Incident response (IR) is the approach an organization takes to prepare for, detect, contain, and recover from a cybersecurity breach. An incident response plan helps ensure an orderly, effective response to cybersecurity incidents, which in turn helps protect a cooperative's data, reputation, and revenue.
How you respond to an incident will ultimately determine the impact of an incident.
Being attacked or targeted for a cyber attack is already bad enough, but failing to take action will only make it worse. In some cases, failing to respond correctly can even lead your insurance company to deny your claim. Failure to respond can make the incident last longer, make the consequences more severe, muddle communications with members and leadership, and leave your cooperative looking like it has something to hide. Remember, “Grey’s Law” states that “Any sufficiently advanced incompetence is indistinguishable from malice.” When people are convinced you acted inappropriately or lied to them, even when you didn’t, they get mad and they sue.
As an example, think back to the famous Equifax hack… Who do you blame for losing your data? The faceless hackers, or Equifax? Most people blame Equifax.
Equifax has become a shining example of why you need a sufficient IRP. Equifax’s response was terrible! Misinformation came from multiple sources, and people were told one reason and then another. Equifax even (later) created a website to respond to the breach, on a different domain and with a different design, that looked more like a phishing scheme than a response to an attack. Equifax obviously had not planned for a data leak, and most people (in their lawsuits) found that to be unacceptable.
An incident response plan will help ensure the proper steps are taken, when they need to be taken.
It should include a few things:
It’s important to note that an IR plan’s value doesn’t end when the incident is over. The IR plan continues to provide support during possible litigation, security/incident audits, and historical information that feeds into a risk assessment process that will improve the incident response process itself.
Why You Need an Incident Response Plan
According to the Ponemon Institute, it typically takes utilities 88 days to recover from a cybersecurity incident, with 56% of utilities reporting at least one operational shutdown per year due to a cyber attack.
Cyber incidents are not just a technical problem; for co-ops, they are a reliability and membership trust problem. The sooner they are mitigated, the less damage they cause.
Because an incident response plan is not solely a technical matter, the IR plan must be designed to align with a cooperative’s priorities of safety, reliability, and affordability!
The information gained through the incident response process can also feed back into the process itself, ensuring better handling of future incidents and a stronger cybersecurity posture overall. When board members, insurance adjusters, members, media, judges, and auditors ask about an incident, a co-op with an incident response plan can point to its records and prove that it responded to the attack responsibly and thoroughly!
Although the needs are many, most organizations don’t have a plan!
According to a survey by Ponemon, 77 percent of respondents say they lack a formal incident response plan. Among the 23 percent that do have IR plans, only 32 percent would describe their initiatives as “mature.”
These figures are concerning, especially when you consider that 57 percent of organizations that have experienced multiple attacks say the time needed to resolve cyber incidents is lengthening, and 65 percent say the severity of the attacks they’ve experienced is increasing.
When it comes to cybersecurity, speed is the main factor in limiting the damage done. The more time attackers can spend inside a cooperative’s network, the more they can steal, destroy, or position for later use. An IR plan limits the time an attacker has by ensuring responders both understand the next steps they must take and know which tools to use and which authorities to ask for help.
According to the National Institute of Standards and Technology (NIST), there are four key phases to IR: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
No organization can spin up an effective incident response on a moment’s notice. A plan must be in place to both prevent and respond to events.
To act quickly and completely while an incident is unfolding, everyone on the IR team needs to know their responsibilities and the decisions that are theirs to make.
The IR team should include a cross section of business and technical experts with the authority to take action in support of the business. Members should include representatives from management, technical, legal, and communications disciplines, as well as security committee liaisons. All departments affected by an incident should be in the loop and everyone should have a decision matrix to guide their actions during and after the incident.
The plan should also define who is in charge and who has the authority to make certain critical decisions. Those aren’t things to figure out, let alone argue over, in the heat of the moment.
Ensure plans and other supporting documents exist and are updated periodically to remain current. All relevant personnel should have access to the parts of the plan that pertain to their responsibilities and should be alerted when the plan is revised. There should be a feedback loop that is enacted after every significant incident in order to improve the plan continuously.
Have the capabilities to detect and investigate incidents, as well as to collect and preserve evidence. To determine if an attacker is in your environment, it’s critical that you have endpoint security technology that provides total visibility into your endpoints and collects incident data.
Without the right tools, and processes to guide their use, you’ll be ill-equipped to investigate how attackers are accessing your environment, how to mitigate an attacker’s existing access, or how to prevent future access.
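Detection capability in practice means rules that run over the data your endpoints and servers already produce. The following is an added example, not code from this article or from SkyHelm: it parses a handful of constructed, syslog-style SSH authentication lines (the format is assumed for illustration) and flags a source that succeeds in logging in after a burst of failures within a short window. Each finding carries the host, account, source and timestamps, which is the “who, what, when, where” a responder needs to start an investigation.

```python
"""Added example: a small detection routine run over constructed log lines.

Not code from the original article or from SkyHelm. The syslog-style
authentication format below is an assumption made for this illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): a burst of failed logins
# from one source followed by a success, plus unrelated background activity.
SAMPLE_LOG = """\
2024-03-04T02:11:05Z scada-hmi01 sshd: Failed password for operator from 198.51.100.23
2024-03-04T02:11:09Z scada-hmi01 sshd: Failed password for operator from 198.51.100.23
2024-03-04T02:11:14Z scada-hmi01 sshd: Failed password for operator from 198.51.100.23
2024-03-04T02:11:20Z scada-hmi01 sshd: Failed password for operator from 198.51.100.23
2024-03-04T02:11:31Z scada-hmi01 sshd: Accepted password for operator from 198.51.100.23
2024-03-04T02:15:00Z billing-db sshd: Failed password for dba from 10.20.0.7
2024-03-04T02:40:00Z billing-db sshd: Accepted password for dba from 10.20.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_lines(text):
    """Turn raw lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag a (host, user, source) whose successful login follows >= threshold
    failures inside the look-back window. Returns one finding per such success."""
    failures = defaultdict(list)  # (host, user, src) -> timestamps of recent failures
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        # Drop failures that have aged out of the window before deciding.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
        elif len(failures[key]) >= threshold:
            findings.append({
                "host": ev["host"], "user": ev["user"], "source": ev["src"],
                "failed_attempts": len(failures[key]),
                "first_failure": failures[key][0], "success_at": ev["ts"],
            })
            failures[key].clear()
    return findings


def run_detection(text=SAMPLE_LOG):
    """Convenience entry point: parse then detect."""
    return detect_bruteforce_success(parse_lines(text))


if __name__ == "__main__":
    for f in run_detection():
        print(f"{f['success_at'].isoformat()} {f['host']}: {f['user']} from {f['source']} "
              f"succeeded after {f['failed_attempts']} failures "
              f"(first failure {f['first_failure'].isoformat()})")
```

On the sample data the rule fires once, for scada-hmi01, and stays quiet for billing-db, whose single failure is 25 minutes before the success and so falls outside the window. The threshold and window are the tuning knobs that decide how noisy the rule is; setting them deliberately, and recording why, is part of the preparation phase rather than something to work out during an incident.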
Ensure the IR team has the appropriate skills and training. This includes exercising the IR plan from time to time. It also includes staffing the IR team, with either in-house staff or through a third-party provider, to accommodate the time away from the job necessary in order to maintain certifications and leverage other educational opportunities.
Threat intelligence capabilities help an organization understand the kinds of threats it should be prepared to respond to. Threat intelligence should integrate seamlessly into endpoint protection and use automated incident investigations to speed breach response. Automation enables a more comprehensive analysis of threats in just minutes, not hours, so an organization can outpace advanced persistent threats (APTs) with smarter responses.
Without a thorough IR plan, or a properly trained team to execute it, mistakes are all too easy to make.
The second phase of IR is to determine whether an incident occurred, its severity, and its type. NIST outlines five steps within this overall phase:
Don’t let the simplified list above fool you. The detection and analysis phase can be extremely challenging. Here are a few reasons why:
SkyHelm’s TITAN platform is used extensively for incident response, especially during the detection and analysis phase. Its cloud-based architecture enables significantly faster incident response and remediation times and provides remote visibility across endpoints throughout the environment, giving instant access to the “who, what, when, where, and how” of an attack. Services like TITAN streamline the detection and analysis phase by combining SkyHelm’s endpoint security technology with the people, expertise, and processes necessary to remediate an incident quickly.
The purpose of the containment phase is to halt the effects of an incident before it can cause further damage. Once an incident is contained, the IR team can take the time necessary to tailor its next steps. These should include taking any measures necessary to address the root cause of the incident and restore systems to normal operation.
These decisions have the potential to impact productivity, and IR teams must approach them with caution. An IR plan will ease their decision-making process by having a set of predetermined strategies and procedures for containment that are based on the organization’s level of acceptable risk.
Develop containment, eradication, and recovery strategies based on criteria such as:
At all times, these processes should be documented and evidence should be collected. There are two reasons for this: first, to learn from the attack and increase the security team’s expertise, and second, to prepare for potential litigation.
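Evidence that may end up in front of a judge or auditor has to be shown to be the same bytes that were collected, and every hand it passed through has to be recorded. The following is an added example, not code from this article or from SkyHelm, of the minimum a co-op’s IR process needs: a SHA-256 hash taken at collection, an append-only chain-of-custody log, and an integrity check that verifies any copy against the recorded hash and logs a failure instead of hiding it. The case id, custodian names and artifact contents are constructed placeholders.

```python
"""Added example: preserving collected evidence with integrity hashes and a
chain-of-custody log. Not code from the original article or from SkyHelm;
the case id, custodians and artifact bytes below are constructed."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLocker:
    """Holds collected artifacts and records every handling step for one case."""

    def __init__(self, case_id):
        self.case_id = case_id
        self.items = {}        # evidence id -> {"sha256", "source"}
        self.custody_log = []  # append-only; nothing is ever edited or removed

    def _log(self, evidence_id, action, custodian, note=""):
        self.custody_log.append({
            "case": self.case_id, "evidence": evidence_id, "action": action,
            "custodian": custodian, "note": note,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        })

    def _require(self, evidence_id):
        if evidence_id not in self.items:
            raise KeyError(f"unknown evidence id {evidence_id}")

    def collect(self, evidence_id, data, custodian, source):
        """Register an artifact once; a second collection under the same id is refused."""
        if evidence_id in self.items:
            raise ValueError(f"{evidence_id} already collected; evidence is never overwritten")
        digest = sha256_hex(data)
        self.items[evidence_id] = {"sha256": digest, "source": source}
        self._log(evidence_id, "collected", custodian, f"from {source}, sha256={digest}")
        return digest

    def transfer(self, evidence_id, from_custodian, to_custodian):
        """Record a hand-off so the chain of custody has no gaps."""
        self._require(evidence_id)
        self._log(evidence_id, "transferred", to_custodian, f"from {from_custodian}")

    def verify(self, evidence_id, data, custodian):
        """Check a copy against the hash recorded at collection.
        A mismatch is logged as an integrity failure and reported, not suppressed."""
        self._require(evidence_id)
        ok = sha256_hex(data) == self.items[evidence_id]["sha256"]
        self._log(evidence_id, "verified" if ok else "INTEGRITY FAILURE", custodian)
        return ok

    def export_log(self):
        """Custody record in a form that can be attached to the incident report."""
        return json.dumps(self.custody_log, indent=2)


def demo():
    """Walk one constructed artifact through collection, hand-off and verification."""
    locker = EvidenceLocker("IR-2024-0001")           # constructed case id
    memdump = b"constructed memory capture bytes"      # stands in for a real capture
    digest = locker.collect("EV-01", memdump, "analyst.a", "scada-hmi01 volatile memory")
    locker.transfer("EV-01", "analyst.a", "counsel.b")
    clean_ok = locker.verify("EV-01", memdump, "counsel.b")            # unchanged copy
    altered_ok = locker.verify("EV-01", memdump + b"!", "counsel.b")   # one byte appended
    return {"sha256": digest, "clean_copy_ok": clean_ok,
            "altered_copy_ok": altered_ok, "log_entries": len(locker.custody_log),
            "log": locker.export_log()}


if __name__ == "__main__":
    result = demo()
    print(result["log"])
```

The untouched copy verifies and the altered copy does not, and both outcomes appear in the log; that record, exported alongside the artifacts, is what lets a co-op show later that it acted responsibly. In a real deployment the log would be written to storage the IR team cannot silently rewrite, and the hashes would be recorded on a second medium at collection time.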
Every incident should be an opportunity to learn and improve, but many organizations give short shrift to this step. Adversaries are always evolving, and IR teams need to keep up with the latest tactics, techniques, and procedures.
A lessons learned meeting involving all relevant parties should be mandatory after a major incident and desirable after less severe incidents with the goal of improving security as a whole and incident handling in particular. In the case of major attacks, involve people from across the organization as necessary and make a particular effort to invite people whose cooperation will be needed during future incidents.
During the meeting, review:
Document the important points made during the meeting, assign action items, and follow up with an email record to those who could not attend.
The results of these meetings can become an important training tool for new hires. They can also be used to update policies and procedures and create institutional knowledge that can be useful during future incidents.
We’ve included a framework for developing your own incident response plan based on what we’ve discussed. I know it can be daunting, and we’re here to help. That said, there are many other organizations with experience in creating incident response plans, though most focus on organizations other than electric cooperatives. If you find yourself struggling, reach out and get it done!
Most cooperatives don’t have a full-time cybersecurity person with the experience to develop or execute an effective plan on their own. If they are lucky enough to have a dedicated team, they are likely exhausted by floods of false positives from their automated detection systems or are too busy handling existing tasks to keep up with the latest threats.
SkyHelm prides itself on being a leader in incident response and brings control, stability, and organization to what can become a chaotic event. SkyHelm works closely with organizations to develop IR plans tailored to their team’s structure and capabilities.
Through this guidance, we help companies improve their incident response operations by standardizing and streamlining the process. We’ll also analyze an organization’s existing plans and capabilities, then work with its team to develop standard operating procedure “playbooks” to guide activities during incident response. Lastly, our services team can help battle-test those playbooks with exercises such as penetration testing, red team/blue team exercises, and adversary emulation scenarios.