How to Build Your Cybersecurity Incident Response Plan
When a cyberattack strikes, how fast can you respond?
Ransomware attacks are up threefold in 2021. A recent NCC Group report states that the number of ransomware attacks analyzed by its team increased by 288% between January-March 2021 and April-June 2021.
Cybersecurity risk plagues businesses of all sizes and is an evolving threat: attackers use mature tools and strategies to attack businesses daily. With the current state of cybersecurity, and its growing importance to leadership, it is now more essential than ever to have an incident response plan.
Why do you need an incident response plan?
An incident response plan defines the process of detection and the appropriate steps to take in response to a security event to stop and remediate the damage and return to business as soon as possible. The plan must follow the business requirements while also ensuring that the most effective and comprehensive measures are taken to detect, stop and recover from an incident.
A survey by Wakefield Research on behalf of Red Canary, Kroll and VMware shows more than one-third (36%) of the organizations surveyed still do not have a structured incident response plan (IRP) in place.
Minutes matter when businesses encounter cyberattacks, so building an incident response plan can directly affect the impact of a security breach. The resulting effects can range from small inconveniences to major financial and reputational damage and can even lead to bankruptcy.
“If you fail to plan, you are planning to fail” … Benjamin Franklin
Warning Flags of a Cyberattack
You may already have been hacked. Here are some common indicators of cyberattack activity that are easy to overlook if you are not proactively monitoring your systems:
• Sudden large bandwidth usage
• Excessive activity outside of business hours
• Event logs with suspicious event IDs and activity
• Multiple failed logins, or multiple logins with the same privileged account
• Access from unknown or unexpected IP addresses or countries
• Unusual password activity
These are the more common indicators, but many cyberattacks are missed because companies believe that a firewall and antivirus software are all they need to protect themselves from attacks.
The 7 Steps to a Cybersecurity Incident Response Plan:
Step 1 – Identify Critical Assets
The heart of a business is its data and processes. Which assets are critical and essential for business operations, client interaction, financial processes and each department’s data? Which roles and user permission levels are used to access these critical assets?
If a cyberattack allows access to these critical data assets, risk increases and so should the intensity of your incident response. Identifying these assets will help focus your incident response on the most critical assets to minimize the damage of a cyberattack.
Step 2 – Identify Key Roles
It is essential to identify who and which roles will be involved in a cyber incident, and their responsibilities. It is never just the job of the security team; every department in a company may play a role depending on the scope and depth of an attack: senior management, legal, operations, IT and any role involved in public relations. While planning, consider third-party managed detection and response (MDR) services that can help 24/7/365 to manage a security incident, contain it and help the business fully recover.
Primary and secondary modes of emergency communication should also be agreed upon, since the company’s normal communications will most likely be affected and timely communication is essential for containing a breach.
Step 3 – Identify the Threats and Vulnerabilities
To create an effective incident response plan, you must identify the possible threats and vulnerabilities that you face. With the critical assets identified in “Step 1 – Identify Critical Assets”, you can frame your plan around protecting these critical assets from the threats/vulnerabilities identified.
Your understanding of the risk exposures and any security gaps will be essential to building a robust incident response plan.
Definitions:
- A threat is defined as a bad actor or an employee who wishes to steal or damage a company asset.
- A vulnerability is defined as a weakness in a computer or network system, process, or people that can be exploited. Vulnerabilities come in many forms, such as out-of-date or unpatched software, antiquated processes, lack of firmware updates, or physical access to a network or asset.
- A breach is where secured, privately held company information is exposed to unauthorized actors.
A threat can take advantage of a vulnerability to gain access to, steal or damage company assets such as hardware, processes or financial assets, or to cause financial or reputational loss or even compliance issues. You need to identify the types of security incidents you are most likely to be exposed to and the potential impact of these incidents.
Last month’s article, “Best Practices to Prevent Ransomware”, presented proactive steps to prevent not only ransomware but cybersecurity issues in general. The computer and network security of your critical assets must be reviewed to pinpoint which vulnerability gaps need to be remediated.
Step 4 – Credential Management
In many cases, weak authentication and credential management are due to a lack of oversight of the credential lifecycle and policy. This includes user access, password policies, authentication interfaces and controls. Unauthorized access can occur through privilege escalation to sensitive systems and services that in many cases should not be reachable at all.
Privileged accounts, through which applications, systems and networks are accessed and controlled, are the typical places where attackers gain a foothold and then elevate their privilege and access. The use of multi-factor authentication and a stringent password format and lifecycle can reduce the chance of a successful attack.
The use of privileged accounts should be monitored and investigated whenever atypical access is detected. Logins during off hours or a higher than usual number of logins could indicate an attack in progress. Limiting admin privileges to as few administrators as possible reduces the number of accounts that need monitoring.
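As an added illustration (not from the article) of how the warning flags listed earlier and the privileged-account monitoring in this step can be checked mechanically, the following Python script runs simple detection rules over constructed authentication log lines; the log format, network ranges, business hours, account names and thresholds are all assumptions:

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log lines: timestamp, result, account, source IP.
SAMPLE_LOG = """\
2021-09-14T03:12:07 FAIL admin 203.0.113.45
2021-09-14T03:12:19 FAIL admin 203.0.113.45
2021-09-14T03:12:31 FAIL admin 203.0.113.45
2021-09-14T03:13:02 OK admin 203.0.113.45
2021-09-14T09:30:11 OK jsmith 10.0.5.22
2021-09-14T10:02:45 OK admin 10.0.0.8
2021-09-14T22:47:09 OK svc_backup 10.0.0.9
"""

# Assumed policy values: corporate address space, business hours, thresholds.
KNOWN_NETS = [ip_network("10.0.0.0/8")]
BUSINESS_HOURS = range(8, 18)        # 08:00 to 17:59 local time
FAILED_LOGIN_THRESHOLD = 3           # failures per account before flagging
PRIVILEGED = {"admin", "svc_backup"}
PRIVILEGED_LOGIN_BASELINE = 1        # expected successful logins per account per day

def parse(line):
    ts, result, account, ip = line.split()
    return datetime.fromisoformat(ts), result, account, ip_address(ip)

def find_indicators(log_text):
    """Return sorted (indicator, account) pairs that merit investigation."""
    findings = set()
    failures, priv_ok = Counter(), Counter()
    for ts, result, account, ip in map(parse, filter(None, log_text.splitlines())):
        if result == "FAIL":
            failures[account] += 1
            continue
        # Successful logins: check hours, source network and privileged use.
        if ts.hour not in BUSINESS_HOURS:
            findings.add(("off_hours_login", account))
        if not any(ip in net for net in KNOWN_NETS):
            findings.add(("unknown_source_ip", account))
        if account in PRIVILEGED:
            priv_ok[account] += 1
    for account, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.add(("repeated_failed_logins", account))
    for account, n in priv_ok.items():
        if n > PRIVILEGED_LOGIN_BASELINE:
            findings.add(("privileged_login_spike", account))
    return sorted(findings)
```

Each finding is a pointer for a human responder, not a verdict; the thresholds should be tuned to the baseline observed on your own network.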
Step 5 – Visibility and Threat Hunting
Many businesses struggle with a cyberattack simply because they cannot see across their network and systems to know where and what is being attacked. Endpoint and network logs will be needed. Since an attack can span weeks or even months, older logs may be needed and should have been stored offline.
Cyberattacks can occur anytime, day or night, 24/7, 365 days a year, so investing in AI-enabled endpoint detection and response (EDR) solutions will help find and react to threats quickly. This type of endpoint protection can provide the visibility you need to know where the attackers entered and what they are targeting.
Prior to an attack, the IT staff must be sure they have the experience and ability to understand the scope of an attack and identify the entry points, or they may find themselves struggling.
Most businesses invest in a Managed Threat Response (MTR) service that employs endpoint detection and response (EDR) solutions communicating with a Security Operations Center (SOC), where an expert team of incident responders will immediately begin threat hunting, whether the event is an infection, a compromise, or unauthorized access attempting to circumvent your security controls.
The MTR team of threat hunters and response experts will:
• Proactively hunt for and validate potential threats and incidents
• Use all available information to determine the scope and severity of threats
• Apply the appropriate business context for valid threats
• Initiate actions to remotely disrupt, contain, and neutralize threats
• Provide actionable advice for addressing the root causes of recurring incidents
Step 6 – Identify the Responses
Back in “Step 3 – Identify the Threats and Vulnerabilities”, the known threats and security gaps were identified. You can now identify what would trigger a response and which responses can be taken for each of your threat scenarios. Consider any network or investigative tools you may employ to gain visibility and investigative abilities when forming your responses. Note that triggers and responses may vary greatly depending on the depth and scope of an attack.
Incident response scenarios may include some of the following:
- Cyberattack possibly in progress: The incident response team must determine if and how an attacker has gained access and which assets they are accessing. In the last article, “Best Practices to Prevent Ransomware”, we recommended creating a detailed network map and documentation illustrating how business data flows on the network. This will aid in identifying how to isolate and eliminate the intruder and the damage.
- Critical system is breached: When a critical system containing sensitive data or access is breached, essential business systems may have to be brought down or isolated from the company network to cut off the bad actors. This will interrupt business operations, so proper communication to employees and clients will be necessary. Responses may vary depending on which critical system is breached.
- Data breach: If the bad actors succeed in accessing sensitive data, then exactly what was accessed and stolen, and how they got in, must be determined. This will drive the right response to satisfy legal and regulatory requirements, as well as whether client notification is necessary. Responses may vary depending on the type of data breached.
- Ransomware attack: If data or systems are encrypted, the recovery steps should be activated to recover as soon as possible. The method of access and all affected systems and assets must be identified quickly to reduce additional harm and to remove the attacker’s entry point. A ransomware attack may require interaction with law enforcement or insurance carriers; what triggers an interaction with outside organizations will need to be documented.
Types of possible response actions may be:
• Identifying and locking down any privileged accounts used by the attackers
• Locking down the entry points used by the attackers
• Locking down the affected systems
• Blocking any malicious processes or programs
• Cleaning off any files or tools the attackers used to enter and attack
• Reconfiguring affected devices or processes
• Restoring network and system configurations affected by the attack
Your threat scenarios, triggers, responses and the roles involved are typically documented in spreadsheets. Different roles may be involved depending on the severity and impact of an attack.
The goal is to plan out the full sequence of procedures to detect, isolate, eradicate and return to business as soon as possible while satisfying any regulatory, legal or client communications requirements.
Step 7 – Practice, Practice, Practice
Practice makes perfect. Keep practicing the various scenarios periodically to help you close any gaps in the plan and tune the tools employed. Increase training in areas that seem weak to prepare for future incident response plan (IRP) activations. Cyberattacks are inevitable, and how you respond to an attack will be the difference between a quick recovery and a major impact on your business.
Summary
Many businesses are not equipped or staffed to handle a cyber incident. To stop and eradicate a cyberattack takes experience, staff, and time. To ensure you can properly respond, consider working with an outside resource such as a managed detection and response (MDR) provider. MDR providers offer 24/7 threat hunting, investigation, and incident response delivered as a managed service.
Through MDR solutions, businesses gain greater visibility across the entire network, with the advantage of investigation capabilities to quickly aid in incident response.
Our next article will provide a valuable checklist to use for a ransomware attack: Part 3, “Ransomware Response Checklist: What to do if a ransomware attack occurs”.
By Paul Garrison, Founder, Crescent IT Systems