Cybersecurity

Cybersecurity incident response: Before, during, and after


Incident response planning has become a key requirement for all types of businesses, not just financial firms, as people try to maintain a strong security posture in the face of increasingly sophisticated cyber attacks. Knowing how to achieve this, however, is a detailed exercise in which companies must invest sufficient attention. 

This was the focus of a recent webinar hosted by Eze Castle Integration entitled, “Cybersecurity Incident Response: Before, During and After”, hosted by ECI Certified Business Continuity and Data Privacy Consultants, Matt Donahue and Jeremy Ross. 

An incident response lifecycle approach has four separate parts: i) Preparation, ii) Detection analysis, iii) Containment, eradication, and recovery, and iv) Post-incident activity. 

Such a lifecycle should not be viewed as static. Rather, it is an ever evolving, continuous process. A good incident response methodology emphasises preparation, not only to establish incident response capabilities so that an organisation is ready to respond, but also to prevent incidents to ensure that systems, networks, and applications are actually sufficiently secure.

Preparation: build a CIRT

Many organisations create what is called a computer incident response team, also known as a CIRT; a specialised group to respond to these incidents. At it' core, explained Ross, it is a “cross-functional team of internal and external experts tasked with responding to an incident. Also, they have to facilitate communication among themselves, notify regulatory agencies and implement policies and procedures so that situations are best handled according to best practices.”

The first component of a CIRT should consist of IT staff, such as network administrators, to help with investigations. They will be key to find out who owns and manages the system, who has the furnished skills, and who has administrator access. “Without IT, it would be impossible for your CIRT to actually gain access to the system,” added Ross.

The next component should include corporate communications representatives. This group will have a representative to speak on behalf of the company and deliver the message the company wants to present to customers and business partners.

“Next, we have legal representatives,” explained Ross. “You may have to report an incident to the appropriate regulatory bodies. However, you're going to want to engage legal staff before that to provide guidance on the legality of potential breaches, and the requirements of evidence collection, breach notification etc, especially now with GDPR and Gifford updated regulations around breach disclosure.”

Another component of CIRT should be information security staff. These will be individuals responsible for handling the details of the investigation: looking at the logs, figuring out what happened, and providing a forensic analysis, possibly with the help of external third party specialists.

The last component is to have a direct line to business representatives. Without their input, it would be impossible to figure out how the incident might impact a specific product or product line.

Detection analysis & containment 

Detection analysis work will typically overlap with containment, eradication, and recovery work. The two are fluid elements of a Cybersecurity Incident Response Plan. There is no single path through.

As Matt Donahue explained during the webinar: “Often, you're going to reassess when you try to contain, eradicate, or recover and confirm that it's happening correctly, ensuring that the indicators you have from your detection analysis are consistent, and that the changes you perceive are going to happen.

“If we are talking about ‘boom’ (the moment at which an attack happens and potentially wreaks havoc), a lot of times it's small indicators. Some of these can be internal alerts, some of them can be various types of logs that will show you the data. Eventually, these are like trip wires that will notify you that there is some discrepancy.

“Those are early notifications that one might receive internally. In addition, one might get something from business vendors, even perhaps an email from the FBI saying there is malicious activity.”

In this context, the best practice is to have a core group of people that can take that initial information and evaluate next steps. Donahue said: “You want to have a core group of people that are trained to get the message out and start the process. 

“Before communicating externally, it is critical to communicate internally to ensure that there's a consistent message. Ideally, you want to be proactively communicating so that all parties are made aware of what the situation is, as opposed to letting people use their imagination and make assumptions.”

In respect to containment of a cyber incident, there are various options.

One could quarantine data and systems, segregate them or shut them down entirely. Or, indeed, tolerate it.

This will be based upon one’s knowledge of what that resource is. 

Eradication & recovery

With respect to eradication, firms will need to gather all necessary evidence and remove the potentially harmful files. For example, in a malware attack, you must to clean up file directories, delete the infected ones, and basically clean up everything within the system to prevent the attack from doing further damage.

The last phase would be recovery. 

When someone has different systems or assets, they are going to need to be brought back online, back into a normal operating procedure. Talk about what is acceptable and what isn't, in terms of how quickly to move into a recovery time phase.

Post-activity

The final step in an incident response program is post-activity considerations, once the business has resumed normal activities. 

“Here you might want to look at some external assistance, especially if you are looking to use your insurance to help pay for some of the costs that have been associated with the incident. You might want to make sure everything is documented and do some forensic analysis so that you can show the insurer, ‘We did what we could, this is what the issue was’,” advised Donahue.

The preservation of evidence and proof that the proper steps were taken to contain an incident will be important if the regulators have to be informed. Showing that the Incident Response Plan was adhered to, even if the breach was substantial, will help to mitigate regulatory risk. 

“If people are going to be potentially filing investigation work, it's good to have evidence,” stressed Donahue.

Towards the end of the webinar, Ross ran through a mock phishing attack - one of the more common cyber attacks – by way of an example. 

Say an employee enters credentials into a platform using a link in an email sent from one of their colleagues. The IT team suspects that the link was contained in a spoof email and has instead directed the employee to a different portal. 

How should the incident response team respond to this?

First thing’s first, you're going to want to obviously determine the potential extent of the issue. 

“You're going to want to keep a close eye on the portal and start with resetting the account access and passwords for all permissioned users. 

“The next step would be to run scans and pull logs to determine if there's any further impact. If there are any lateral or horizontal moves being done by the attacker, you want to see them. That's why visibility into your network is key. It is going to really help when you get a small incident that could actually boom into something bigger. 

“So seeing those moves, running those scans and logs when you need them is going to be very critical,” said Ross.

He then advised to make such a phishing attack a learning lesson. Actually making sure employees know how to report suspicious emails to their IT teams sounds obvious, but it is not something people do enough. 

“It's good to report, because by doing so helps to protect others in your firm. If you report a phishing email that you received and IT logs it, it will eliminate the risk of anyone else in the organisation clicking on the link or downloading any images or malware,” advised Ross.

To speak to Eze Castle Integration’s incident response experts, contact us here: https://www.eci.com/contact/ 

 

specialreports
other gfm publications
GFM corporate logo