Cyber incident response preparation is often a weak area in many organizations. In this article, Peter Alexander looks at how to develop an effective incident response plan and overviews five steps that should be taken during an incident.
It’s the call that IT teams dread: an employee is reporting that their PC screen is flashing red, with a message telling them that their files are encrypted and that they need to pay a ransom to get them unscrambled. What should they do next?
The actions that the organization takes over the next few minutes, and hours, will be critical in determining just how big – or small – an impact the cyber attack will have. What’s more, a cyber attack does not only negatively impact the company’s physical IT systems: it also causes stress and puts employees under pressure too.
A recent paper from the University of Haifa found that cyber attacks have a strong psychological impact on all staff, increasing their levels of anxiety, stress and panic - which can then lead to mistakes being made, and, in turn, further damage.
So how should organizations go about eliminating these human, panicky and emotional reactions to cyber incidents, and develop a more coordinated, conditioned response?
Training is never in vain
A key example is the rigorous training that airline pilots are given in dealing with unexpected events: they are provided with extensive checklists and procedures that cover virtually every eventuality, from running out of fuel, to engine failure, to structural damage. And those procedures are practiced again and again, both in simulators and in flight conditions, so that in a real-time emergency situation, their response becomes an automatic reflex action. The result is that when an incident happens, the first thing the pilot and co-pilot will do is turn off the warning alarm, so that they can think clearly and start running through the appropriate checklist.
Enterprises need to undertake similar, rigorous, planning to help them respond quickly and accurately to breaches or attacks. They should prepare an incident response (IR) plan, and assemble an IR team that includes all relevant internal stakeholders - such as IT and security specialists, HR and PR teams, plus in some cases, specialist external resources. Also, preparation alone isn’t enough: the execution of the plan needs to be practiced, through realistic training drills.
Five key steps
To help organizations develop faster, more effective responses, here are five key steps that they should follow, whether in a training exercise or in the wake of a genuine incident.
1. Recognize the incident is happening
The critical first step is for staff to take the attack seriously and move swiftly, but without panic. Think of the ideal response to a fire alarm in an office building: everyone should immediately stop what they are doing and make their way to the exits without pausing to gather their possessions or empty their desks. A cyber incident should be granted the same instant attention and focus. As soon as it is identified, all staff need to be alerted, smoothly and efficiently, and given clear, calm instructions as to what to do next, whether that is simply stepping away from their desks, or shutting down their PCs or devices.
2. Gather the resources you need
This means mobilizing the security tools and technology, as well as the trained staff which make up your organization’s security infrastructure and getting them to focus on mitigating the incident. Clearly, not all staff will need to be involved in this stage, so it’s all about pulling together the right experience and expertise – fast. Your incident response plan should set out which personnel need to be involved, and if any external security resources are to be used.
Of course, assembling the combination of tools and talent isn’t cheap. But the investment and time required to build effective defences / defences is dwarfed by the real-world costs of cyber attacks, in terms of remediation of immediate damage and subsequent fallout. with companies on average experiencing two cyber attacks per week which breach their defences, it’s clear that it’s far better to invest in preventing attacks, than to pay the far higher costs for a cure after the fact.
3. Execute your IR plan
This is the active stage, in which you should work through your incident response plan step by step to determine what the nature of the attack is, how it breached your defences, how it can be isolated, and how the damage can be remediated. For organizations that do not have an incident response plan to hand, it may be best to call in external specialist help at this stage.
Too often, organizations stop at stage three. But communication regarding the attack is vital – not only to all your internal stakeholders and employees, but also where necessary to external stakeholders such as partners, customers and investors. This is becoming a regulatory requirement: the upcoming General Data Protection Regulation (GDPR) for example, requires that cyber attacks are communicated externally within 72 hours of a data breach being identified. All stakeholders, both inside and outside your organization, need to understand what has happened and what the implications are for them – in language pitched at their level of technical understanding.
This is a specialist stage, which should be left in the hands of your communications team. The recent revelations about Uber’s 2016 cyberbreach and the subsequent cover-up are a lesson in how not to communicate – and the consequences that might follow.
Once again, this is a truly crucial element of incident response that is too often neglected. Every cyber attack should generate serious lessons for the organization in question. After an attack active steps should be taken to repair the vulnerability, modify and improve the exploited process, retrain any staff that may have made a mistake, and put in place, or update the existing IR plan. Inability to learn from and take steps to improve cyber protection after suffering an attack leaves the organization vulnerable to a similar attack occurring again.
Effective incident response is about training and practice. Developing an incident response plan and keeping it updated involves work and investment – but during a cyber attack, that investment will pay dividends. Whether you decide to handle your incident response internally or draw on external expertise, it’s important to make a plan now, and test it against possible attack scenarios. This will help to eliminate panic during an attack, limit the damage and fall-out from the incident and get your business ‘back to normal’ as fast as possible.
Peter Alexander is CMO, Check Point.