Cyber Incident Response Management US Jul 21
A beginner’s guide
Introduction

For today’s organizations, which rely heavily on technology and the Internet to do business, cyber attacks are a very real threat. Worse, the cyber threat landscape is complex and constantly changing. For every vulnerability fixed, another pops up, ripe for exploitation.

Virtually every organization holds valuable information, often in huge quantities, so everyone is a target. It should therefore not come as a surprise that, according to a 2020 Mandiant report, 53% of attacks successfully infiltrate without detection.[1] Those attacks may include simple phishing emails, but even the most basic attack, if executed successfully, can wreak havoc if you are not prepared. Just look at Colonial Pipeline: It only took one compromised password to shut down the largest US fuel pipeline.[2]

What exactly is a cyber incident?

NIST defines a ‘cyber incident’ as follows:[3]

Actions taken through the use of an information system or network that result in an actual or potentially adverse effect on an information system, network, and/or the information residing therein

Broadly speaking, this translates to four types of incident:

For the purposes of your incident response plan, you may want to come up with your own definition for a ‘cyber incident’ that better suits your organization and business goals, but the NIST definition should provide a good starting point.

Related terms

The term ‘cyber incident’ is often used interchangeably with the term ‘data breach,’ which is actually a subset of a cyber incident. In a data breach, the confidentiality, integrity, and/or availability of data has been compromised.[4] Where the data in question identifies or can identify a specific natural person, this is referred to as a ‘personal information breach.’

The term ‘cyber incident’ is also frequently confused with a ‘cyber event,’ which is in fact a superset of an incident. A cyber event is any observable occurrence on a computer that might be recorded in an event log. Many of these are completely ordinary, everyday activities, like receiving a file or logging in to a user account.

However, it is important to know what ‘normal’ looks like, so you can put a system in place that alerts you to ‘cybersecurity events’ – anomalies that may signify a cyber incident or security breach (e.g. a login from an unexpected geographical area, or a large quantity of data leaving your systems). Clearly, without having a way of identifying potentially suspicious activities, it will be difficult to find out whether you have suffered an incident, making it harder – if not outright impossible – to initiate an effective response.
The consequences of an incident

Experiencing a cyber incident or data breach is more likely than you might think. Earlier, we saw that 53% of attacks successfully infiltrated without detection during 2019. However, since those statistics only account for incidents that have actually been identified (and before the COVID-19 pandemic, it took companies an average of 207 days to identify a breach[5]), it is probable that the true number is considerably higher.

When your organization is breached, the consequences are typically threefold: financial, operational, and reputational. However, the latter two clearly contribute to the cost of an incident. A 2020 report found that globally the average cost of a breach amounted to $3.86 million.[6] Nearly 40% of the total cost comes from lost business opportunities, which can be caused by anything ranging from server downtime to staff having to remediate the effects of the breach, rather than get on with their usual tasks.

The reputational impact – and, by extension, the financial impact – will vary depending on a number of factors, including but not limited to the following:

• Whether you attempted to cover up the incident or were transparent about the fact it happened, and what steps you were taking to mitigate its effects and prevent recurrence.
• The number of records breached and/or duration of service unavailability.
• How preventable the incident was (did a skilled hacker penetrate your systems, or did you fail to patch known vulnerabilities?).
• How long it took you to discover the incident.
• Whether you discovered the incident yourself (this did not happen for 38% of breached North American organizations in 2019[7]).
• The level of regulatory action (if any). This could be in the form of fines or class action lawsuits.
• Whether you have suffered an incident before (which is made worse if the previous incident was relatively recently in the news).

Several of these factors can be mitigated if you have effective measures in place, including for incident detection and response.

Case study 1: WannaCry

In May 2017, more than 200,000 computers across 150 countries were infected with the ransomware worm ‘WannaCry,’[8] including FedEx in the US, French Renault plants, the Russian Ministry of Internal Affairs, Taiwan Semiconductor Manufacturing Company, and many more. Among the most affected organizations, however, was the UK’s National Health Service (NHS), with up to 70,000 devices affected in at least 80 (out of 236) NHS units.[9] As a result, more than 19,000 operations were cancelled, and the overall attack cost the NHS an estimated £92 million (about $127 million).

As the NHS was so heavily affected, and the incident so well covered (including by a government investigation with a publicly available report), we can learn a lot from the organization’s experiences. As such, this case study focuses on the NHS.

One big reason the NHS was heavily impacted was that about 5% of its IT estate still used Windows XP, which Microsoft had stopped supporting in April 2014. (Best practice dictates that unsupported firmware, hardware, or software must be removed or replaced.) However, the use of an out-of-date operating system was only part of the reason the NHS was so badly affected by WannaCry. There was also a lack of effective incident response procedures.

While the NHS had an incident response plan, it had not been tested at a local level, so individual units were not sure about what actions to take, resulting in inconsistent responses such as the incident being reported to different bodies.[10] At a national level, NHS England had not practiced responding to a major cyber attack (as opposed to incidents confined to a particular geographical area), so spent more time than strictly necessary analyzing the problem before it could coordinate any kind of effective response. In such a situation, every minute counts – not just because the self-replicating worm is rapidly spreading, but also because a continued disruption in providing health care can cost lives.

The UK government conducted an independent investigation, and was transparent about the lessons learned and its plans to make the NHS more cyber secure. One of the most notable actions was introducing a new security standard that all organizations that access NHS patient data and systems must show they meet by submitting an annual assessment.

As part of Hydro’s remediation actions, it reviewed and cleaned all its computers and servers, and safely restored them, using backups, in line with appropriate guidelines. Note that such a restoration can only be done if you have the foresight to run backups at an appropriate frequency – a point we will come back to later in this paper.

Hydro also reorganized its security team to better detect and respond to future attacks – a clear sign of incorporating lessons learned. Finally, the company noted that it has “robust” cyber insurance in place – something that is not possible without assurances to the insurer that the policyholder has put adequate security measures in place.

However, that is not all that should be commended about Hydro’s response. The company was able to rely on a fallback – “work-intensive workarounds and manual procedures” – to keep certain business areas “close to normal despite the attack.”[13] It was hardly ideal, but it worked, particularly as a temporary measure. Importantly, Hydro gave itself an alternative to paying the ransom.

IT GOVERNANCE USA GREEN PAPER | JULY 2021 4
Mitigating the risks

At the end of the day, the best cure is prevention. Preventing incidents from happening in the first place is the only guaranteed way of avoiding the damage and costs associated with them altogether.

Achieving this is easier said than done, however. If a skilled attacker is determined to find a way into your systems, given enough time, effort, and resources, sooner or later they will probably succeed. That said, the vast majority of cyber attacks are launched by unskilled attackers, attempting to exploit publicly known vulnerabilities by using automated software created by more skilled criminal hackers.

The vulnerabilities they try to exploit are often relatively straightforward to fix with basic technical controls such as anti-malware software and patching. However, failure to implement them can have dramatic consequences – the WannaCry attack and its international repercussions is but one example.

Many other incidents are accidental, which are, by their very nature, avoidable. Often, they are caused by carelessness or ignorance, like sending data to the wrong recipient or falling for a phishing email. In both scenarios, the cause of the breach – human error – can be addressed effectively with staff awareness training.

Of course, there is much more to prevention than this. For more detailed information, take a look at our Cybersecurity and Business Resilience – Thinking strategically paper.

However, on the basis that sooner or later a determined attacker will break through your preventive measures despite your best efforts, you should take action now to ensure you can respond swiftly if and when you suffer an incident, enabling you to minimize the damage. Those preparatory measures should come in two main forms: detection and response.

Detective measures are designed to alert you to anomalies that may signify an incident – after all, you cannot react to an incident if you are not aware of it – while responsive measures aim to mitigate the damage and get you back to business as usual as quickly as possible. Together with your preventive measures, you can create a multi-layered defense system that will enable you to mitigate the risks effectively.
Incident response plan

A crucial part of cyber incident response management is having an incident response plan, which should at least include:

• Roles, responsibilities, and dependencies
• Senior management support and ownership
• What your organization considers a cyber incident
• Classifications for different severity levels
• Escalation procedures, including a reporting process
• Authorization for shutting down business-critical activities
• Compliance and reporting requirements
• References to step-by-step instructions for playbook scenarios – since it is impossible to cover every type of incident in the plan itself, it should be supported by different playbooks that detail the actions to take for specific incident types, which the plan links or refers to

While incident response plans are not uncommon, it is important to ensure they account for cyber incidents as well as physical ones; otherwise, you will struggle to deal with the characteristics that are unique to cyber incidents, like not being geographically bound. As the NHS in the UK experienced with the WannaCry attack, that characteristic, particularly if you are unprepared for it, can make it difficult to identify the cause or assess the incident’s full impact.

Having said that, be aware that cyber incident response management is not just an IT function. Like any type of incident management, it is a business function that impacts – and should therefore involve – a wide range of stakeholders, from both internal departments and external bodies.

Another vital point is to test your plans on a regular basis – we recommend testing them at least annually and after any significant changes. Testing does not just highlight any flaws and give you the opportunity to fix them (or confirm that your plans work), but will also familiarize staff with the plan and train them to respond as efficiently as possible. This will avoid situations like WannaCry, when local NHS units were unsure of the correct procedure due to a lack of exercise, so initially reported the incident to different bodies, which delayed the start of an appropriate and coordinated response.

More to the point, panicking when first becoming aware of a (possible) incident is a very human response, and may lead to the wrong decisions being made. The only way to combat that risk is by training staff, so they know what to do, even when under pressure.
Incident response process

Some incident response plans also include a high-level incident response process (such as Figure 1 below, but you can, of course, draw on any recognized framework like NIST SP 800-61 or ISO 27035). This can help create step-by-step playbooks for incidents particularly likely to occur, or that would be especially stressful and complex to handle. A high-level process can also help in situations not covered by any playbook scenario.

Figure 1: A typical high-level incident response process (stages shown: Detect, Triage, Escalate (if applicable), Assess, Report, Remediate, Recover, Review; outcomes shown: False alarm, Resolved)

Note that you do not need to have the necessary expertise internally to complete each step. In fact, it is often more cost-effective to seek external help, not to mention that it can also give you access to more experienced practitioners. Nonetheless, it is important you know how to identify an incident and have a broad understanding of the different stages in the response process, if only so you know when to call for what help.

Whether you rely on internal resources or external expertise, be sure to document the actions you take as you go through the steps of your response (when your plan has been triggered). This will help you complete any necessary reports (e.g. to the police or your insurers), as well as provide a useful resource when you review your actions and plans, and incorporate improvements based on your experiences.

The following sections will go through each of the stages in Figure 1. You may not want to adopt all of these and/or add some not covered here, depending on your organization’s approach to incident response.

Detect

Unless you know that an incident has happened (or may have happened), you will not be able to respond effectively, if at all. How you detect an incident will vary depending on the nature of that incident – a stolen or lost laptop is quickest to discover via a staff report, for instance, while cyber attacks will likely require some form of security monitoring. Where an anomaly is detected (multiple failed login attempts to a user account, for example), an alarm is raised for someone to manually investigate.

As mentioned previously, it is only possible for an anomaly to be detected if you know what ‘out of the ordinary’ looks like. Equally, staff will only report an incident if they know what constitutes one and are trained to report it to the appropriate person or team.
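As an added illustration of the Detect stage (example code written for this edit, not from the paper or from IT Governance USA), the script below first learns what ‘normal’ looks like from past logins and then raises the two alarms the paper names, a burst of failed logins on one account and a login from a geographical area never seen for that user, over a few constructed log lines. The log format, user names, countries and thresholds are all assumptions; a real deployment would read its SIEM or authentication logs instead.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication logs (not from any real system).
# One event per line: <ISO timestamp> <username> <source country> <success|failure>
HISTORY_LOG = """\
2021-06-28T08:02:10Z alice US success
2021-06-29T08:07:02Z bob US success
2021-06-30T17:40:19Z bob CA success
"""
TODAY_LOG = """\
2021-07-05T08:01:12Z alice US success
2021-07-05T08:03:40Z bob US success
2021-07-05T09:15:22Z bob US failure
2021-07-05T09:15:31Z bob US failure
2021-07-05T09:15:45Z bob US failure
2021-07-05T09:15:58Z bob US failure
2021-07-05T09:16:07Z bob US failure
2021-07-05T09:16:20Z bob US success
2021-07-05T11:42:03Z alice RO success
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<country>[A-Z]{2}) (?P<outcome>success|failure)$"
)

def parse(log_text):
    """Turn raw log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                "user": m["user"], "country": m["country"], "outcome": m["outcome"],
            })
    return events

def build_baseline(history):
    """What 'normal' looks like: the countries each user has logged in from before."""
    baseline = defaultdict(set)
    for ev in history:
        if ev["outcome"] == "success":
            baseline[ev["user"]].add(ev["country"])
    return baseline

def detect(events, baseline, threshold=5, window=timedelta(minutes=5)):
    """Return (alert_type, user, timestamp) for each anomaly worth a manual look."""
    alerts = []
    failures = defaultdict(deque)  # per-user timestamps of recent failed logins
    in_burst = set()               # users already alerted for the current burst
    for ev in events:
        user, ts = ev["user"], ev["ts"]
        if ev["outcome"] == "failure":
            q = failures[user]
            q.append(ts)
            while ts - q[0] > window:  # keep only failures inside the sliding window
                q.popleft()
            if len(q) >= threshold and user not in in_burst:
                alerts.append(("failed_login_burst", user, ts))
                in_burst.add(user)
            continue
        if user in in_burst:  # a success right after a burst: the guessing may have worked
            alerts.append(("success_after_burst", user, ts))
            in_burst.discard(user)
            failures[user].clear()
        if ev["country"] not in baseline.get(user, set()):  # never seen for this user
            alerts.append(("unexpected_country", user, ts))
    return alerts

def run_demo():
    """Learn the baseline from past logins, then check today's logins against it."""
    return detect(parse(TODAY_LOG), build_baseline(parse(HISTORY_LOG)))

if __name__ == "__main__":
    for kind, user, ts in run_demo():
        print(f"{ts.isoformat()}Z ALERT {kind} user={user}")
```

Each alert is only a prompt for the manual triage the paper describes next; the threshold and window are tuning knobs, and raising the threshold makes the five failures above fall below the alarm line.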
Triage

Triage, which normally involves a manual follow-up to a cybersecurity event, needs to occur as quickly as possible after the initial report. This process must establish whether you are dealing with a false alarm or a cyber incident and, if the latter, how to escalate it. It is important you document the process, showing how you reached your conclusions and providing information you may need later.

Assess

If it appears to be an actual incident, you need to assess the situation to determine what further steps you must take. What type of incident are you dealing with? What systems and/or data have been affected? Understanding the nature of the incident will help direct your remediation activities – for instance, if you are dealing with ransomware, affected devices will need to be cleaned of malware and restored using backups.

Depending on the nature of the incident, you may also need to act quickly to contain the damage (for instance, if you are aware of an attacker moving through your systems, you could force logout). Note the importance of planning ahead here: You cannot force a logout, or complete various other containment actions, if you have not enabled that feature in advance.

Where data has been breached, you also have legal reporting obligations to meet. Within days or even hours of becoming aware of the data breach, you must establish what data has been compromised, how sensitive it is, how many people are affected, whether the data was encrypted, and other information that will determine the impact of the breach. In turn, this will determine whether the breach is reportable.

Report

Where applicable, you need to report the incident to relevant stakeholders, such as the FBI, regulators, insurers, partners, and customers. The FBI encourages victims to report Internet-enabled crime for investigative and intelligence purposes.[14] It also points out that rapid reporting may help you recover lost funds. Where you have regulatory reporting requirements, you must submit separate reports to the relevant authorities.

Depending on the level of risk posed to affected individuals, you may also be required to notify them directly. Supervisory authorities typically also encourage you to offer advice about steps people can take to mitigate the risks they may face. This can include, for example, a warning to be wary of phishing emails that fraudulently claim to represent your organization, and a recommendation to change their passwords as soon as possible.

If the breach is significant enough that you need to inform affected individuals (whether they are partners, customers, or otherwise), you may also have to issue a public statement and/or provide comment to the press.
Remediate

Now that you understand what you are dealing with, it is time to remediate the situation and repair the damage. If you are dealing with malware, for example, you need to eliminate every trace of it, and likely harden and patch your systems before recovering them.

Recover

Recovery is all about getting back to business as usual. At this stage, any trace of malware or other cyber threats should be eradicated, meaning that systems and backups can be safely restored (although it is sensible to test impacted systems before connecting and using them as normal again). It is also a good idea to let users know that everything is up and running again.

However you implement lessons learned, make sure you do review your actions. There is no better way to improve, and gradually become a more secure and resilient organization with time.

Download our free business continuity paper
Conclusion
Remember: Suffering a cyber incident is a matter of when, not if, but an effective
response can significantly reduce the impact. Achieving this requires you to think
ahead and put appropriate detective measures in place – after all, you cannot respond
to an incident if you do not know that one has happened.
Moreover, much like you cannot put a fire out if you do not have fire extinguishers or
sprinklers ready, an effective cyber incident response is out of the question if you are
not prepared with the right responsive measures. So, regularly back up your data, set
up remote wipe features, prepare any other necessary technical measures and
processes, and, above all, make sure staff know what is expected of them.
Cyber Security Complete E-Learning Suite
Ensure staff can spot and respond to cybersecurity and privacy risks. Access all four of our cybersecurity staff awareness e-learning courses and a game to train employees on best-practice approaches.

Incident Response Management Foundation Training Course
Learn how to effectively manage and respond to disruptions and take appropriate steps to limit the damage to your business, reputation, and brand.

Certified Cybersecurity Foundation Self-Paced Online Training Course
Perfect for those looking to start their career in cybersecurity, this course covers all aspects of cybersecurity at a foundation level. Learn in your own time, at your own pace.

Business Continuity Management Lead Implementer Self-Paced Online Training Course
Learn how to implement an effective business continuity management system (BCMS) that prepares your organization for any disruption. Learn in your own time, at your own pace.

Cybersecurity and Business Resilience – Thinking strategically
Business Continuity and ISO 22301 – Preparing for disruption
IT Governance USA is your one-stop shop for cybersecurity and IT governance, risk management, and compliance (GRC) information, books, tools, training, and consultancy.

Our products and services are designed to work harmoniously together so you can benefit from them individually or use different elements to build something bigger and better.

Training
We offer training courses from staff awareness and foundation courses, through to advanced programs for IT practitioners and certified lead implementers and auditors.
Our training team organizes and runs Live Online and self-paced online training courses all year round, as well as in-house training courses, covering a growing number of IT GRC topics.

Toolkits
Our unique documentation toolkits are designed to help organizations adapt quickly and adopt best practice using customizable template policies, procedures, forms, and records.
Visit www.itgovernanceusa.com/documentation-toolkits to view and trial our toolkits.

Software
Our industry-leading software tools, developed with your needs and requirements in mind, make information security risk management straightforward and affordable for all, enabling organizations worldwide to be ISO 27001-compliant.
Visit www.itgovernanceusa.com/shop/category/software for more information.
IT Governance USA is the one-stop shop for cybersecurity, cyber
risk, and privacy management solutions. Contact us if you require
consultancy, books, toolkits, training, or software.
@ITG_USA
/it-governance-usa-inc
@ITGovernanceUSA
© 2003–2021 GRC International Group PLC | Acknowledgement of Copyrights | GRC International Group Trademark Ownership Notification
Endnotes

1. Mandiant, “Mandiant Security Effectiveness Report 2020”, May 2020, https://www.fireeye.com/current-threats/annual-threat-report/security-effectiveness-report.html. Be aware that statistics reporting on 2020 activity (2021 reports) will almost certainly be aberrant, with increased levels of cyber crime in response to the mass move to remote working, and that 2019 figures (2020 reports) likely offer a more accurate reflection of the current cyber landscape.
2. William Turton and Kartikay Mehrotra, “Hackers Breached Colonial Pipeline Using Compromised Password”, Bloomberg, June 2021, https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password.
3. NIST, “NIST SP 800-160 Vol. 2”, November 2019, https://csrc.nist.gov/glossary/term/cyber_incident.
4. ‘Confidentiality’ means that the data is only accessible to those who need access to it. ‘Integrity’ means that the data is protected from unauthorized modification, destruction, and loss. ‘Availability’ means that the data is accessible to authorized persons as and when necessary.
5. IBM, “Cost of a Data Breach Report 2020”, July 2020, https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/.
6. Ibid.
7. Trustwave, “2020 Trustwave Global Security Report”, April 2020, https://www.trustwave.com/en-us/resources/library/documents/2020-trustwave-global-security-report/.
8. Ransomware is a payload that encrypts or otherwise prevents access to the user’s files until a ransom is paid (usually in Bitcoin). In WannaCry’s case, the payload was transmitted by a worm: a self-replicating program (i.e. a program that can replicate without user interaction) that can function without having to be embedded in another program. This combination of characteristics allows worms to spread widely within a short space of time.
9. Robin Henry, Rebecca Myers, and Jonathan Corke, “Hospitals to struggle for days”, The Sunday Times, May 2017, https://www.thetimes.co.uk/article/nhs-cyberattack-bitcoin-wannacry-hospitals-to-struggle-for-days-k0nhk7p2b; and National Audit Office (NAO), “Investigation: WannaCry cyber attack and the NHS”, April 2018, https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/.
10. “Investigation: WannaCry cyber attack and the NHS”.
11. Norsk Hydro, “Cyber-attack on Hydro in brief”, October 2020, https://www.hydro.com/en-GB/media/on-the-agenda/cyber-attack/; Joe Tidy, “How a ransomware attack cost one firm £45m”, BBC, June 2019, https://www.bbc.co.uk/news/business-48661152; and Reuters, “Norway says Norsk Hydro has been exposed to LockerGoga ransomware attack”, March 2019, https://www.reuters.com/article/us-norsk-hydro-cyber-lockergoga-idUSKCN1R01KI.
12. “How a ransomware attack cost one firm £45m”.
13. “Cyber-attack on Hydro in brief”.
14. FBI, “The Cyber Threat”, accessed July 2021, https://www.fbi.gov/investigate/cyber.