I want to take the opportunity to break down what goes into the preparation for incident response and what it could look like from the perspective of an infosec professional.
Going back to NIST, there are a few things that are considered:
Part of a well-defined IR plan includes creating an IR policy and plan, and deciding what tools will be used for incident handling and reporting. It also needs a defined team structure: who are the players? Who are the lead engineers? Who is in charge of collecting forensic data? What happens during the eradication and recovery phases, and who is in charge of them? Should these functions be assigned to a team or to an individual? Finally, it needs a well-described line of communication between technical teams and between the technical and executive teams (yes, executives need to be involved).
One thing that is also considered as part of the preparation phase is training. This is particularly important and something that takes time and effort, but I'm very glad it is included as part of the framework.
Last but not least, having the ability to invest in protecting systems, networks, and applications should be at the top of the list of priorities. Like everything in life, we prepare for something that we do not want to happen to us. From a business perspective, keeping systems, networks, and applications secure should be part of an incident response plan, or at least accountability should be called out inside the plan, for example who is in charge of each of the pieces mentioned above.
Now, without much preamble (the planning and preparation are extensive), let's take a look at the following breakdown of things to consider.
Cybersecurity IR (Prepare): Develop an incident response plan
A well-defined incident response plan should outline the roles and responsibilities of the IR team, the steps to be taken during an incident, and the tools and resources that will be needed. The plan should be regularly reviewed and tested to ensure that it is up-to-date and effective.
It is also very important to define the team or teams that need to be involved when responding to an IR event. There are several frameworks or structures for handling this:
- Central IR Team: a single team that handles all incidents. This is effective for small companies.
- Distributed IR Teams: multiple teams, each responsible for a part of the organization. This works effectively for larger organizations, for example those spread across multiple geographic locations. Although the teams operate in a distributed fashion, a single channel of communication between them is still required.
- Coordinating IR Team: a team that has no authority over the teams handling an incident, but provides guidance and advice to them.
Cybersecurity IR (Prepare): Train employees
Employees should be trained on basic cyber security principles and best practices, such as how to identify and report suspicious activity, how to create strong passwords, and how to protect company data.
Comprehensive cybersecurity training for companies of any size could have the following elements:
- Security Awareness Training
- Password Security Training
- Phishing Awareness Training
- Social Engineering Training
- Mobile Device Security Training
- Incident Response Training
- Data Protection and Privacy Training
Again, I think it's important to understand that one size does not fit all, and this is also the case for the training provided to and required of employees.
Cybersecurity IR (Prepare): Implement technical controls
Technical controls, such as firewalls, intrusion detection systems, and antivirus software, can help to prevent cyber-attacks and alert the IR team to suspicious activity. These controls should be regularly updated and tested to ensure they are effective.
Some examples of technical controls, recommendations, and best practices:
- Host Security: Harden hosts with standard configurations and patched, up-to-date software.
- Network Security: Secure the perimeter with a Zero Trust approach at the edge, allowing only secure VPN connectivity for remote access.
- Malware Prevention: Deploy software to detect and prevent malware. This software should be installed everywhere: host computers as well as servers such as email servers, application servers, and so on.
Cybersecurity IR (Prepare): Conduct regular risk assessments
Risk assessments help organizations identify and prioritize potential threats and vulnerabilities. By regularly reviewing and updating their risk assessments, organizations can ensure that they are taking the necessary steps to protect against potential attacks.
Some of the items that could be found within a Risk Assessment Document:
- Impact Analysis: It’s important to assess the potential impact of a cybersecurity incident on the organization, including financial, reputational, and legal consequences.
- Likelihood Analysis: An analysis of the likelihood of a cybersecurity incident occurring should be conducted to help prioritize risk mitigation efforts.
- Risk Mitigation: Based on the results of the risk assessment, the organization should develop and implement a risk mitigation plan that includes measures to prevent, detect, and respond to cybersecurity incidents.
Risk assessments are very important and one of the things that you can use to understand how to handle an incident. There are a lot more moving parts and considerations within a Risk Assessment document than the ones considered above.
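The impact analysis, likelihood analysis, and risk mitigation items above can be tied together in a simple risk register. The following is an added example, not something from the original post or from NIST; it assumes a qualitative 1 to 5 scale for likelihood and impact, a risk score equal to their product, and the rule that every risk should carry at least one prevent, one detect, and one respond measure. The register entries are constructed sample data.

```python
"""Qualitative risk register scoring and mitigation gap check.

Added example; the rating scales, thresholds and sample risks are
assumptions for illustration, not part of the post or of NIST guidance.
"""
from dataclasses import dataclass, field

# Every risk should have at least one measure of each kind (assumption).
MEASURE_KINDS = ("prevent", "detect", "respond")


@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe financial/reputational/legal impact)
    mitigations: dict = field(default_factory=dict)  # kind -> list of measures

    def __post_init__(self) -> None:
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be rated 1..5")

    @property
    def score(self) -> int:
        # Assumed scoring rule: likelihood multiplied by impact (1..25).
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Map a 1..25 score to a qualitative rating (thresholds are assumed)."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(risks: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.name))


def mitigation_gaps(risk: Risk) -> list[str]:
    """Measure kinds (prevent/detect/respond) the risk has no entry for."""
    return [kind for kind in MEASURE_KINDS if not risk.mitigations.get(kind)]


def summarize(risks: list[Risk]) -> list[dict]:
    """Prioritized view: name, score, rating and missing mitigation kinds."""
    return [
        {"name": r.name, "score": r.score, "rating": rating(r.score),
         "gaps": mitigation_gaps(r)}
        for r in prioritize(risks)
    ]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Phishing leading to credential theft", likelihood=5, impact=4,
         mitigations={"prevent": ["MFA", "phishing awareness training"],
                      "detect": ["mail gateway alerting"],
                      "respond": ["credential reset playbook"]}),
    Risk("Unpatched internet-facing server", likelihood=3, impact=5,
         mitigations={"prevent": ["patch SLA"],
                      "respond": ["host isolation playbook"]}),
    Risk("Lost unencrypted laptop", likelihood=2, impact=3,
         mitigations={"prevent": ["full disk encryption"]}),
    Risk("Office power outage", likelihood=2, impact=1,
         mitigations={"respond": ["failover to secondary site"]}),
]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REGISTER):
        gaps = ", ".join(row["gaps"]) or "none"
        print(f"{row['rating']:<8} {row['score']:>2}  {row['name']}  (missing: {gaps})")
```

Running it lists the risks from highest to lowest score and flags, for each, which of the prevent/detect/respond measures the mitigation plan still lacks, which is the kind of gap a review of the risk assessment document is meant to surface.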
Cybersecurity IR (Prepare): Establish communication channels
It’s important to have clear and established communication channels in place in the event of a cyber-attack. This may include contact lists for the IR team, as well as procedures for communicating with stakeholders, such as customers and partners.
A quick list with considerations for establishing communications:
- Accessibility: Communication channels should be easily accessible to all members of the incident response team, including remote team members, and should provide a reliable means of communication at all times.
- Security: Communication channels should be secure to prevent unauthorized access to sensitive information. Encryption and authentication mechanisms should be implemented to ensure the confidentiality and integrity of communications.
- Scalability: Communication channels should be scalable to accommodate the needs of the incident response team as the size and complexity of the incident increase.
- Resilience: Communication channels should be resilient to ensure that communications can continue even in the event of network disruptions or other technical issues.
- Clarity: Communication channels should provide clear and concise communication between team members, and avoid jargon or technical language that may be confusing or misinterpreted.
- Coordination: Communication channels should facilitate coordination and collaboration between team members, allowing them to share information and work together effectively to resolve the incident.
- Documentation: Communication channels should allow for the documentation and tracking of incident response activities, including the exchange of information, decisions made, and actions taken.
Cybersecurity IR (Prepare): Test the incident response plan
Regularly testing the incident response plan helps to ensure that the IR team is prepared to respond to an attack. This can involve conducting mock drills or “red team” exercises that simulate a real-world attack scenario.
This is where we put our plan to the test. We do this to make sure all our bases are covered and that the plan actually works. The exercise should include all aspects reviewed previously as part of the Basics of Incident Response. You are looking to evaluate your preparation and to make sure that you have a communication plan. Having systems and operations in place to respond effectively will be crucial when testing the IR plan.
Planning is not a one-time event. It is an ongoing process that requires regular review and adjustment to ensure that goals are being met and that the organization is adapting to changing circumstances.
What to look forward to?
The next post will be a breakdown of things to keep in mind for Detection and Analysis.
About the Author:
Andres Sarmiento, CCIE # 53520
With over 18 years of professional experience, Andres is a specialist in Unified Communications and Collaboration technologies, Enterprise Networks, and Network Security. He has consulted for numerous companies in South Florida, including Financial Institutions, on behalf of Cisco Systems. Andres has played a key role in several high-profile implementations, utilizing Cisco technologies such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security, and Hosted IPT Service Provider infrastructures.