“The more time you spend contemplating what you should have done… you lose valuable time planning what you can and will do.” ― Lil Wayne
I can’t be absolutely sure, but I can assume no one expected Lil Wayne to be part of a cybersecurity related article. While this quote can apply to many aspects of life, I think it has particular resonance when it comes to incident response planning. Businesses are becoming increasingly reliant on data to succeed, and their dependence on computers is growing with it. Despite this, few business owners realize just how much responsibility they have for protecting the data that drives their business. Protecting data from unauthorized exfiltration (i.e. theft) is just as important as protecting the business’ ability to use the data it possesses (i.e. availability). While creating, practicing, and implementing an incident response plan is no guarantee a business will not suffer some loss due to a cyber incident, it can provide much needed guidance in the face of such adversity. Better to plan for what you can and will do than to contemplate what should have been done after the business has suffered insurmountable losses due to a cybersecurity incident.
What is a cyber incident?
Before we can get into what an incident response plan is, we should first define the word incident in the context of cybersecurity. Many industries use the terms incident and event interchangeably. According to the National Institute of Standards and Technology (NIST), a cybersecurity event is “any observable occurrence in a network or system.” Any time someone (legitimately or nefariously) logs on to a computer on your business’ network, or some kind of traffic passes through the business network (again, legitimate or otherwise), that is an event. Clearly, we do not want to activate an action plan every time your employees log in to their work computers.
In contrast, an incident is defined as, “A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.” Policies and practices are front and center of the NIST definition of an incident. This goes to the foundational function every cybersecurity program should address that we talked about in last week’s Qubit (5 Functions Every Healthcare Cybersecurity Program Must Have): Identify. If your cybersecurity program has not yet identified computer security policies, acceptable use policies, or standard security practices, how can you determine whether there has been a violation or imminent threat of violation of them?
What is an incident response plan?
This is a good segue into what an incident response plan is and where it fits into those 5 functions mentioned above. As in life, there are many aspects of cybersecurity that do not fit in a tidy little box (despite what vendors may have you believe). NIST defines an incident response plan as, “the documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization’s information systems(s).” An incident response plan has its origin in the Identify function (knowing what you are responding to) and gets implemented somewhere between the Detect and Protect functions. In the definition of an incident response plan we see a shift from a violation or imminent threat of violation of your company’s cybersecurity policies and practices to malicious cyber attacks. We will treat the two concepts interchangeably. What the definition fails to impart is the fact that once that violation or threat of violation has been identified, the incident response plan should be activated and will remain in effect through the Protect, Respond, and Recover functions of your cybersecurity program. The incident response plan is based in, and is implemented across, multiple functions of a cybersecurity program. An additional limitation of the NIST definition is its choice of the words “predetermined set of instructions or procedures.” The cybersecurity industry is shifting towards a playbook mentality instead of predetermined instructions. While a predetermined set of instructions implies a rigid response to an incident, a playbook implies an adaptable set of actions to be taken in the face of a fluid situation.
As an example, in football the members of the defense and offense are represented by X’s and O’s with assumed movements on paper. However, when it comes to game time the defense may not act in the assumed fashion, or a member of the offense may see an opportunity that was not accounted for when the play was drawn up. Changes can be made on the fly while still adhering to the basic tenets of the original intended play. The same holds true for a cyber incident response plan that takes a playbook approach. A malicious cyber attacker can exploit an unknown attack vector that was not accounted for in the incident response plan, but the actions and reactions are close enough to the plan’s original intent that a cybersecurity team can adapt and overcome these unforeseen challenges.
What should be covered in an incident response plan?
In its simplest form an incident response plan can be broken down into 4 phases.
1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity
We won’t delve too deeply into each of the phases, as some of them have been covered already and some are beyond the scope of this brief introduction.
1. Preparation
As mentioned earlier, this phase includes creating, implementing, and training on cybersecurity policies and procedures. The preparation phase also includes the creation of an incident response team and the determination and documentation of each team member’s role during an incident response. Finally, identifying the business assets that should be covered by the incident response plan, based on business operational needs and risk appetite, is integral to the preparation phase.
2. Detection and Analysis
An incident response plan cannot be activated without input from the detection and analysis phase. Without this information it would be impossible to determine whether there was even an incident to respond to. The incident response plan should clearly delineate what factors will determine that a cyber incident has occurred, so that the plan can be activated.
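The event-versus-incident distinction above, and the activation criteria this phase is supposed to supply, are easier to see when written down as rules run over logs. The following is an added illustration for this Qubit, not code from the original article or from NIST: the log format, the sample events, and the policy thresholds (business hours, trusted network prefix, failed-login threshold, removable-media rule) are all constructed assumptions. Every line in the sample is an event; only those that violate one of the written policies are reported as incidents, which is the point of the NIST definition.

```python
"""Triage constructed events against written policy to decide which are incidents.

Added example for this article; the format, thresholds and events are assumed.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample events (not real log data). The garbled last line stands in
# for the broken records every real log contains.
SAMPLE_EVENTS = """\
2024-03-04T08:55:12Z action=login result=success user=alice src=10.0.1.20 host=ws-01
2024-03-04T09:01:44Z action=login result=failure user=bob src=10.0.1.31 host=ws-02
2024-03-04T09:01:50Z action=login result=failure user=bob src=10.0.1.31 host=ws-02
2024-03-04T09:01:57Z action=login result=success user=bob src=10.0.1.31 host=ws-02
2024-03-04T23:40:03Z action=login result=success user=carol src=203.0.113.9 host=fileserver
2024-03-04T09:12:00Z action=login result=failure user=admin src=198.51.100.7 host=vpn
2024-03-04T09:12:04Z action=login result=failure user=admin src=198.51.100.7 host=vpn
2024-03-04T09:12:09Z action=login result=failure user=admin src=198.51.100.7 host=vpn
2024-03-04T09:12:13Z action=login result=failure user=admin src=198.51.100.7 host=vpn
2024-03-04T09:12:18Z action=login result=failure user=admin src=198.51.100.7 host=vpn
2024-03-04T10:20:31Z action=usb_mount user=dave src=10.0.1.44 host=ws-04 device=removable
garbled record with no timestamp
"""

# Assumed policies (illustrative). Without something like this written down
# there is no basis for calling any event a "violation".
POLICY = {
    "business_hours": (time(7, 0), time(19, 0)),   # acceptable-use policy
    "trusted_networks": ("10.0.",),                 # prefix match on source address
    "max_failed_logins": 5,                         # per (user, source) in the sample
    "removable_media_allowed": False,               # standard security practice
}


def parse_event(line):
    """Parse 'TIMESTAMP key=value ...' into a dict; return None for unusable lines."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for kv in parts[1:]:
        if "=" in kv:
            key, value = kv.split("=", 1)
            event[key] = value
    return event


def find_incidents(log_text, policy=POLICY):
    """Return (number_of_events, incidents).

    incidents is a list of (policy_name, event) pairs in log order. Every parsed
    line counts as an event; only policy violations become incidents.
    """
    events = [e for e in (parse_event(l) for l in log_text.splitlines()) if e]
    incidents = []
    failures = defaultdict(int)
    start, end = policy["business_hours"]
    for e in events:
        action = e.get("action")
        src = e.get("src", "")
        trusted = src.startswith(policy["trusted_networks"])
        if action == "login" and e.get("result") == "success":
            # Successful interactive login after hours from outside trusted networks
            if not (start <= e["ts"].time() <= end) and not trusted:
                incidents.append(("after_hours_untrusted_login", e))
        elif action == "login" and e.get("result") == "failure":
            # Repeated failures are the "imminent threat of violation" case;
            # report once, when the threshold is reached, not on every failure
            key = (e.get("user"), src)
            failures[key] += 1
            if failures[key] == policy["max_failed_logins"]:
                incidents.append(("brute_force_threshold", e))
        elif action == "usb_mount" and not policy["removable_media_allowed"]:
            incidents.append(("removable_media_policy", e))
    return len(events), incidents


if __name__ == "__main__":
    count, found = find_incidents(SAMPLE_EVENTS)
    print(f"{count} events, {len(found)} incidents")
    for name, event in found:
        print(f"  {name}: user={event.get('user')} src={event.get('src')} at {event['ts']}")
```

Run as-is, the script reports 11 events and 3 incidents: carol’s after-hours login from an untrusted address, the fifth failed login against the admin account, and the removable-media mount. Alice’s login and Bob’s two failures followed by a success are events but not incidents, because no written policy was violated. Changing the thresholds in POLICY changes which events become incidents, which is exactly why the policies have to exist before detection can mean anything.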
3. Containment, eradication, and recovery
This one is a bit of a cheat because it covers so many actions. In this phase of the incident response plan a cyber incident has been confirmed and the plan is activated. The incident response plan should provide guidance on how to contain the malicious cyber attack so that it does not spread throughout the business. Following containment, a methodology for eradication should be documented in the incident response plan and, importantly, a way of determining whether the affected systems have been cleaned and can be returned to operational status so the business can continue.
4. Post-Incident Activity
The “final” phase of the incident response plan is post-incident activity. This should include an after-action reporting guide detailing what actions were taken, along with lessons learned. I know I make a habit of typing final in quotes and that is intentional.
Cybersecurity is cyclical. There will never be a point where a business has reached the final level of cybersecurity preparedness and can leave well enough alone. Once we reach the final step in the incident response plan, we cannot afford the luxury of filing it away in a drawer and hoping that we will never need to use it. Businesses need to continually evaluate all aspects of their incident response plan. Have new systems been brought online that were not accounted for originally? Have people on the incident response team left their roles or even the company? Answering these questions periodically, instead of in the heat of the moment (in the middle of a malicious cyber attack, when you realize half your incident response team is no longer with the company), will ensure better outcomes when an incident occurs.
This is by no means a comprehensive introduction to incident response planning. Rather, this should give you some insight into the important role incident response planning can play in making sure your business can survive and overcome a malicious cyber attack. I started this Qubit with a quote from Lil Wayne and I will close it out with a quote from another great wordsmith from a different era. Benjamin Franklin said, “by failing to prepare, you are preparing to fail.”
Quantum Vigilance is here to help you figure out what you can do to better protect your business and your employees. We can provide guidance to help determine which cybersecurity risks you are exposed to and how to mitigate those risks. More importantly, we will provide guidance you will understand.