report and a summary of all related incidents and responsive actions taken by the organization; an impact assessment; contact information for every individual and entity involved; a comprehensive list of the collected evidence; and a summary of incident prioritization, notification, containment, eradication, recovery, reporting, and follow-up actions to resolve the incident and prevent future recurrences. Depending on the nature of the incident, companies may consider additional steps such as:
- Arranging for a "forensic image" of the affected computer systems to help analyze what happened and what has been affected
- Locating backups and checking for any unauthorized changes to the network
- Using uncompromised media to store copies of retrieved and stored data, and safeguarding that media from compromise
- Preserving logs, ongoing notes, records, and data, if possible under a single designated custodian
- Recording any continuing activity for ongoing incidents and, subject to legal limitations, employment agreements, privacy policies, and pre-clearance from legal counsel, considering whether to monitor and record communications between the intruder and the targeted server in order to protect the organization's property or rights, or, with advance documented consent, communications of system users
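The forensic-image and preservation items above rest on one technical requirement: being able to show later that the collected logs, notes, and images are the ones that were collected and have not changed since. The Python below is an added example written for this page, not code from the original article. It hashes each preserved file in chunks (so a large disk image need not fit in memory), records the custodian, case identifier, and collection time in a manifest, hashes the manifest itself, and re-verifies everything on demand. The custodian name, case identifier, and file contents are constructed for the example.

```python
"""Build and verify an integrity manifest for collected incident evidence.

Added example for the documentation/preservation step; not code from the
original article. Custodian, case id and file contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB pieces so a multi-GB disk image streams through


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Deterministic serialization so the manifest hash does not depend on key order.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(evidence_paths, custodian, case_id):
    """Record hash, size and collection time for each file, then hash the manifest itself."""
    items = []
    for p in sorted(evidence_paths):
        items.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })
    body = {"case_id": case_id, "custodian": custodian, "items": items}
    return {"manifest_sha256": hashlib.sha256(_canonical(body)).hexdigest(), **body}


def verify_manifest(manifest):
    """Return a list of problems; an empty list means manifest and evidence are intact."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    if hashlib.sha256(_canonical(body)).hexdigest() != manifest["manifest_sha256"]:
        problems.append("manifest: self-hash mismatch (manifest edited after creation)")
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append(f"{item['path']}: missing")
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append(f"{item['path']}: sha256 mismatch")
    return problems


def run_demo():
    """Constructed walk-through: preserve two files, verify, alter one, edit the manifest, re-verify.

    Returns (manifest, problems_before, problems_after_file_edit, problems_after_manifest_edit).
    """
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "auth.log")
        notes = os.path.join(workdir, "responder-notes.txt")
        with open(log, "w") as f:
            f.write("Mar 10 02:14:12 web01 sshd[4416]: Accepted password for deploy "
                    "from 203.0.113.7 port 51071 ssh2\n")
        with open(notes, "w") as f:
            f.write("02:30 UTC: web01 isolated from the network by the designated custodian\n")

        manifest = build_manifest([log, notes], custodian="J. Doe (constructed name)", case_id="IR-0001")
        before = verify_manifest(manifest)

        # Someone appends to the preserved log after collection: the file hash no longer matches.
        with open(log, "a") as f:
            f.write("Mar 10 02:14:13 web01 sshd[4417]: Accepted publickey for deploy "
                    "from 198.51.100.9 port 40500 ssh2\n")
        after_file_edit = verify_manifest(manifest)

        # Someone changes the custodian field in the manifest: the self-hash exposes that too.
        manifest["custodian"] = "someone else"
        after_manifest_edit = verify_manifest(manifest)
        return manifest, before, after_file_edit, after_manifest_edit


if __name__ == "__main__":
    m, before, after_file, after_manifest = run_demo()
    print(json.dumps(m, indent=2))
    print("after collection:", before or "intact")
    print("after log edited:", after_file)
    print("after manifest edited:", after_manifest)
```

In practice the manifest would be written alongside the evidence and a copy kept by the custodian on separate, write-protected media, so that the two can be compared if the integrity of either is later questioned.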
6. Incident prioritization
Multiple incidents occurring simultaneously or within a short period can wreak havoc on an organization's systems and on employee morale. If more than one incident adversely affects the organization at the same time, the response may have to be prioritized by the impact of each incident and the criticality of the services affected.
7. Incident notification
In many cases, incidents (and even suspected incidents) may require notification of state and federal agencies and others. Organizations should identify a single point of contact, and at least one backup, for dealing with the media, law enforcement, incident reporting organizations, and other third parties, so that responses are consistent and accurate. Training the designated contact to communicate effectively about incidents and the organization's compliance, before any incident occurs, is an essential part of an effective response plan: communications handled poorly can damage the organization's reputation for years after the incident.
8. Incident containment
Upon discovery, containment is critical to minimizing damage to the organization: stop the breach, contain the damage, secure the information, and recover compromised information. Effective incident response should take into account a wide range of factors, including severity, information type, causes, and risk. To be best prepared, organizations should assess how various incidents would affect their particular operations and assets, prioritize them, and be ready to take different measures to safeguard the most valuable assets from further loss. A detailed containment strategy may include the following:
- A range of measures, from blocking access, to monitoring activity, to identifying the source or scope of the incident
- Re-routing network traffic
- Filtering or blocking a distributed denial-of-service attack
- Isolating some or all of the compromised network
- Restoring the network to a prior uncompromised state if a backup copy of important data has been preserved
- Preserving records of mitigation/response measures and related costs
9. Incident eradication
The initial response, resolution, and containment may not be sufficient to eliminate the risk an attack leaves behind. The lingering effects of an incident can pose a risk to the organization immediately or long after the initial incident. After the organization has carried out the most critical tasks of its containment strategy, a more in-depth eradication process may be necessary to remove any harmful remnants. These longer-term steps may include a complete search for and removal of malware, temporary or permanent disabling of breached user accounts, and the rebuilding or restoring of affected systems.
10. Post-incident debriefing
Each incident can help an organization become smarter, draft more sophisticated and comprehensive response plans, and improve its ability to detect, prevent, and respond to incidents. An organization should take full advantage of the lessons learned during and immediately after an incident to review and revise its incident response plan while the strengths and weaknesses of the response are fresh. After an incident, the organization should hold meetings and training sessions with all involved parties to determine which components of the response were effective and which were not at each phase, from detection, investigation, and diligence through containment and eradication. As part of the post-incident recovery phase, the organization's training programs and incident policies and procedures should be thoroughly reviewed and the board of directors briefed on the results. The incident response plan should then be modified, at the board's direction, to incorporate these lessons. This is also an opportunity to review whether the organization has the right technology for this incident and for other reasonably anticipated security incidents, and to incorporate such technology into its incident response planning.
These ten steps provide a general framework that any organization can use as a guide for developing an incident response plan. However, each plan should be tailored to the organization's particular business model and customer base. Depending on the type of information your organization collects, stores, and processes, there may be additional regulatory or industry standards with which you must comply. For example, an organization that accepts credit cards is required to have an incident response plan consistent with the PCI Data Security Standard (PCI DSS). An organization subject to HIPAA will need to consider the Privacy, Security, and Breach Notification Rules when crafting its plan.
Responding to security incidents is an iterative process. Lessons learned from an investigation or response, as well as from any trial run of the plan, help the organization understand what happened, prepare for future incidents, and avert them where possible.