Planning to Fail Well
Incident response has always been a critical component of an effective Information Security Program, but operating without an effective Incident Response Plan in today’s world is like jumping into the deep end without knowing how to swim. New types of security-related incidents are emerging and at a more frequent pace. Not all incidents can be prevented. Understanding how to effectively manage and transition through the process of incident response will help minimize damage to the organization and its reputation. A Trustwave Global Security Report found that of “the majority of data breach victims surveyed, 81 percent, report they had neither a system nor a managed security service in place to ensure they could self-detect data breaches, relying instead on notification from an external party. This was the case even though self-detected breaches take just 14.5 days to contain from their intrusion date, whereas breaches detected by an external party take an average of 154 days to contain.”
The Two Biggest Incident Response Questions
Attackers patiently wait for the right moment to steal protected information, making it important to know your network. Understanding the difference between a normal day on your network and when an attacker is doing something malicious can be the key to stopping or mitigating the damage. Here are the two biggest questions to ask yourself:
- If someone was in your network, would you know?
- If a bad guy was sending information out the back door of your network, would you be able to tell?
NIST Cybersecurity Framework
The National Institute of Standards and Technology (NIST) has created the Cybersecurity Framework to give organizations a way to assess and improve their cybersecurity posture. The NIST Cybersecurity Framework can also be applied to Incident Response by utilizing the five major components of the Framework - Identify, Protect, Detect, Respond, and Recover – to build a better Incident Response Plan. The process is broken down as follows:
The Identify component stresses the importance of knowing your assets, environment, and exposure. As it relates to Incident Response, you must know what you have and what the threats are in the wild in order to protect your assets and your customer information. You cannot secure something that isn’t accounted for. Considerations for aligning your Incident Response Plan to the NIST Cybersecurity Framework include:
- Since we cannot secure assets without knowing what they are, a comprehensive asset inventory is needed to identify assets, where they are located, and what information those assets store, transmit, and process.
- A qualitative and quantitative IT Risk Assessment is needed to show how the organization is using controls and how controls are applied to known threats to reduce risk.
- Once the IT Risk Assessment is in place, a Risk Mitigation Strategy can be created to outline the levels of risk an organization is willing to accept.
- Threat intelligence is also needed to assist in identifying known vulnerabilities that may lead to an incident.
The Protect component takes the information found in Identify and building controls such as:
- Access Controls are critical at this stage and should be utilized. Examples can include administrative, physical, and technical or logical controls.
- Educating users about threats such as Social Engineering, viruses/malware, and physical security helps to mitigate risk across the board.
- Controls that are being implemented now by the organization to mitigate risk around the threats identified by the risk assessment must be understood.
The Detect component stresses the importance of knowing when something bad is happening. Items to consider for this section include:
- The ability to detect the presence of unauthorized users or devices on your network. Additionally, make sure you understand what is leaving your network to identify anything that shouldn’t be leaving. Understanding what “normal” on the network looks like is critical for being able to detect incidents early in the lifecycle.
- Notification of and blocking data when it is leaving the network through unauthorized channels is also needed.
- A powerful component to understanding your network is a Security Information and Event Management (SIEM). A SIEM logs and monitors everything on your network and presents it in a manner that makes it easy to spot patterns and trends.
The Recover component stresses the importance dealing with the incident efficiently and methodically. Items to consider include:
- Understanding the new concepts like the Cyber Kill Chain, which helps aid recovery by analyzing the different stages of a cyber-attack, which allows you to get out in front of an incident.
- How do you stop the attack? Establishing good communication throughout the institution will help to ensure your plans are followed properly.
- Establishing a relationship with a digital forensic service within proximity to your location before an attack occurs can help reduce cost and provide you with an understanding of what has happened during the attack.
- Reviewing and testing of the Incident Response Plan through tabletop discussions can ensure key employees are aware of their responsibilities during an incident.
The Respond component stresses the importance of planning a successful recovery. Items to consider include:
- Organizations that learn from incidents hold a lessons-learned meeting post-incident to discuss what can be done better, how that type of incident may be avoided in the future, and any action to be taken to prevent the next attack.
- Documentation of events in a consistent manner will also be valuable for later review.
Key Incident Response Takeaways
The NIST Cybersecurity Framework provides a template in creating or improving an organization’s Incident Response plan. Key points include:
- Understanding what you have through a complete Asset Inventory
- Utilizing an IT Risk Assessment in order to measure how controls affect the institution’s overall risk
- Keep up on threats by subscribing to a threat sharing program (US-CERT, FS-ISAC)
- Setting baselines and monitoring to know if someone is inside your network and if they are accessing your institution’s data
- Prevent data from leaving the network without your knowledge
- Knowing how to respond and who to contact when an incident occurs
- Be sure that you’re planning to fail well
Written by: Eric Chase
Senior Information Security Consultant, SBS CyberSecurity
Join our growing community of financial service professionals showing their commitment to strong cybersecurity with a cyber-specific certification through the SBS Institute. Click here to view a full list of certifications.
How SBS Can Help
SBS also offers Emergency Preparedness services to assist in creating or improving your Incident Response Plan, along with Business Continuity, Disaster Recovery, or Pandemic Preparedness.
Hacker Hour webinars are a series of free webinars hosted by SBS CyberSecurity. Unlike paid webinars, Hacker Hours are aimed to meet on a monthly basis to discuss cybersecurity issues and trends in an open format. Attendees are encouraged to join the conversation and get their questions answered. SBS will also offer products and services to help financial institutions with these specific issues.