Editor’s note: With the increased prevalence of ransomware and other cyberattacks, now is the time to take a moment to review your cyber response plan and examine the security of your key information security systems. Hyperproof has updated this popular article on September 8, 2021, with fresh information to help cybersecurity professionals respond effectively to security incidents.
Cybersecurity incidents are a fact of life for businesses now; the first six months of 2021 alone saw 1,767 data breaches that exposed more than 18.8 billion records. That’s a stark increase from the same time period a year prior when an already huge 4.1 billion records were exposed.
Hackers these days deploy sophisticated technology and ever-changing tactics to steal valuable information from businesses. Businesses are struggling to fend off cyber threats, as evidenced by the fact that even organizations with strong security measures in place have experienced data breaches. In fact, only 23 percent of all businesses in 2019 had cyber response plans in place, according to a survey conducted by Ponemon Institute.
What is a Cybersecurity Incident Response Plan?
A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information. According to the National Institute of Standards and Technology (NIST), there are four phases to most effective incident response plans: Preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Why Every Business Needs a Cybersecurity Incident Response Plan
In the past year,ransomware attacks have garnered attention as organizations of all industries were hit.Whether you’re a small company or one as large as Colonial Pipeline or T-Mobile, it’s not really a matter of “if” you will experience a cybersecurity incident, but “when.” And nobody storing or processing sensitive data is too small or too secure to be hit by a breach.
Not having a detailed CSIRP in place will hurt you in a couple of different ways when you’re hit with a breach: first, your security team and management team will be scrambling to understand and respond. Without a plan in place, they’ll be prone to making expensive mistakes.
Depending on the type of information exposed and the size of the breach, you might be legally required to take certain steps and notify not only those affected but also government agencies or other organizations. Not having a CSIRP in place will create a lot of opportunities for you to miss steps and expose yourself to additional fines or legal action.
Second, if your business experiences a significant breach, you will have to go through an external investigation or audit.
Not having recorded evidence of a CSIRP will signal to auditors that you aren’t taking the prospect of a data breach seriously.
What’s more, some data privacy regulations such as the California Consumer Protection Act (CCPA) require an incident response plan. So, if you don’t have a CSIRP in place, you will be in violation of the CCPA.
Some industry-led security frameworks also require organizations to have a CSIRP in place. For example, if you were pursuing ISO 27001 certification and didn’t have a CSIRP in place, you wouldn’t pass the audit. Annex A of ISO 27001 has a specific requirement for an information security incident response plan. So, unless you can give your auditor a reason why your business doesn’t need a CISPR in place, you have to have one to obtain the ISO 27001 certification.
Ultimately, whatever size your business is, whatever industry you work in, and wherever you are in terms of growth, you need to have a cyber incident response plan in place to keep your business safe and to help your business effectively recover from a security incident.
New Cybersecurity Risks Prompted by COVID-19
Now that the novel coronavirus has forced most organizations into a remote-only operating model, it’s important for your IT security staff to be on high alert and understand the new risks facing your organization. Malicious cybercriminals could take advantage of public concern surrounding the novel coronavirus by conducting phishing attacks and disinformation campaigns.
Phishing attacks often use a combination of email and bogus websites to trick victims into revealing sensitive information. Disinformation campaigns can spread discord, manipulate the public conversation, influence policy development, or disrupt markets
Cybersecurity Tips As They Relate to COVID-19
During this time, your IT security team should remind employees to take precautions, reiterate key concepts covered in your security training, ensure that all monitoring systems are operating correctly and be ready to respond to any security incidents promptly.
The Cybersecurity and Infrastructure Security Agency (CISA), a key risk advisor to the nation, has published recent guidance on risk management for COVID-19. CISA has recommended organizations examine the security of information technology systems by taking the following steps:
- Secure systems that enable remote access.
- Ensure Virtual Private Network and other remote access systems are fully patched.
- Enhance system monitoring to receive early detection and alerts on abnormal activity
- Implement multi-factor authentication
- Ensure all machines have properly configured firewalls, as well as anti-malware and intrusion prevention software installed.
- Test remote access solutions capacity or increase capacity
- Ensure continuity of operations plans or business continuity plans are up to date
- Increase awareness of information technology support mechanisms who work remotely
- Update incident response plans to consider workforce changes in a distributed environment.
How Do You Write a Cybersecurity Incident Response Plan?
The National Institute of Standards and Technology (NIST) provides four phases of an incident response plan: Preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. It is important to recognize that preparatory activities and post-incident activities are equally important. In fact, NIST emphasizes both types of activities in their outline.
The key to an effective cybersecurity incident response plan (CSIRP) is to have one in place well before a breach occurs. The planning you do before a security incident occurs will help you respond to an incident as quickly and efficiently as possible.
First, your plan needs to detail who is on the incident response team—along with their contact information and what their role is, and when members of the team need to be contacted. Each member of this team, from the CEO to the members of the IT team, needs to understand their place on the team and what they need to do in the event of a breach. They also need to recall the details within your CSIRP so that when a security incident happens, they can respond quickly.
NIST’s official Computer Security Incident Handling Guide gives you a comprehensive view of all the things you need to determine before an incident ever happens. You might be surprised at how detailed the list is, but when a security incident is in progress, your team needs to be able to work as quickly as possible, and having to make a lot of decisions about how to handle a breach will slow them down. You also need to make sure you work productively and prevent choices that help hackers continue to exploit and infiltrate your systems. Pre-determining all of this information, along with regularly testing your CSIRP and doing drills with your team, will give you the best chance of shutting down an attack quickly and without further issues.
Incident prevention is the second part of the preparation phase. Hopefully, this isn’t news to you because you’ve already developed an information security policy to protect the sensitive information your business is being trusted with. However, the NIST still provides some recommendations for avoiding incidents, like regular risk assessments, host security, malware prevention, and more.
All information in your CSIRP should be kept in one place that is accessible to everyone on the incident response team, and it should be regularly updated as employees are added to and removed from the response team and as your business changes.
2. Detection and analysis
The detection and analysis phase in your CSIRP is triggered when an incident has just occurred and your organization needs to determine how to respond to it.
Security incidents can originate from many different sources and it’s not practical, or even possible, to create a plan to respond to every type of security incident possible. The NIST provides a list of some of the more common methods of attack that you can use as a starting point as you determine what steps to take in the event of a security event. You should also consider what vulnerabilities your company has and how likely an attack on one of those vulnerabilities is, and include those in your planning.
Additional resource: Understand the key steps of an IT security risk assessment.
Security incidents can be detected in a few different ways. Signs of an incident are either precursor (detected before an event happens), or indicators (detected during or after an attack). For example, you might notice a high number of failed login attempts and determine a hacker is attempting to guess a working username and password to penetrate your network (a precursor to a security incident). Or, maybe your antivirus software alerts you when one of your employees has clicked on a malware link and it has infected their computer (an indicator that there is a security event already in progress). Ideally, you would be able to detect every attack before it happens, but that isn’t always possible. Planning your response ahead of time is the next best thing.
Once you’ve determined that there is an incident taking place, the NIST has laid out a few ways that you can analyze and validate the incident to make sure you’re triggering the correct incident response. Your CSIRP should give directions for documenting the incident, however big or small, and prioritizing the response to the incident. For example, using the two examples from above, your response to someone trying to log in to a network would be different from an infected computer, and if both were happening at the same time, you would need to prioritize one over the other.
The final step in this phase is notification. Depending on what kind of information was affected, you may also need to notify certain parties such as law enforcement, the FTC, your customers, affected businesses, and others. You need to work with your legal and compliance teams to make sure you understand who needs to be notified and have a plan in place for notifying. If you don’t take the time to include this in your CSIRP, you risk running afoul of the state, federal, or international laws and creating additional issues for your business. CCPA and GDPR both require breach reporting, so you and your compliance team will have to help each other out there. Having an open channel of communication with your compliance team is invaluable in a lot of ways, especially when you are dealing with an incident.
3. Containment, eradication, and recovery
This phase is the heart of your CSIRP. Everything you do in response to an attack will revolve around containing the incident, eradicating the threat, and recovering from the attack.
The NSIT has provided a list of criteria you should consider when deciding on a containment strategy:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g., network connectivity, services provided to external parties)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g., partial containment, full containment)
- Duration of the solution (e.g., an emergency workaround to be removed in four hours, a temporary workaround to be removed in two weeks, permanent solution).
While you are working through this phase, you should also be gathering as much evidence as possible about the attack and preserving it for internal and external use. You can also work towards identifying the attacking host if it is prudent, but that can be time-consuming and even impossible in some scenarios. Your focus should always be on containing the incident as much as possible.
Eradication will involve different steps depending on what type of incident you’re experiencing, but essentially you will be eliminating whatever you need to in order to stop the attack, whether that means deleting malware, disabling breached accounts, closing vulnerabilities in your network, etc.
The FTC provides some steps you can take to secure your operations and eradicate the threat to your data security, including consulting with a data forensics team, securing any physical areas related to the breach, fixing information that’s been improperly posted to your website, talking to the people who discovered the breach, and more. When you’re trying to lock down your security during or after a data breach, you don’t want to wing it. This is the single biggest benefit to having a documented CSIRP: you will have all your bases covered and be much less likely to leave a vulnerability open during a breach.
Once you have eradicated the breach, you can begin the recovery phase. This includes making changes and updates to your security plan, addressing the vulnerability that enabled the security incident, and doing any training on the processes or procedures that employees need to know to prevent a similar event from happening again if that was part of the issue.
Eradication and recovery can take days, weeks, or months depending on the size of the breach. The NIST advocates for a phased approach, with the early phases increasing your overall security as quickly as possible and later phases focused on long-term changes and ongoing work to keep your organization safe.
4. Post-incident activities
After the incident has been stopped, security updates have been made, and your organization is back on track, your organization should take some time to debrief from the incident.
- Reflect on what has happened and talk about how you can identify similar incidents in the future and stop them sooner.
- Assess the severity and damage. It can be difficult to grasp the severity of an incident and the extent of damage it caused. In general, you’ll need to look at the cause of the incident. In cases where there was a successful external attacker or malicious insider, consider the event as more severe and respond according.
- Revisit your CSIRP and ask yourself and your team if there was anything that would have made the plan more effective.
- Begin the notification process. A data breach is a security incident in which sensitive, protected, or confidential data is copied, transmitted, viewed, stolen, or used by an individual unauthorized person. Privacy laws such as GDPR and California’s SB1386 require public notification in the event of such a data breach. Notify affected parties so they can protect themselves from identity theft or other fallout from the disclosure of confidential personal or financial data.
NIST has also provided an in-depth list of questions, metrics, and recommendations for recovering from an incident that will help you guide your team in recovering from a security incident in a meaningful way and learning from it, and not just simply moving on with your work.
How Often Should You Review Your Incident Response Procedure?
You should review your security incident response plan annually at a minimum to ensure your business’ security measures are working as designed and are consistent with industry best practices and the pace of technology changes. However, your incident response procedure needs to evolve when changes happen, including:
- Complying with new applicable regulations, such as the General Data Protection Regulation (GDPR)
- Changes in data privacy and cybersecurity regulations by states
- Adopting new technologies
- Changings in the structure of internal teams involved in security matters
- New types of threats such as public health crisis cause organizations to move toward a distributed workforce
- A data breach at the company
As you conduct a review of your organization’s policies and procedures, it’s essential to ask the following questions:
- Are the procedures hard to follow?
- Have you begun using new technologies or processes that are not yet written into your response procedures?
- Does proper implementation of the policy and procedures require more employee training?
Cybersecurity Incident Response Plan Checklist
Before we wrap up, we wanted to leave you with a CSIRP checklist in 7 steps:
- Conduct an enterprise-wide risk assessment to identify the likelihood vs. severity of risks in key areas. Make sure your risk assessment is current.
- Identify key team members and stakeholders.
- Define security incident types. Your plan should define what counts as an incident and who is in charge of activating that plan.
- Inventory resources and assets.
- Outline the sequence of information flow. Take a look at your assets. What are the steps that need to happen to kick off different processes?
- Prepare a variety of public statements. Make sure you’ve got the appropriate data breach notification letters ready to go in advance to minimize reputational damage from security incidents.
- Prepare an incident event log. Keep track of all steps taken during and after a cybersecurity incident so that you could gauge the efficacy of your response and glean lessons. This account will also support your legal team and law enforcement both during and after threat detection.
Additional resource: Internal Controls and Data Security: How to Develop Controls That Meet Your Needs
The Importance of CSIRP
Data breaches are a scary and costly reality, but if you put in the work of creating an airtight cybersecurity incident response plan before you are in the thick of a security incident, you’ll be more prepared to handle the incident and more likely to come out whole on the other side.
Compliance operations software like Hyperproof provides a secure, central place to keep track of your CSIRP, information security policy, and other evidence files that you’ll need to produce when regulators/auditors come knocking after a security incident.
Hyperproof can also help your organization quickly implement SOC 2, ISO 27001, GDPR, and other security/privacy frameworks, and remove a significant amount of administrative overhead from compliance audits.
See how Hyperproof Supports an Effective Security Posture