Cybersecurity Incident Management: What You Need to Know

Most security professionals ascribe to the “assume breach” paradigm. This paradigm acknowledges that an attacker can gain a foothold in your organization if not already there. The attack vector could be an unpatched vulnerability, a phishing attack, a malicious insider, or the 24+ billion stolen credentials on the dark web.

Defenders aim to identify and contain these breaches as quickly as possible. The longer it takes to contain a breach, the greater the damages and costs to an organization. According to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach was $4.45 million ($4.9 million if the attack was by a malicious insider). Breaches identified and contained within 200 days of the initial breach cost organizations over $1 million less than those that required more than 200 days.

Faster containment is possible when organizations have a formal and tested incident response plan (IR plan). According to the IBM report, organizations with an IR plan and team identified breaches 54 days faster than organizations without plans. Organizations with high IR planning and testing levels reduced breach costs by over 34%.

The Importance of Planning for Cyber Security Incidents

An IR plan is a documented approach to address and manage cybersecurity incidents or attacks. A well-defined IR plan outlines the roles, responsibilities, and procedures to be followed during an incident, enabling a coordinated and efficient response. It includes identifying, investigating, mitigating, and recovering from security breaches, cyberattacks, or any unauthorized activity that threatens data and systems.

Understanding the Activities of Cyber Security Incident Response

The ISO/IEC Standard 27035 provides a five-step process for effective security incident management. This process includes preparation, detection and reporting, assessment and decision-making, response, and lessons learned. By establishing an incident response plan, defining roles and responsibilities, and implementing security controls, organizations can effectively prepare for handling incidents. A robust security incident management process is essential for reducing recovery costs, potential liabilities, and damage to the organization.

Our recommendations are based on this framework. Let's delve into recommended activities more deeply:

1. Preparation:

Preparation is the foundation of a robust incident response plan. This step involves establishing a dedicated incident response team, defining roles and responsibilities, and ensuring the availability of necessary resources. It is essential to conduct regular training and drills to keep the team well-prepared. For example, simulating a phishing attack can help identify potential vulnerabilities and improve response capabilities.

Best practices for preparation include documenting the network infrastructure, creating an inventory of critical assets, and establishing communication channels with relevant stakeholders, such as legal, public relations, and law enforcement agencies. Additionally, organizations should establish relationships with external incident response providers to leverage their expertise when needed.

2. The Detection and Identification Phase of Cyber Security Incident Management

The detection and analysis phase focuses on identifying potential security incidents promptly. This can be achieved by implementing robust monitoring systems, such as intrusion detection systems (IDS) and security information and event management (SIEM) tools. DLP and Insider Threat Management tools like the Reveal platform from Next observe and analyze all actions taken with data to identify and confirm activity that could put sensitive data at risk.

These systems generate alerts based on predefined rules or anomalous behavior, enabling quick identification of potential incidents. Behaviors include careless but non-malicious actions such as attempting to upload sensitive data to unsanctioned web applications or personal email accounts.

Once an alert is triggered, it is crucial to analyze the situation promptly. This involves gathering relevant information, such as log files, network traffic data, and system snapshots. Analyzing this data helps determine the scope and severity of the incident. For instance, if an IDS detects multiple failed login attempts from a specific IP address, it could indicate a brute-force attack.

3. The Containment Phase of Cyber Security Incident Management

Containment involves isolating the affected systems to prevent further damage and remove the incident's root cause. This step requires a deep understanding of the organization's network architecture and system dependencies. It is essential to have predefined procedures for isolating compromised systems, such as disconnecting them from the network or disabling compromised user accounts.

With Reveal, customers can isolate devices from the network to prevent the incident from spreading further, lockout user sessions, take screenshots to gather evidence, display messages, block uploads, and kill processes to protect the organization.

4. The Eradication Phase of Cyber Security Incident Management

During the eradication process, removing any malware, backdoors, or unauthorized access points is crucial. This may involve restoring systems from clean backups or applying patches to fix vulnerabilities. Documenting all actions taken during this phase for future reference and analysis is essential.

Sophisticated attackers will attempt to maintain a persistent presence on systems. Eradication steps include identifying the incident's root cause and removing the attacker's presence from compromised systems. The solution may require removing malware, applying patches, and wiping and reimaging systems.

5. The Recovery Phase of Cyber Security Incident Management

After containing the incident and eliminating the threat, the focus shifts to recovering affected systems and restoring normal operations. This involves verifying the integrity of restored systems, ensuring data availability, and conducting thorough testing before reintegrating them into the production environment.

Best practices for recovery include prioritizing critical systems, establishing recovery time objectives (RTOs), and regularly backing up data to minimize downtime.

The recovery phase of a cyber security incident response plan involves thoroughly testing and monitoring affected systems before they are returned to production. This phase ensures that any vulnerabilities or issues resulting from the incident have been addressed and resolved, minimizing the risk of future attacks or disruptions to the system.

It is also essential to communicate with stakeholders, such as customers and employees, to inform them about the progress and expected timelines for complete restoration.

6. Lessons Learned from Cyber Security Incident Management

The final step of the incident response plan involves conducting a comprehensive post-incident analysis and documenting lessons learned. The response team needs to investigate and document the incident to understand how it occurred, what data or assets were affected, and the extent of the damage.

This analysis also helps identify gaps in the incident response process and areas for improvement. In this analysis, it is crucial to involve all stakeholders, including the incident response team, IT personnel, and management.

Documentation of the incident response process, including all actions taken, is vital for future reference and compliance. This documentation should include a detailed timeline of events, analysis of the incident's impact, and recommendations for enhancing the incident response plan. Regularly reviewing and updating the incident response plan based on lessons learned is essential to ensure its effectiveness.

Organizations cannot waste time when an incident occurs. A written playbook of policies, processes, and responsibilities is a necessary first step. Once a plan is in place, teams should regularly practice responding to a simulated incident to ensure everyone knows the specific activities required of them. This will include categorizing the attack based on its potential business impact and reporting requirements to senior management and regulatory bodies.

Key Players in Cyber Security Incident Response

Effective cybersecurity incident response is not solely the responsibility of information security teams. Incident response teams require a coordinated effort across multiple disciplines in an organization, depending on the type of attack. Per the IR Plan, each participant will have specific responsibilities. Here's an example of a cross-functional incident response team.

• Security: Security personnel, or those interacting with external security teams, will confirm the attack, collect artifacts, and recommend remediation activities.
• IT: IT staff will work with security to identify affected systems, isolate compromised assets, and implement technical measures to contain the incident.
• Legal: Legal counsel guides the legal aspects of the incident response process, including data breach notification requirements, compliance with data protection laws, and potential liabilities.
• HR: If the breach involves employee information or violations of corporate policies, HR will work with legal and management to manage internal responses.
• Public/Investor Relations: This role handles external communication during the incident response, including statements to customers, partners, media, and regulatory bodies to protect the organization's reputation.
• Senior Management: Organizational leadership must be involved in decision-making and approving necessary resources for the incident response efforts.

Law enforcement agencies can also play a crucial role in the post-incident investigation. This collaboration may be necessary, especially in cases where sensitive customer records are exposed or stolen. Law enforcement's involvement ensures that all legal requirements are met and aids in the investigation process.

Requirements for Cyber Security Incident Response

Incident response plans will vary depending on the affected assets, organizational resources, and regulatory requirements. There are six critical factors to consider.

1. Remember to consider insider risks and threats. Not every insider is a threat, but anyone who handles sensitive data presents a risk. Even if you implicitly trust every employee, partner, and vendor, the availability of stolen credentials can provide criminals with access to your trade secrets, customer data, and financial records. Deploying a platform like Reveal that addresses external and internal threats in a single solution can simplify identifying and isolating threats.
2. Training is your first line of defense. Humans make mistakes. Training users to handle sensitive data safely can minimize preventable errors. Reveal’s incident-based training identifies risky actions and prompts users with targeted training and policy reminders at the moment of risk.
3. Practice makes perfect. Don’t wait until you are breached to test the effectiveness of your incident response plan. Practice your plan regularly to ensure everyone knows their roles and responsibilities. Remember to have backup personnel in case someone is unavailable.
4. Test containment capabilities. Failing to isolate affected systems or devices effectively can spread the incident to other parts of the network, making recovery more challenging. Reveal allows organizations to isolate devices, lock out users, and perform other tasks to contain attacks.
5. Collect data. Data forensics are required for breach investigations. Reveal’s Event Streaming facilitates post-incident analysis and forensic investigations. Security teams can replay and analyze event streams to reconstruct the events leading to a security incident, identify the root cause, and gather evidence for remediation, compliance, or legal purposes.
6. Lessons Learned. After any incident, conduct post-mortem reviews and assessments to identify lessons learned and areas for improvement in incident response processes. Expect that your plan will evolve as your business changes, as threats evolve, among many other factors.

See More with Reveal

Reveal provides IT and security teams with the tools to identify, block, and contain incidents. Rather than requiring pre-classification of all sensitive data before protection can begin, Reveal uses machine learning on each endpoint to classify data as it is created and used. Real-time visibility allows teams to reduce deployment complexity and time to value greatly. Machine learning on the endpoints allows Reveal to identify individual deviations. Was the keystroke pattern consistent with that user’s typical behavior, or was it more rapid and indicative of credential stuffing? After login, were the individual’s actions typical, or did they launch new software or visit unusual IP addresses? By stacking and correlating these activities as they occur – and against an individual’s baseline – Reveal can establish patterns, analyze behavior, and enforce controls quickly on and off the corporate network without a connection to a cloud-based ML engine. Reveal can establish patterns, analyze behavior, and enforce controls quickly on and off the corporate network without a connection to a cloud-based ML engine, ensuring effective cyber security incident management. 

Do you need a way to test your current DLP program? Assess the performance of your Data Loss Prevention (DLP) solution and ensure the accuracy of its policies with our DLP testing tool. Want to see how Reveal can address any issues with your existing DLP? Contact us to demo how Reveal helps with cybersecurity incident management today.