Step 4: Respond

Step 4: Respond | Assume a breach will happen and have a plan in place

No organisation can ever be truly ready for a cyber-attack, but preparation for the immediate aftermath can make a significant difference to the initial impact and long-term outcome. In the event of a cyber-attack, a coherent, tested and holistic response strategy can mean the difference between an organisation holding its nerve or going into complete meltdown.

NIST describes the respond function as “including appropriate activities to take action regarding a detected cyber security incident.” Ensuring that the respond function is correctly established gives the best chance of containing and minimizing the impact of such attacks. That starts with having a plan, ensuring it is tested and can be quickly deployed, and importantly – setting out responsibilities in such an eventuality.

Delay in implementing response plans and mitigating associated risks creates a window of opportunity for hackers to operate and further exploit the situation, handing them an increased chance of taking advantage of vulnerable entry points and succeeding in their attack. Hackers can paralyze your business with ransomware demands, take down critical systems, or target sensitive and valuable data assets, including your intellectual property and customer data.

Once you have been breached, the attackers can quickly move across your IT network and systems, gathering and exfiltrating that data to be used for further fraudulent and criminal activity.

There are four phases in the incident response lifecycle defined by NIST: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Below we look at each of these, providing tips and recommendations for implementation in your business.


Preparation: fail to prepare, prepare to fail

The NIST framework, within this respond function, requires that response processes and procedures are executed and maintained in order to ensure a timely response to detected cybersecurity events.

As Benjamin Franklin once said, ‘failing to prepare is preparing to fail’, and response planning is all about knowing what to do after the detection. This involves having a robust, tested process, knowing who does what, whom to notify and how to initiate the response plan. Those tasked with responding must know the plan and be positioned to take action to stop the incident and minimize business interruption.

Detection and analysis: reading the signs

In this phase, you need to look at the indicators that an attack has already happened or is occurring right now. This should be aligned to your wider risk and security operations, with tooling configured to alert accordingly. Such indicators could include alerts from your antivirus software or vulnerability scanning tools. An increasing challenge is that these alerts and scans can often produce false positives: an alert may fire on the expected information or scenario yet not be indicative of an ongoing attack. It is therefore critical to have the ability and resources to analyse these signs and determine what’s really going on.

A common mistake is to act without such analysis, attempting to shut down activities and wasting time chasing down log events that turn out not to be an incident. For that reason, your incident response team needs to develop the right tooling, processes and playbooks to enable analysis of the attack methods (so-called ‘attack vectors’) in order to properly categorize and prioritize the various events.

It is important that your team reviews the NIST cyber security framework as it gives excellent guidance in terms of making such categorization based on functional or information impact, as well as recoverability.
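As an added illustration of the categorization step described above (this is example code, not part of the original article or of any NIST publication), the helper below ranks analysed events on the three factors the text names: functional impact, information impact and recoverability. The rating labels follow the NIST SP 800-61 rev. 2 scales; the numeric weighting, the P1/P2/P3 bands and the sample events are constructed assumptions for this example.

```python
from dataclasses import dataclass

# NIST SP 800-61 r2 rating scales, least to most severe (index = severity).
FUNCTIONAL_IMPACT = ("none", "low", "medium", "high")
INFORMATION_IMPACT = ("none", "privacy breach", "proprietary breach", "integrity loss")
RECOVERABILITY = ("regular", "supplemented", "extended", "not recoverable")


@dataclass(frozen=True)
class AnalysedEvent:
    event_id: str
    source: str        # tool that raised it, e.g. "antivirus", "vuln-scanner"
    confirmed: bool    # analyst verdict: False = investigated, found to be a false positive
    functional: str
    information: str
    recoverability: str


def _rating(scale, value):
    """Map a label onto 0..3; reject unknown labels instead of silently scoring them 0."""
    if value not in scale:
        raise ValueError(f"unknown rating {value!r}; expected one of {scale}")
    return scale.index(value)


def priority_score(ev):
    """Combined score 0..12. Functional impact counts double because it drives
    business interruption (the weighting is an assumption of this example)."""
    return (2 * _rating(FUNCTIONAL_IMPACT, ev.functional)
            + _rating(INFORMATION_IMPACT, ev.information)
            + _rating(RECOVERABILITY, ev.recoverability))


def priority_band(score):
    """Constructed bands: P1 needs immediate containment, P3 can be queued."""
    return "P1" if score >= 8 else "P2" if score >= 4 else "P3"


def triage(events):
    """Drop events the analysis showed to be false positives, then return the rest
    as (event_id, band, score), most urgent first."""
    ranked = sorted((e for e in events if e.confirmed), key=priority_score, reverse=True)
    return [(e.event_id, priority_band(priority_score(e)), priority_score(e)) for e in ranked]


# Constructed sample of events after the analysis step.
SAMPLE_EVENTS = [
    AnalysedEvent("EV-1", "antivirus", True, "medium", "privacy breach", "supplemented"),
    AnalysedEvent("EV-2", "vuln-scanner", False, "high", "integrity loss", "not recoverable"),
    AnalysedEvent("EV-3", "edr", True, "high", "none", "extended"),
    AnalysedEvent("EV-4", "ids", True, "low", "none", "regular"),
]
```

Note that EV-2 carries the highest raw ratings but never reaches the queue, because the analysis step marked it as a false positive; that is the point of analysing before acting.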

Containment, eradication, and recovery: putting out the fire

This is the phase where the response team, having gathered the information and gained an understanding of the incident, tries to contain, combat and recover from the threat. It typically involves taking action to prevent further damage, such as disabling network access for infected computers, closing ports, isolating traffic or blocking IPs. Depending on the type of incident, there may also be a need to take immediate action such as resetting passwords for users whose accounts were breached, or blocking the accounts of insiders who may have caused the incident.

Many incidents involve responding to malicious software, such as ransomware, viruses or trojan horses, designed to cause damage, steal data or make extortion demands. A 2019 UK Government report showed a third of businesses had a cyber security breach or attack in the prior 12 months, with malware, including ransomware attacks, impacting 27% of these businesses.

In recovering from such incidents, it’s important to maintain backups of the impacted systems, have appropriate and risk-driven business continuity plans and to review and update incident playbooks which allow your business to preserve evidence for further forensics or legal cases should this be required. Careful decisions need to be made around service restoration with two critical requirements:

  • Carry out system/network validation and testing to certify all systems as operational.
  • Re-certify any compromised component of the systems as both operational and secure.

Post-incident activity: applying lessons learned

Post-incident activity is the postmortem that helps determine what happened and why it happened, and that applies the lessons learned so that you can prevent it from happening again. It should include all relevant stakeholders conducting a detailed review that results in documented updates to security procedures and, if necessary, business practices, with a clear objective to lessen the impact of such incidents in the future.

Reviews should be based on the collected incident data rather than emotional finger-pointing, and should focus on identifying the exposed areas of weakness, whether that’s deemed to be human error, systems failure or shortcomings in security practices. Equally important is to assess the effectiveness of the response and to determine whether incident response plans provided for sufficiently quick and appropriate action, with everyone involved knowing their roles and responsibilities.

Following the post-incident review, there may be clear actions to be immediately taken such as specific staff training or changes to delegation and authority for future emergencies. It is important each of these is carefully considered and feeds into constantly evolving business and technology plans.

Next: Step 5. Recover – Business interruption is the greatest risk; access experts to recover quickly