Incident Response and Planning

The effectiveness of CISOs is measured by the resilience of the cyber-infrastructure they build and by their capability to respond to incidents.

In a world where attack surfaces are growing exponentially, attackers are developing sophisticated and intrusive tactics, and cyberattacks have become more prevalent, it is only a matter of “when” an organization suffers a security breach. Breaches at renowned firms such as Equifax, Uber, and SolarWinds have sent a clear message: the impact of cyberattacks is damaging and disruptive, and it is impossible to prevent every security incident.

No one wants to go through a security breach. But the latest trends and cybersecurity statistics show a massive rise in hacked and breached data through common attack techniques such as phishing, social engineering, supply chain compromise, distributed denial of service (DDoS), malware, and ransomware. So, CISOs should apply due care and due diligence to tackle such issues.

One way of doing so is to implement an incident response plan that helps detect incidents, minimize loss and destruction, mitigate the exploited weaknesses, and restore IT services. Effective incident response is therefore a vital part of a CISO's job.

CISOs own the incident response plan and make decisions about the people, processes, and technologies needed to create a solid, well-documented, well-communicated, trained, and tested response plan. In the event of a security incident, this plan helps the organization respond in a timely manner and identify and minimize the damage, exposure, and cost of a cyberattack. In addition, the plan outlines the course of action to prevent similar attacks from occurring in the future.

However, for the incident response plan to be successful, it must include various foundational items. The NIST Computer Security Incident Handling Guide (SP 800-61) is a great starting point for planning the response phases (Preparation, Detection, Containment, Eradication, Recovery, and Lessons Learned).

1. Preparation

This is the most crucial phase for protecting an organization from cyberattacks. Here, CISOs first plan in advance to prevent incidents by ensuring that systems, networks, and applications are sufficiently secure, and second, outline the procedures for handling security incidents when they do occur.

CISOs carry out the following to ensure that the organization is prepared to respond to an incident:

  • Create security policies and incident response plans and get them approved by management.
  • Ensure that the incident response plan is well documented, outlining everyone's roles and responsibilities.
  • Ensure the incident response team is properly trained and has participated in mock drills to evaluate its effectiveness.

2. Identification/Detection

Not all events are security incidents. So, in this phase, cyber defenders identify the actual incidents that need investigation by applying deep and specialized technical knowledge and experience.

Incidents may be detected through various means, such as IDS/IPS, EDR, XDR, antivirus software, log analyzers, etc. When this happens, the incident response team should analyze and validate each incident and document the following:

  • the incident's scope (which networks, systems, or applications are affected)
  • who or what originated the incident
  • what tools or attack methods are being used
  • what vulnerabilities are being exploited
  • the impact of the incident
  • whether any other areas have been impacted

Detailed documentation of the above points helps the team prioritize subsequent activities, such as containment and eradication of the incident and a deeper analysis of its effects. Moreover, these findings enable the team to appropriately notify the concerned parties, which could include:

  • Chief Information Officer (CIO)
  • Head of information security
  • Local information security officer
  • Other incident response teams within the organization
  • External incident response teams (if appropriate)
  • System owner
  • Human resources (for cases involving employees, such as harassment through email)
  • Public affairs (for incidents that may generate publicity)
  • Legal department (for incidents with potential legal ramifications)
  • US-CERT (required for Federal agencies and systems operated on behalf of the Federal government)
  • Law enforcement (if appropriate)
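The triage step described in this phase (separating real incidents from the stream of events and recording scope, originator, method, indicators, impact, and other affected areas) can be sketched in code. The script below is an added example, not code from the original article or any IDS/EDR product. It assumes a constructed, simplified log format (`<time> <sensor> key=value ...`), constructed sample events with documentation-range IP addresses and a labelled placeholder hash, and an illustrative failed-login threshold; real detections would come from the tools named above.

```python
"""Triage constructed log events into documented incident records.

Added example for the Identification/Detection phase; not from the article.
Log format, sample events, and the threshold below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events: "<time> <sensor> k=v k=v ..." (not real data)
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth host=web01 user=svc_deploy src=203.0.113.7 result=fail
2024-03-01T08:00:03 auth host=web01 user=svc_deploy src=203.0.113.7 result=fail
2024-03-01T08:00:05 auth host=web01 user=svc_deploy src=203.0.113.7 result=fail
2024-03-01T08:00:06 auth host=web01 user=svc_deploy src=203.0.113.7 result=fail
2024-03-01T08:00:09 auth host=web01 user=svc_deploy src=203.0.113.7 result=success
2024-03-01T08:01:10 auth host=web02 user=alice src=198.51.100.4 result=fail
2024-03-01T08:01:20 auth host=web02 user=alice src=198.51.100.4 result=success
2024-03-01T08:05:00 edr host=db01 user=svc_deploy severity=high rule=credential_dumping sha256=PLACEHOLDER_HASH
2024-03-01T08:06:00 edr host=web01 user=svc_deploy severity=low rule=suspicious_script
"""

FAILED_LOGIN_THRESHOLD = 3  # illustrative: 3+ failures then a success is suspicious


@dataclass
class Incident:
    category: str
    scope: set            # affected hosts
    originator: str       # who or what appears to have caused it
    method: str           # tool or attack method observed
    indicators: set       # indicators of compromise to block or hunt for
    impact: str
    account: str          # account involved, used for cross-incident correlation
    related_hosts: set = field(default_factory=set)  # "other areas impacted"
    evidence: list = field(default_factory=list)     # raw lines behind the finding


def parse_events(text):
    """Parse the constructed log format into a list of dicts, in file order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, sensor, *pairs = line.split()
        ev = {"ts": ts, "sensor": sensor, "raw": line}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def triage(events):
    """Apply two simple rules, then correlate incidents by the account involved."""
    incidents = []
    # Rule 1: repeated failures followed by a success for the same (user, src)
    fails = defaultdict(list)
    for ev in events:
        if ev["sensor"] != "auth":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "fail":
            fails[key].append(ev)
        elif ev["result"] == "success":
            if len(fails[key]) >= FAILED_LOGIN_THRESHOLD:
                incidents.append(Incident(
                    category="suspicious login after repeated failures",
                    scope={ev["host"]},
                    originator=ev["src"],
                    method="password guessing (inferred from auth log)",
                    indicators={ev["src"]},
                    impact=f"account {ev['user']} may be compromised",
                    account=ev["user"],
                    evidence=[e["raw"] for e in fails[key]] + [ev["raw"]],
                ))
            fails[key] = []  # a success closes the window either way
    # Rule 2: high-severity EDR detections are incidents on their own
    for ev in events:
        if ev["sensor"] == "edr" and ev.get("severity") == "high":
            incidents.append(Incident(
                category=f"edr:{ev['rule']}",
                scope={ev["host"]},
                originator=ev["user"],
                method=ev["rule"],
                indicators={ev["sha256"]} if "sha256" in ev else set(),
                impact=f"host {ev['host']} likely compromised",
                account=ev["user"],
                evidence=[ev["raw"]],
            ))
    # Correlation: hosts touched by the same account in other incidents
    for inc in incidents:
        for other in incidents:
            if other is not inc and other.account == inc.account:
                inc.related_hosts |= other.scope
    return incidents


def incident_report(inc):
    """Render one incident as the fields the detection phase asks to document."""
    return {
        "scope": sorted(inc.scope | inc.related_hosts),
        "originator": inc.originator,
        "method": inc.method,
        "indicators": sorted(inc.indicators),
        "impact": inc.impact,
        "other_areas_impacted": sorted(inc.related_hosts),
    }


if __name__ == "__main__":
    for inc in triage(parse_events(SAMPLE_LOG)):
        print(inc.category, incident_report(inc))
```

On the sample data the single failed login for `alice` and the low-severity EDR event stay events rather than incidents, while the four failures followed by a success for `svc_deploy` and the high-severity EDR detection become two incident records that the correlation step links to each other through the shared account, answering the "other areas impacted" question before anyone is notified.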

3. Containment

One of the primary goals of the incident response team is to limit the effect or scope of an incident so that it doesn't spread across the network and cause further damage to the business.

Containment therefore requires decision-making that varies with the type of incident (e.g., shut down a system, disconnect it from the network, disable certain functions, etc.).

CISOs should create separate and well-documented containment strategies for each major incident type by considering criteria such as:

  • Potential damage to and theft of resources
  • Need for evidence preservation
  • Service availability (e.g., network connectivity, services provided to external parties)
  • Time and resources needed to implement the strategy
  • Effectiveness of the strategy (e.g., partial containment, full containment)
  • Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).

4. Eradication

After an incident has been contained, eradication is necessary to ensure all traces of malware or other security issues are removed. Here, cyber defenders find the root cause of the breach and eliminate the components of the incident, such as deleting malware, blocking known indicators of compromise, disabling breached user accounts, identifying and mitigating all exploited vulnerabilities, and hardening systems.

5. Recovery

The next step is to recover the system to a fully functioning state, which can be as simple as a reboot for a minor incident or may require a complete rebuild for a major one. In this phase, administrators restore systems to normal operation and, if possible, remediate vulnerabilities to prevent similar incidents from happening in the future.

Recovery strategies include actions such as:

  • restoring systems from clean backups,
  • rebuilding systems from scratch,
  • replacing compromised files with clean versions,
  • installing patches,
  • changing passwords, and
  • hardening network perimeter security (e.g., firewall rulesets, boundary router access control lists).

6. Lessons Learned

Learning and improving is the final step in incident response, where the incident and the response are analyzed to identify key takeaways. Here, a detailed document is prepared outlining the pros and cons of the response plan, i.e., what went wrong and what went right. The output of this stage is fed back into the first step, preparation.

According to the NIST Computer Security Incident Handling Guide, this phase seeks answers to the following questions:

  • Exactly what happened, and at what times?
  • How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
  • What information was needed sooner?
  • Were any steps or actions taken that might have inhibited the recovery?
  • What would the staff and management do differently the next time a similar incident occurs?
  • How could information sharing with other organizations have been improved?
  • What corrective actions can prevent similar incidents in the future?
  • What precursors or indicators should be watched for in the future to detect similar incidents?
  • What additional tools or resources are needed to detect, analyze, and mitigate future incidents?


Finally, as cyberattacks have become more targeted and damaging, incident response has become an important component of cybersecurity. As a result, a CISO's role in developing and executing an effective incident response plan is vital.

ajay Menendez

CyberSecurity Servant Leader & Educator

3 years

Wait... Planning is involved?

More articles by Andrew Smeaton