Please note that this is a page from a previous version of Continuity Central and is no longer being updated.



How to implement a cyber incident response plan

By Sam Maccherola.

It is a sign of the changing security landscape that it is almost certain that sooner or later your organization will experience a security incident. Cyber criminals are ubiquitous and attacks will continue despite our resolute attempts to stop them – even organizations with the most steadfast defence in place are not immune. The emphasis now needs to be on accepting the risk as fact and responding as quickly and effectively as we possibly can, and thus mitigating the effects of a hack or breach.

The following six steps are intended to guide organizations in properly managing cyber breaches when they occur:

Step #1: Preparation
The more prepared businesses are to act immediately, the better.

  • Perform a proactive ‘sensitive-data audit’: know where sensitive data resides and come up with a data protection strategy. These measures can save countless hours of inventory work that would otherwise have to be done in the heat of the moment after a cyber-attack, and should cover personally identifying information (PII) such as credit-card data, any intellectual property, classified materials and any data under regulatory or compliance control.
  • Process maintenance: to make sure that response teams are always ready and up-to-date, they should understand sensitive data locations, keep systems patched and up-to-date, conduct ongoing vulnerability testing, and continually test and refine the process with regular ‘fire drills’.

Step #2: Detect and Expose
There are two ways to proactively and effectively validate cyber threats: endpoint security analytics and security automation.

  • Endpoint security analytics: leveraging data from all servers and end-user devices, endpoint security analytics can give complete visibility of endpoint activities across the network, in order to detect anomalous behaviour, risk areas, and security threats before damage can spread.
  • Security automation: Integrating network-enabled cyber forensics tools with SIEM systems helps to quickly reveal and validate suspect or mutating software on any endpoint on the network. The cyber forensics tool should be able to work quickly across platforms, as speed is essential to finding and collecting actionable volatile data.

Step #3: Triage
Once a problem has been identified, the next step is to scope the threat to understand the extent of the compromise and its ongoing capabilities. The biggest threats should be dealt with first, followed by determining whether any PII and/or intellectual property has been compromised.

Step #4: Classify and Contain
The focus during this stage should be on the containment of the threat. Typically a forensics team with malware reverse-engineering capabilities will be brought in, as the main goal is to determine how to eradicate the malware from the network. Many incident response teams create a sandbox to observe the malware and understand what it does and how it behaves, which will help in determining the best way to contain it.

As part of the analysis, the forensics team will remotely collect malware and relevant data with network-enabled forensic tools, collect and preserve volatile data as potential evidence, capture the crucial malware and artefacts, determine whether it is polymorphic or metamorphic, discover hash values and registry values and recommend remediation steps.

Step #5: Remediate
Once the malware has been identified, as well as which and how much sensitive data has been breached, it is time to remediate. The incident response team can begin remediating systems by deleting all malicious or unauthorised code. At this time, they should also conduct a post-attack sensitive-data audit of the affected machines to ensure data resides only where it safely belongs in your network.

Once the incident has been remediated, continuous monitoring of the network’s activities will be instrumental in determining whether or not the remediation steps taken were sufficient to successfully return systems to their original, optimal state.

Step #6: Report and Post-Mortem
Here, the incident response team should consult relevant data breach-notification regulations and policies for each of the industries in which the organization operates. Legal, IT, PR, and executive teams should have a breach-notification plan in place and be ready to take the appropriate steps when you present your incident report to them.

The post-mortem report will be vital to all concerned with business reputation, viability, and operations and should be as clear and non-technical as possible. It could include a list of lessons learned from the incident, including what the organization intended or planned to do, what went wrong, and what can be improved upon.

The author: Sam Maccherola is general manager, EMEA & APAC, Guidance Software. www.guidancesoftware.com

Date: 15th November 2013 • Region: World • Type: Article • Topic: ISM
