The Cyber Incident Response Lifecycle
Authored by Maura Wiese, Head of the Northeast Region for AXA XL’s Cyber & Technology, and the Director of Cyber Security for S-RM
In the wake of the COVID-19 pandemic, the need for organizations to engage in crisis preparation has never been highlighted so acutely. As organizations have moved to a remote working model - one that may be here to stay - their incident response planning should have adapted to this new reality. This means accounting for the new risks that come with it as well. A major cybersecurity incident represents a true crisis for any organization, and forward-thinking organizations should prepare appropriately.
Multiple frameworks have been developed to guide organizations in this planning, including those put forward by the National Institute of Standards and Technology (NIST), the SysAdmin, Audit, Network, and Security (SANS) Institute, and Computer Emergency Response Team (CERT) organizations. At their core, these frameworks are similar. We find the NIST framework particularly easy to engage with, and it clearly articulates all phases of the incident response cycle. Below is a breakdown of the incident response lifecycle as per the NIST framework.
We will use these phases to discuss the incident response lifecycle and demonstrate how preparations made long before an incident occurs can mean the difference between an organizational disaster and a methodical reaction that governs the chaos.
1 PREPARATION
1.1 The fundamentals
In many cases, fortune favors the well-prepared rather than the bold. Invariably, there will come a time where a risk will materialize, and a cyber incident will occur. Preparation is where the foundations of any future response process lie. In this phase, you should adopt a risk-based approach to cybersecurity, by taking the time to:
Understand your organization’s technological and business environment;
Identify and track threats; and,
Document risks to your organization.
Now that you have defined your risks and identified your critical assets, you need an actionable plan that empowers your teams to tackle incidents should they occur. A major cyber incident presents a particular challenge: it is typically charged, stressful, and chaotic for the teams involved, and it usually draws in several internal and external stakeholders.
The worst time to plan for an incident is in the midst of one. However, an appropriate incident response plan, when regularly drilled and tested, will embed some of the response flow into your team’s muscle-memory. This will allow them to more efficiently bring order to the chaos of any response.
While the specific format of the plan is flexible, it should:
Contain an actionable response flow: The reader must be able to follow how a response should proceed chronologically in actionable, concrete steps. The inclusion of a flow chart and checklists can provide clarity and prevent missteps in the heat of an incident.
Describe how incidents should be classified: Clear criteria should be included so that incidents are classified consistently. Common severity tiers are critical, high, moderate, and low. Not all incidents require the same focus, allocation of resources, or response teams. Low- and moderate-severity incidents can often be handled by IT teams following operational playbooks, while higher-severity incidents will often require wider skill sets, additional resources, tighter management, and potentially third-party support.
Establish clear communication channels: Incident response plans must clearly lay out what, when, and how information should be escalated by operational teams to other functions and stakeholders. Formal communication enables everyone to stay on the same page and reduces misunderstandings during a response. Small miscommunications can exacerbate an already challenging situation into a full-blown disaster.
Assign and describe roles and responsibilities: During an incident, all stakeholders should be aware of their roles and responsibilities. Formalized roles and responsibilities should be clearly outlined in a section of the incident response plan. They should go beyond the core technical team and cover all stakeholders involved in a response. Such stakeholders may include those from legal, marketing, public relations, manufacturing operations, and human resources.
Include third parties: These can include local law enforcement or regulatory bodies, insurance providers, external legal counsel such as breach coaches, public relations resources, and cybersecurity forensics firms.
Develop more prescriptive playbooks: Identify the most common incidents, or those tied to your critical risks, and define actionable playbooks to guide you operationally through a response related to these risks. These playbooks should contain more prescriptive steps than those found in the main response flow. For example, a major retailer may want to have a playbook for payment information being leaked, and a manufacturer may want to have playbooks covering ransomware scenarios to help ensure minimum downtime.
Take into account other planning: Incident response plans rely on and feed into other organizational planning. Relevant IT-focused business continuity and disaster recovery plans, as well as crisis management plans, should be referenced and tied to any incident response plan. Any triggers for activating these plans should be clearly defined and included to allow for a more seamless crisis response integration.
1.2 Socializing the plan (training)
Having a thoughtful response plan is essential, but it has little practical value unless it is properly socialized among those likely to be involved. The format for socializing an incident response plan can vary. For the technical teams, which will be at the core of the response process, a full examination of the plan, multiple Q&A sessions, and scenario-based dry runs are likely warranted. For leadership teams, additional quick-reference material outlining their roles, responsibilities, and expected activities can be invaluable preparation for incident response.
1.3 Practice makes perfect (testing)!
Maximum value is derived from the plan by periodically testing it and updating it through continuous improvement. When training has been completed, the plan should be put to the test in some form of tabletop exercise.
For newly developed plans, these can be less intense sessions; for example, walking the plan through a series of scenarios and reviewing it for completeness and flow. In the case of more developed programs, a more intensive exercise can be developed. Here, the response team’s decision making, knowledge, and communication is tested by a series of “injects” which modify the situation as it unfolds. Either approach can be improved by leveraging a third party to design and manage the exercise. The third party can bring additional expertise in terms of scenario realism and free up team members to participate instead of facilitating the session.
Functional testing of the technological solutions that enable an efficient response, such as backup restoration, is equally paramount. This can take the form of a parallel interruption test, in which a second set of infrastructure is stood up and tested so as not to interrupt the organization’s day-to-day operations. In a full interruption test, the organization’s actual infrastructure is tested. Full interruption tests are inherently more disruptive but offer the most actionable feedback on your restoration plans.
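A restore test is only meaningful if it checks that what comes back matches what was backed up, not merely that the restore job finished. The script below is an added example written for this page (not part of the original article or any AXA XL or S-RM tooling) of a parallel-style restore test: it backs up a directory to a tar.gz archive alongside a SHA-256 manifest taken from the live source, restores into a scratch directory so production is never touched, and reports missing, extra, or corrupt files. The manifest format, file layout, and the two-file sample tree are constructed for the demo; the `skip` parameter simulates a backup agent that silently failed to capture a file, which is exactly the defect this kind of test exists to surface.

```python
"""Scripted restore test: back up a directory, restore it into a scratch
location, and verify every file against a SHA-256 manifest taken from the
live source. Restoring into a scratch location is the "parallel" style of
test: production is never touched.

Example code written for this page; the manifest format, file layout and
sample data are constructed for the demo, not taken from any real tool.
"""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its hash."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(source: Path, archive: Path, skip=frozenset()) -> dict:
    """Archive `source` as tar.gz and store the manifest of the live source
    next to it. `skip` simulates files a backup agent silently failed to
    capture (e.g. a locked database file)."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel not in skip:
                tar.add(source / rel, arcname=rel)
    Path(str(archive) + ".manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def restore_and_verify(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh temporary directory and diff against the manifest."""
    scratch = Path(tempfile.mkdtemp(prefix="restore-test-"))
    try:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # Python 3.12+: refuses path traversal
            except TypeError:
                tar.extractall(scratch)  # older interpreters without the filter argument
        restored = build_manifest(scratch)
        missing = sorted(set(manifest) - set(restored))
        extra = sorted(set(restored) - set(manifest))
        corrupt = sorted(p for p in set(manifest) & set(restored) if manifest[p] != restored[p])
        return {
            "ok": not (missing or extra or corrupt),
            "missing": missing,
            "extra": extra,
            "corrupt": corrupt,
            "restored_files": len(restored),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def run_demo(skip=frozenset()) -> dict:
    """Build a constructed two-file source tree, back it up, and run the restore test."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    try:
        src = work / "source"
        (src / "db").mkdir(parents=True)
        (src / "db" / "orders.sql").write_text("INSERT INTO orders VALUES (1, 'widget');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        manifest = create_backup(src, work / "nightly.tar.gz", skip=skip)
        return restore_and_verify(work / "nightly.tar.gz", manifest)
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print("healthy backup:", run_demo())
    print("agent skipped a file:", run_demo(skip=frozenset({"db/orders.sql"})))
```

The manifest is taken from the live source at backup time rather than from the archive, so a backup that silently omitted or truncated a file fails the test instead of verifying against its own incomplete contents. In a real program the same check would run on a schedule against the production backup set, restoring into isolated infrastructure.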
2 DETECTION & ANALYSIS
2.1 Detection methods
The detection phase uses technical or administrative security controls to detect malicious activity in the environment. Some common activities under this phase are explored below.
Network monitoring: Whether through a foundational control, such as maintaining a firewall, or a more advanced solution, such as an Intrusion Detection System (IDS), tracking the activity of devices and users on the network is essential. Behavioral analytics supported by machine learning has made it easier to generate meaningful alerts from these solutions. However, such monitoring has its limitations. Consider the massive shift to work-from-home models in the wake of the COVID-19 pandemic: many network monitoring controls have been hamstrung, because much of the activity that would generate alerts now takes place beyond the reach of on-premises security solutions.
Endpoint monitoring: Traditional anti-virus solutions, as well as more advanced behavioral solutions, can alert you to infections on specific devices. Because they do not rely on the device being present on a corporate network, they can partially close the visibility gap caused by the shift to remote working.
Dark web monitoring: Third parties typically provide this service as a breach detection method, monitoring dark web forums and underground marketplaces for stolen corporate information and alerting you if and when it is found. This type of monitoring can be essential because it serves as a last line of defense for detecting an incident before it becomes publicly known.
There are other controls which can be implemented, and the steps taken during the preparation phase should allow your organization to determine which of these controls should be prioritized.
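To make the endpoint monitoring point above concrete, here is an added example (written for this page, not code from the original article or any vendor product) of the kind of behavioral rule an endpoint solution applies to file-event telemetry to catch a ransomware outbreak early. It flags a process that renames many files to a suspicious extension inside a short window, and separately flags a shadow-copy deletion command, which ransomware operators commonly run before encrypting so that local restore points are gone. The telemetry line format, thresholds, and extension list are assumptions, and the sample events are constructed.

```python
"""Toy behavioral detector run over endpoint file-event telemetry.

Two rules a ransomware playbook would want early warning on:
  1. one process renaming many files to a suspicious extension within a
     short window (mass encryption in progress), and
  2. a shadow-copy deletion command, run by attackers before encrypting
     so that local restore points are gone.

Example code written for this page; the telemetry format, thresholds and
extension list are assumptions, and the sample events are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning; real deployments baseline these per environment.
RENAME_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
SUSPICIOUS_EXTS = {"locked", "encrypted", "crypt"}
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)

# Constructed sample telemetry, one event per line:
#   <timestamp> <host> <process> <action> <target>
# For renames the target reads "<old path> -> <new path>".
SAMPLE_EVENTS = [
    "2024-03-01T09:00:00Z host-a WINWORD.EXE write C:\\Users\\bob\\report.docx",
    "2024-03-01T09:00:01Z host-a explorer.exe rename C:\\Users\\bob\\draft.docx -> C:\\Users\\bob\\final.docx",
    "2024-03-01T09:02:00Z host-b svchost.exe exec cmd.exe /c vssadmin delete shadows /all /quiet",
    "2024-03-01T09:02:01Z host-b svchost.exe rename C:\\Share\\q1.xlsx -> C:\\Share\\q1.xlsx.locked",
    "2024-03-01T09:02:02Z host-b svchost.exe rename C:\\Share\\q2.xlsx -> C:\\Share\\q2.xlsx.locked",
    "2024-03-01T09:02:03Z host-b svchost.exe rename C:\\Share\\q3.pdf -> C:\\Share\\q3.pdf.locked",
    "2024-03-01T09:02:04Z host-b svchost.exe rename C:\\Share\\q4.pdf -> C:\\Share\\q4.pdf.locked",
    "2024-03-01T09:02:05Z host-b svchost.exe rename C:\\Share\\q5.docx -> C:\\Share\\q5.docx.locked",
    "2024-03-01T09:30:00Z host-c backup.exe rename D:\\bak\\old.zip -> D:\\bak\\old.zip.locked",
]


def parse_event(line: str) -> dict:
    ts, host, process, action, target = line.split(" ", 4)
    return {
        "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "process": process, "action": action, "target": target,
    }


def file_extension(path: str) -> str:
    """Lower-cased final extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(lines, threshold=RENAME_THRESHOLD, window=WINDOW) -> list:
    """Return one alert per (host, process) rename burst and one per
    shadow-copy deletion, in the order the evidence arrived."""
    alerts = []
    recent = defaultdict(deque)   # (host, process) -> times of suspicious renames
    already_fired = set()         # one burst alert per process, not one per file
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["process"])
        if ev["action"] == "exec" and SHADOW_DELETE.search(ev["target"]):
            alerts.append({"rule": "shadow_copy_deletion", "severity": "high",
                           "host": ev["host"], "process": ev["process"],
                           "evidence": ev["target"]})
        if ev["action"] == "rename":
            new_path = ev["target"].split(" -> ", 1)[-1]
            if file_extension(new_path) in SUSPICIOUS_EXTS:
                times = recent[key]
                times.append(ev["when"])
                while times and ev["when"] - times[0] > window:
                    times.popleft()   # slide the window forward
                if len(times) >= threshold and key not in already_fired:
                    already_fired.add(key)
                    alerts.append({"rule": "mass_rename_burst", "severity": "critical",
                                   "host": ev["host"], "process": ev["process"],
                                   "count": len(times), "evidence": new_path})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events the detector produces two alerts for host-b (the shadow-copy deletion, then the rename burst once the fifth file is hit) and nothing for host-c, whose single rename stays below the threshold; lowering `threshold` trades that quiet for earlier warning, which is the tuning decision the preparation phase should settle before an incident.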
2.2 Alerting processes
Having the right incident response plan in place in conjunction with a well-trained workforce greatly increases the likelihood that when teams detect malicious activity, they will recognize it, triage it appropriately, and know how to alert the wider organization. In such cases, staff will be able to follow documented processes to determine the incident severity, what teams need to be involved, and what third parties need to be alerted.
For example, alerts from your monitoring services indicating that a ransomware incident is underway can result in panic. However, by having a team well versed in how to implement your response plan you increase the likelihood of that panic being set aside and appropriate action taken. Your organization will only benefit by being able to start working through the problem using steps developed at a calmer time.
3 CONTAINMENT, ERADICATION, AND RECOVERY
As can be seen in the NIST response framework flow above, detection flows into containment, eradication, and recovery, with the implication that each may be repeated multiple times during a given incident. This is intended to acknowledge the reality that, as the response process unfolds, new issues will likely be detected and addressed.
Let’s consider the same ransomware incident referenced above. In our example, imagine that the initial detection of the infection, containment of its spread, efforts to eradicate the ransomware itself, and recovery from backups, are all in motion. As this is occurring, the forensic investigation could surface that the attacker has ongoing access to other systems, representing a new detection and requiring the process to begin again. Without prior planning, this new thread of response can be lost in the minutiae of actions already underway, leading to missed steps and future headaches.
Reporting and communication are paramount during this phase. With communication methods and cadence already known and defined in your incident response plan, leadership and other stakeholders can be kept apprised of the situation. This will enable them to make informed decisions, with minimal disruptions to the operational team carrying out the response.
4 POST-INCIDENT ACTIVITY
When recovery has been completed across the organization, it can be tempting to simply put the incident behind you. However, doing so will be detrimental to your organization’s growth, as well as your preparedness to tackle similar incidents in the future. Understanding the cause of the incident, reviewing how your program can be improved, and implementing the improvements constitute an essential feedback loop. This feedback loop should be formalized in your incident response plan.
Retained third parties like breach coaches or forensics firms can provide additional insight and lessons learned. Legal knowledge offered by breach coaches can improve your understanding of the legal environment your organization operates in and allow you to adapt your practices accordingly. Additionally, forensic firms often bring with them a breadth of experience from having responded to incidents across multiple sectors on a daily basis. They are therefore well-placed to provide insight into how your specific incident unfolded, as well as best-practice advice for how to respond going forward. Such insights should be incorporated in any post-mortem exercise to continuously improve your incident response plans, processes, and procedures.
A serious cybersecurity incident can present you with one of the worst days in your professional life. However, with appropriate planning and preparation, your organization will be able to efficiently respond and recover from a major incident. Doing so will go a long way toward minimizing the impact of the incident as much as possible, and be the difference between an organizational disaster and a laudable success story.
About AXA XL
AXA XL is the P&C and specialty risk division of AXA which provides property, casualty, professional and speciality products to industrial, commercial and professional firms, insurance companies and other enterprises, here in the UK and throughout the world. With underwriting teams based in the US, UK, EMEA and Asia Pacific regions, we can make decisions close to the markets you serve and work with you to tailor cover to your business needs.
We help businesses adapt and thrive amidst change. Rather than just paying covered claims when things go wrong, we go beyond protection into prevention so your business can go beyond the unexpected.