Developing Tailored Incident Responses: The Prepare Step
Written by: Chad Bellin, Chief Product Officer, CyberSponse, Inc.
In the 2014 US State of Cybercrime Survey, PwC found that almost one-third (32%) of respondents said insider crimes are more costly or damaging than incidents perpetrated by outsiders. Yet many companies do not have an insider-threat program in place, and are therefore not prepared to prevent, detect, and respond to internal threats.[1]
As we discussed in our last blog post, the key to empowering your firm to defend against internal attacks as well as external cyber breaches is to develop an incident response workflow for each attack type. The workflow should include all seven steps of the Incident Response Life Cycle, which expands the four phases (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) defined in the NIST Computer Security Incident Handling Guide[2]:
- Post-Incident Handling
In this post, we will take a closer look at the Prepare step, in which you establish your incident response capabilities for each type of attack. The first component of Prepare is determining the core operations (Ops) team members and their roles, as well as the extended team members and their roles.
The Ops team should include the hands-on people in your organization who would handle the incident, such as your vulnerability manager, threat manager and risk manager, while the extended team should include your executive lead, the professional services lead and the response support resources such as legal, public relations and human resources personnel. The role each person performs when an attack occurs should be clearly defined.
Some people may fulfill more than one role, but where possible it is best to divide the assignments so that lines of responsibility and accountability are clear. Not every resource will be required for every attack, but by identifying them ahead of time you will always know whom to turn to if they are needed in the heat of the moment. Keep in mind that the heat of the moment may fall outside "normal" work hours, so identify backup personnel for each role as well.
As you identify the various team members, you may need to assign different people for each of the nine major types of attacks listed below. When possible, though, it is best to use the same teams for all attack types. This is usually feasible, since the Prepare stage is virtually identical for all nine major attack types:
- Malware
- Virus
- Elevation of Privilege
- Unauthorized Access
- Root Access
- Phishing
- Improper Usage
- Denial of Service
- Data Theft
Teams and players may still differ for a number of reasons, such as different lines of business, geographic locations, or external business relationships that carry their own requirements.
The next component of the Prepare step is to define the escalation path your company will follow for both external attacks and internal attacks. This includes documenting the attack, who should address issues first, and how to escalate the issue when additional help is needed. The process should also include how the rest of the team members will be informed and—if necessary—the affected employees, customers and business partners.
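The roster, role backups and escalation path described above are easiest to keep honest when they are written down as data rather than in a document nobody reads at 2 a.m. The following is an added example, not code from the original post or from CyberSponse, that encodes a roster with a primary and backup per role, a per-attack-type override, and an internal/external escalation path, then resolves who to page at a given time and checks the roster for gaps before an incident. Every name, role, override, business-hours window and escalation order in it is a constructed assumption, and the after-hours policy (backup is the designated on-call outside business hours) is likewise assumed:

```python
"""Roster and escalation-path resolver for the Prepare step.

Added example, not code from the original post or from CyberSponse.
Every name, role, override, business-hours window and escalation order
below is a constructed assumption used to illustrate the data model.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Optional, Tuple

# The nine attack types named in the post.
ATTACK_TYPES = frozenset({
    "malware", "virus", "elevation_of_privilege",
    "unauthorized_access", "root_access", "phishing",
    "improper_usage", "denial_of_service", "data_theft",
})


@dataclass(frozen=True)
class Assignment:
    role: str      # e.g. "threat_manager"
    primary: str   # person who owns the role
    backup: str    # after-hours / fallback contact for the role
    team: str      # "ops" (hands-on) or "extended" (exec, legal, PR, HR)


# Default roster shared by all nine attack types (constructed names).
DEFAULT_ROSTER: List[Assignment] = [
    Assignment("vulnerability_manager", "alice", "bob", "ops"),
    Assignment("threat_manager", "carol", "dave", "ops"),
    Assignment("risk_manager", "erin", "frank", "ops"),
    Assignment("executive_lead", "grace", "heidi", "extended"),
    Assignment("professional_services_lead", "ivan", "judy", "extended"),
    Assignment("legal", "kate", "leo", "extended"),
    Assignment("public_relations", "mia", "noah", "extended"),
    Assignment("human_resources", "olga", "pete", "extended"),
]

# Per-attack-type overrides, e.g. a line of business with its own counsel
# for data-theft cases (constructed).
OVERRIDES: Dict[str, List[Assignment]] = {
    "data_theft": [Assignment("legal", "quinn", "rosa", "extended")],
}

# Escalation path by attack origin: who is paged first, then who is
# brought in as more help is needed (constructed ordering).
ESCALATION_PATH: Dict[str, List[str]] = {
    "internal": ["threat_manager", "human_resources", "legal", "executive_lead"],
    "external": ["threat_manager", "vulnerability_manager", "risk_manager",
                 "public_relations", "executive_lead"],
}

BUSINESS_HOURS: Tuple[time, time] = (time(9, 0), time(17, 0))  # Mon-Fri, assumed


def roster_for(attack_type: str) -> Dict[str, Assignment]:
    """Default roster with any attack-type-specific overrides applied."""
    if attack_type not in ATTACK_TYPES:
        raise ValueError(f"unknown attack type: {attack_type}")
    roster = {a.role: a for a in DEFAULT_ROSTER}
    for override in OVERRIDES.get(attack_type, []):
        roster[override.role] = override
    return roster


def is_business_hours(when: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return when.weekday() < 5 and start <= when.time() < end


def on_call(a: Assignment, when: datetime,
            unavailable: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Who to page for one role right now.

    In business hours the primary is tried first, then the backup; out of
    hours the backup is the designated on-call (assumed policy). Anyone in
    `unavailable` (on leave, already engaged) is skipped. None means the
    role is uncovered, which callers must surface rather than ignore.
    """
    order = [a.primary, a.backup] if is_business_hours(when) else [a.backup, a.primary]
    for person in order:
        if person not in unavailable:
            return person
    return None


def escalation_chain(attack_type: str, origin: str, when: datetime,
                     unavailable: FrozenSet[str] = frozenset()
                     ) -> List[Tuple[str, Optional[str]]]:
    """(role, person) pairs in escalation order for this attack and time."""
    roster = roster_for(attack_type)
    return [(role, on_call(roster[role], when, unavailable))
            for role in ESCALATION_PATH[origin]]


def roster_gaps(attack_type: str, origin: str) -> List[str]:
    """Prepare-time check: roles on the escalation path that are missing
    from the roster or whose primary and backup are the same person."""
    roster = roster_for(attack_type)
    gaps = []
    for role in ESCALATION_PATH[origin]:
        a = roster.get(role)
        if a is None or a.primary == a.backup:
            gaps.append(role)
    return gaps


if __name__ == "__main__":
    saturday_2am = datetime(2024, 3, 16, 2, 0)  # constructed timestamp
    for role, person in escalation_chain("data_theft", "internal", saturday_2am):
        print(f"{role:28s} -> {person or 'UNCOVERED'}")
```

Run `roster_gaps` for every attack type and origin as part of the Prepare step, and re-run it whenever the roster changes; an empty result is the evidence that each role on the escalation path has a distinct primary and backup. Resolving `None` to "UNCOVERED" rather than silently skipping the role is deliberate: an uncovered role is a preparation failure that should be visible, not discovered mid-incident.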
A handy resource during the Prepare stage is the NIST Computer Security Incident Handling Guide cited in the footnotes below; see Section 3.1. The guide lists tools and resources that may prove valuable during incident handling. For example, smartphones are one way to provide robust emergency communication and coordination. As NIST recommends, an organization should have multiple (separate and different) communication and coordination mechanisms in case one of them fails.[2] In practice that means the team roster and escalation path must remain reachable when email or the corporate network is unavailable or is itself the compromised system.
As noted above, Prepare is just one of the seven steps that together limit the extent to which business assets, sensitive information and intellectual property are compromised, and return IT operations to normal as quickly as possible. To learn about the remaining six steps, watch for future posts. In the next one, we will discuss the Detect step.
For more information on developing incident response workflows for your business, visit www.incidentresponse.com. To view the complete CyberSponse blog series, visit:
- [1] PwC, Managing cyber risks in an interconnected world: Key findings from The Global State of Information Security Survey 2015, 30 September 2014: http://www.dol.gov/ebsa/pdf/erisaadvisorycouncil2015security3.pdf
- [2] NIST, Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2, August 2012.