Most security professionals subscribe to the “assume breach” paradigm. This paradigm acknowledges that an attacker can gain a foothold in your organization, or may already have one. The attack vector could be an unpatched vulnerability, a phishing attack, a malicious insider, or the 24+ billion stolen credentials on the dark web.
Defenders aim to identify and contain these breaches as quickly as possible. The longer it takes to contain a breach, the greater the damages and costs to an organization. According to the 2023 IBM Cost of a Data Breach Report, the global average cost of a data breach was $4.45 million ($4.9 million if the attack was by a malicious insider). Breaches identified and contained within 200 days of the initial breach cost organizations over $1 million less than those that required more than 200 days.
Faster containment is possible when organizations have a formal and tested incident response plan (IR plan). According to the IBM report, organizations with an IR plan and team identified breaches 54 days faster than organizations without plans. Organizations with high IR planning and testing levels reduced breach costs by over 34%.
An IR plan is a documented approach to address and manage cybersecurity incidents or attacks. A well-defined IR plan outlines the roles, responsibilities, and procedures to be followed during an incident, enabling a coordinated and efficient response. It includes identifying, investigating, mitigating, and recovering from security breaches, cyberattacks, or any unauthorized activity that threatens data and systems.
The ISO/IEC Standard 27035 provides a five-step process for effective security incident management. This process includes preparation, detection and reporting, assessment and decision-making, response, and lessons learned. By establishing an incident response plan, defining roles and responsibilities, and implementing security controls, organizations can effectively prepare for handling incidents. A robust security incident management process is essential for reducing recovery costs, potential liabilities, and damage to the organization.
Our recommendations are based on this framework. Let's delve into recommended activities more deeply:
Preparation is the foundation of a robust incident response plan. This step involves establishing a dedicated incident response team, defining roles and responsibilities, and ensuring the availability of necessary resources. It is essential to conduct regular training and drills to keep the team well-prepared. For example, simulating a phishing attack can help identify potential vulnerabilities and improve response capabilities.
Best practices for preparation include documenting the network infrastructure, creating an inventory of critical assets, and establishing communication channels with relevant stakeholders, such as legal, public relations, and law enforcement agencies. Additionally, organizations should establish relationships with external incident response providers to leverage their expertise when needed.
The detection and analysis phase focuses on identifying potential security incidents promptly. This can be achieved by implementing robust monitoring systems, such as intrusion detection systems (IDS) and security information and event management (SIEM) tools. DLP and Insider Threat Management tools like the Reveal platform from Next observe and analyze all actions taken with data to identify and confirm activity that could put sensitive data at risk.
These systems generate alerts based on predefined rules or anomalous behavior, enabling quick identification of potential incidents. Behaviors include careless but non-malicious actions such as attempting to upload sensitive data to unsanctioned web applications or personal email accounts.
Once an alert is triggered, it is crucial to analyze the situation promptly. This involves gathering relevant information, such as log files, network traffic data, and system snapshots. Analyzing this data helps determine the scope and severity of the incident. For instance, if an IDS detects multiple failed login attempts from a specific IP address, it could indicate a brute-force attack.
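The brute-force case above is the kind of alert a SIEM rule produces from authentication logs: many failed logins from one source address inside a short window. The script below is an added illustration, not code from the Reveal platform or from this article; it parses constructed OpenSSH-style log lines (the hostnames, addresses and timestamps are invented) and raises one alert per source IP whose failures reach a threshold within a sliding time window, which is the usual shape of such a detection rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in syslog/OpenSSH format; addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 10 08:00:01 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 50122 ssh2
Jan 10 08:00:03 host1 sshd[2202]: Failed password for root from 203.0.113.45 port 50123 ssh2
Jan 10 08:00:04 host1 sshd[2203]: Failed password for root from 203.0.113.45 port 50124 ssh2
Jan 10 08:00:06 host1 sshd[2204]: Failed password for invalid user test from 203.0.113.45 port 50125 ssh2
Jan 10 08:00:07 host1 sshd[2205]: Failed password for root from 203.0.113.45 port 50126 ssh2
Jan 10 08:00:09 host1 sshd[2206]: Accepted password for alice from 198.51.100.7 port 41000 ssh2
Jan 10 08:05:00 host1 sshd[2207]: Failed password for bob from 198.51.100.7 port 41001 ssh2
Jan 10 08:30:00 host1 sshd[2208]: Failed password for bob from 198.51.100.7 port 41002 ssh2
"""

# Matches both "Failed password for root from ..." and "... for invalid user X from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one log line into a dict, or return None for lines that do not match.
    Syslog timestamps carry no year, so the caller supplies one (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: {first, last, count}} for every source IP whose failed
    logins reach `threshold` inside any `window_seconds` sliding window.
    Only the first crossing per IP is reported, to avoid alert floods."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {"first": q[0], "last": ev["ts"], "count": len(q)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT brute force from {ip}: {info['count']} failures "
              f"between {info['first'].time()} and {info['last'].time()}")
```

On the sample data only 203.0.113.45 trips the default rule (five failures in six seconds), while the two failures from 198.51.100.7 spread over 25 minutes do not; lowering the threshold or widening the window changes that, which is exactly the tuning trade-off between catching slow attacks and drowning analysts in noise.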
Containment involves isolating the affected systems to prevent further damage and removing the incident's root cause. This step requires a deep understanding of the organization's network architecture and system dependencies. It is essential to have predefined procedures for isolating compromised systems, such as disconnecting them from the network or disabling compromised user accounts.
With Reveal, customers can isolate devices from the network to prevent the incident from spreading further, lock out user sessions, take screenshots to gather evidence, display messages, block uploads, and kill processes to protect the organization.
During the eradication process, removing any malware, backdoors, or unauthorized access points is crucial. This may involve restoring systems from clean backups or applying patches to fix vulnerabilities. Documenting all actions taken during this phase for future reference and analysis is essential.
Sophisticated attackers will attempt to maintain a persistent presence on systems. Eradication steps include identifying the incident's root cause and removing the attacker's presence from compromised systems. The solution may require removing malware, applying patches, and wiping and reimaging systems.
After containing the incident and eliminating the threat, the focus shifts to recovering affected systems and restoring normal operations. This involves verifying the integrity of restored systems, ensuring data availability, and conducting thorough testing before reintegrating them into the production environment.
Best practices for recovery include prioritizing critical systems, establishing recovery time objectives (RTOs), and regularly backing up data to minimize downtime.
The recovery phase of a cyber security incident response plan involves thoroughly testing and monitoring affected systems before they are returned to production. This phase ensures that any vulnerabilities or issues resulting from the incident have been addressed and resolved, minimizing the risk of future attacks or disruptions to the system.
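One concrete way to "verify the integrity of restored systems" before returning them to production is to compare the restored host's files against a manifest of hashes taken from the clean backup or gold image. The script below is an added example, not part of this article or of the Reveal product; it builds a SHA-256 manifest from a known-good tree, checks a restored tree against it, and reports files that were modified, are missing, or were not in the image at all (the `demo()` function constructs a small scenario in a temporary directory so it runs offline).

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under `root` (POSIX-style relative path) to its SHA-256.
    Run this against the clean backup or gold image, and store the result
    somewhere the compromised host cannot write to."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Compare the tree under `root` with a known-good manifest.
    Returns three sorted lists; a clean restore yields three empty lists."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario (invented files, not from any real system): a gold
    image with three files, and a restored host where one binary differs, one
    config file never came back, and a stray script was left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        gold = Path(tmp) / "gold"
        (gold / "bin").mkdir(parents=True)
        (gold / "bin" / "app").write_bytes(b"clean binary")
        (gold / "etc").mkdir()
        (gold / "etc" / "app.conf").write_text("mode=prod\n")
        (gold / "etc" / "motd").write_text("authorized use only\n")
        manifest = build_manifest(gold)

        restored = Path(tmp) / "restored"
        (restored / "bin").mkdir(parents=True)
        (restored / "bin" / "app").write_bytes(b"clean binary TAMPERED")
        (restored / "etc").mkdir()
        (restored / "etc" / "app.conf").write_text("mode=prod\n")
        (restored / "tmp").mkdir()
        (restored / "tmp" / "leftover.sh").write_text("#!/bin/sh\n")
        return verify_manifest(restored, manifest)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files or 'none'}")
```

A non-empty `modified` or `unexpected` list is a reason to hold the system back from production and feed the finding into the eradication step; `missing` entries usually point at an incomplete restore. In practice the manifest should be generated from media the attacker could not have touched and signed or stored off-host, since a manifest written on the compromised machine proves nothing.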
It is also essential to communicate with stakeholders, such as customers and employees, to inform them about the progress and expected timelines for complete restoration.
The final step of the incident response plan involves conducting a comprehensive post-incident analysis and documenting lessons learned. The response team needs to investigate and document the incident to understand how it occurred, what data or assets were affected, and the extent of the damage.
This analysis also helps identify gaps in the incident response process and areas for improvement. In this analysis, it is crucial to involve all stakeholders, including the incident response team, IT personnel, and management.
Documentation of the incident response process, including all actions taken, is vital for future reference and compliance. This documentation should include a detailed timeline of events, analysis of the incident's impact, and recommendations for enhancing the incident response plan. Regularly reviewing and updating the incident response plan based on lessons learned is essential to ensure its effectiveness.
Organizations cannot waste time when an incident occurs. A written playbook of policies, processes, and responsibilities is a necessary first step. Once a plan is in place, teams should regularly practice responding to a simulated incident to ensure everyone knows the specific activities required of them. This will include categorizing the attack based on its potential business impact and reporting requirements to senior management and regulatory bodies.
Effective cybersecurity incident response is not solely the responsibility of information security teams. Incident response teams require a coordinated effort across multiple disciplines in an organization, depending on the type of attack. Per the IR Plan, each participant will have specific responsibilities. Here's an example of a cross-functional incident response team.
Law enforcement agencies can also play a crucial role in the post-incident investigation. This collaboration may be necessary, especially in cases where sensitive customer records are exposed or stolen. Law enforcement's involvement ensures that all legal requirements are met and aids in the investigation process.
Incident response plans will vary depending on the affected assets, organizational resources, and regulatory requirements. There are six critical factors to consider.
Reveal provides IT and security teams with the tools to identify, block, and contain incidents. Rather than requiring pre-classification of all sensitive data before protection can begin, Reveal uses machine learning on each endpoint to classify data as it is created and used. This real-time visibility greatly reduces deployment complexity and time to value. Machine learning on the endpoints also allows Reveal to identify individual deviations. Was the keystroke pattern consistent with that user’s typical behavior, or was it more rapid and indicative of credential stuffing? After login, were the individual’s actions typical, or did they launch new software or visit unusual IP addresses? By stacking and correlating these activities as they occur, and against an individual’s baseline, Reveal can establish patterns, analyze behavior, and enforce controls quickly on and off the corporate network without a connection to a cloud-based ML engine, ensuring effective cyber security incident management.
Do you need a way to test your current DLP program? Assess the performance of your Data Loss Prevention (DLP) solution and ensure the accuracy of its policies with our DLP testing tool. Want to see how Reveal can address any issues with your existing DLP? Contact us to demo how Reveal helps with cybersecurity incident management today.