Incident Response: How to Prepare for Attacks and Breaches
Make sure your organization is prepared for attacks and breaches by putting together an incident response plan and incident response team.
If a hacker breached your network today, what would you do? What if a company employee unwittingly infected your systems with ransomware? What if attackers defaced your website or launched a distributed denial of service (DDoS) attack? What if an advanced persistent threat (APT), like a foreign government, targeted your organization?
For organizations of all sizes, attacks like these are not a matter of if, but when.
According to the Ponemon Institute's Cost of Data Breach Study, sponsored by IBM, companies worldwide face a 26 percent chance of having a material breach involving at least 10,000 records within the next two years. And the researchers found that around the world, the average total cost of a data breach is $4 million, or $158 per record. In the U.S., the costs are even higher, averaging $221 per record, for a total of $7.01 million per breach.
The Verizon 2016 Data Breach Investigations Report identified more than 100,000 security incidents last year, including 3,141 that resulted in confirmed data breaches. It concluded, "No locale, industry or organization is bulletproof when it comes to the compromise of data."
Given that your organization is going to experience security incidents, attacks and probably even breaches, you need a cyber incident response plan.
What is incident response?
In order to define "incident response," you first need to understand what constitutes a security incident. The Verizon report defines an incident as "a security event that compromises the integrity, confidentiality or availability of an information asset." An incident could be an attack, that is, an intentional attempt to gain unauthorized access to, damage or destroy a network. Or an incident could be a simple accident, such as an employee leaving a company laptop in a cab. An incident may or may not involve a breach, which Verizon defines as an incident that results in the confirmed disclosure of data to an unauthorized party.
Cybersecurity incident response is a formal, organized approach for dealing with all kinds of security incidents. It usually involves an incident response plan (IRP), which lays out the steps that a company should follow after an incident occurs. These plans should include the incident response process for all of the most common types of incidents, including those listed below.
Examples of security incidents
- Phishing. In a phishing attack, criminals send an organization's employees a message (usually via email) that includes a malicious attachment or link. The bad news, according to Verizon, is that phishing attacks are on the rise and employees don't know how to handle them. The median time between when attackers send out a phishing campaign and when the first recipient opens the message is just 1 minute and 40 seconds, and the median time for clicking on the malicious link is just 3 minutes and 45 seconds. Only 3 percent of phishing recipients reported the malicious email.
- Stolen Credentials. The goal of many phishing or malware attacks is to obtain credentials that will allow an attacker to access the organization's network. In many cases, however, the attackers don't actually have to "steal" anything — they simply guess the correct password. According to the Verizon report, "63 percent of confirmed data breaches involved weak, default or stolen passwords."
- Malware. Malware is a broad category that includes any kind of malicious software. Examples include viruses, trojan horses, rootkits, adware and the increasingly common ransomware. Users can introduce malware into a network in a number of ways, for example, by clicking a malicious attachment in a phishing email, by visiting a malicious Web page or by connecting an infected USB drive or other device to the network.
- Ransomware. An increasingly common attack vector, ransomware is a type of malware that demands that victims pay a fee in order to remove the malicious code, regain access to files that were encrypted by the ransomware or prevent something unwanted from happening, such as making a victim's data public. According to Symantec's Ransomware and Business 2016 Report, security vendors discovered 100 new ransomware families last year alone, and the average ransom demand has climbed to $679.
- Denial of service attacks. In a denial of service (DoS) attack, attackers flood a system, usually a Web server, with so much traffic that legitimate users can no longer access it; when the traffic comes from many compromised machines at once, it is a distributed denial of service (DDoS) attack. Hackers often mount DoS attacks for ideological reasons or to "punish" a person or organization for some activity. For example, last year attackers hit security blogger Brian Krebs with a massive DDoS attack after he published a series of articles on DDoS-for-hire services.
- Web app attacks. Hackers attack organizations' Web apps in a number of different ways, such as buffer overflows, SQL injection, cross-site scripting and, as already mentioned, DoS attacks. Verizon reported 5,334 incidents of Web app attacks last year, including 908 that resulted in data breaches. Financial services companies are a particularly popular target for Web attacks.
- Cyberespionage. One of the hardest types of incidents to defend against, cyberespionage occurs when an unauthorized person attempts to infiltrate a system or network in order to gain access to secret information. Often these attacks are perpetrated by a company's competitors or by nation-states. According to Verizon, "90 percent of cyberespionage breaches capture trade secrets or proprietary information."
- Loss or theft of devices. As mobile devices have become more common, organizations have experienced an increase in the loss or theft of devices that contain corporate information or that can access corporate networks. Many of these incidents do not result in a data breach, but organizations often find it very difficult to distinguish between accidents and intentional theft carried out with the goal of infiltrating an organization's networks.
- Insider attacks. Organizations sometimes don't pay enough attention to threats from their own employees or partners' employees, but Verizon reported that there were 10,489 incidents of "insider and privilege misuse" last year. These attacks can be very difficult to detect and mitigate because insiders often have knowledge that helps them evade an organization's security measures.
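The stolen-credentials item above notes that attackers frequently just guess weak or default passwords. The following added example (not from the original article) shows what the identification phase looks like in practice for that incident type: it parses constructed sshd-style log lines and flags three patterns, a password spray (one source trying many accounts), a brute force (one source hammering one account), and the most urgent signal, a successful password login from a source that had just failed repeatedly. The log lines, the thresholds and the function names are all assumptions made for this illustration.

```python
"""Credential-attack detection over constructed SSH auth log lines.

Added example, not the article's own code. SAMPLE_LOG is constructed in
the syslog/sshd style; the thresholds below are illustrative assumptions.
"""
import re
from collections import defaultdict

# Constructed sample data (not real logs). 203.0.113.7 sprays six accounts
# once each; 198.51.100.20 fails four times as "dave" and then succeeds;
# 192.0.2.9 is ordinary noise (one key login, one failed password).
SAMPLE_LOG = """\
Mar  3 10:01:02 bastion sshd[2111]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:03 bastion sshd[2112]: Failed password for invalid user test from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:04 bastion sshd[2113]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:01:05 bastion sshd[2114]: Failed password for alice from 203.0.113.7 port 51025 ssh2
Mar  3 10:01:06 bastion sshd[2115]: Failed password for bob from 203.0.113.7 port 51026 ssh2
Mar  3 10:01:07 bastion sshd[2116]: Failed password for carol from 203.0.113.7 port 51027 ssh2
Mar  3 10:02:10 bastion sshd[2130]: Failed password for dave from 198.51.100.20 port 40001 ssh2
Mar  3 10:02:11 bastion sshd[2131]: Failed password for dave from 198.51.100.20 port 40002 ssh2
Mar  3 10:02:12 bastion sshd[2132]: Failed password for dave from 198.51.100.20 port 40003 ssh2
Mar  3 10:02:13 bastion sshd[2133]: Failed password for dave from 198.51.100.20 port 40004 ssh2
Mar  3 10:02:14 bastion sshd[2134]: Accepted password for dave from 198.51.100.20 port 40005 ssh2
Mar  3 10:05:00 bastion sshd[2140]: Accepted publickey for erin from 192.0.2.9 port 50100 ssh2
Mar  3 10:05:30 bastion sshd[2141]: Failed password for erin from 192.0.2.9 port 50101 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and
# "Accepted publickey for X from IP" forms of the sshd message.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse(log_text):
    """Return a list of dicts with result, method, user and ip per auth event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events, spray_users=5, brute_failures=3):
    """Return (finding, source_ip, user_or_None) tuples.

    Thresholds are assumptions; tune them to your own baseline.
    """
    failed_users_by_ip = defaultdict(set)   # ip -> distinct accounts that failed
    failures_by_ip_user = defaultdict(int)  # (ip, user) -> failure count so far
    findings = []
    for e in events:
        key = (e["ip"], e["user"])
        if e["result"] == "Failed":
            failed_users_by_ip[e["ip"]].add(e["user"])
            failures_by_ip_user[key] += 1
        elif e["method"] == "password" and failures_by_ip_user[key] >= brute_failures:
            # A success right after repeated failures means the guess worked:
            # this is the one to contain first.
            findings.append(("success_after_failures", e["ip"], e["user"]))
    for ip, users in failed_users_by_ip.items():
        if len(users) >= spray_users:
            findings.append(("password_spray", ip, None))
    for (ip, user), n in failures_by_ip_user.items():
        if n >= brute_failures:
            findings.append(("brute_force", ip, user))
    return findings


if __name__ == "__main__":
    for finding in detect(parse(SAMPLE_LOG)):
        print(finding)
```

In a real deployment the same logic would run continuously against the log pipeline rather than over a string, and the "success after failures" finding would page the on-call responder directly, since it indicates a compromised account rather than merely an attempt.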
Incident response process
What does an incident response team do? The SANS Institute has identified six steps in the incident response lifecycle:
- Preparation. In this phase, organizations set up their policy, response plan, communication channels, documentation, team, access controls, tools and training.
- Identification. This phase involves detecting unusual activity and determining whether or not it qualifies as a security incident.
- Containment. Once you determine that an incident has occurred, your next step should be to prevent any additional damage.
- Eradication. Next, you should remove any malicious code and repair any damage caused to your systems and networks.
- Recovery. After the problem has been eliminated, organizations should bring the affected systems back online slowly and carefully, taking steps to make sure that the incident won't reoccur immediately.
- Lessons learned. Finally, after systems are operating normally again, the team should document the incident and look for ways to harden systems against similar attacks.
Top tips for effective incident response
Experts offer a number of tips for improving your incident response, including the following:
- Don't rely on manual monitoring processes. If you have to wait for security staff to notice something unusual in the traffic logs, it will be too late to stop an attack or mitigate the damage. Instead, look for security tools that can automate the process of alerting you when an incident is underway.
- Set up a "jump bag." When an incident occurs, it may not be safe to use your company networks. That's a problem if your data breach response plan is a file saved on your hard drive or if the only way to access response team phone numbers is through the corporate intranet. SANS Institute recommends putting together a "jump bag" that includes a laptop with forensic software, a contact list for team members, USB drives and all the tools you will need to diagnose, contain, eradicate and recover from an incident.
- Create checklists. In a stressful situation, people are likely to make mistakes or leave out steps even when going through a familiar process. Checklists that tell the team exactly what to do, and in what order, can make things run much more smoothly.
- Consider the impact of "shadow IT." In most organizations, employees manage to use some cloud services or technology that the IT department doesn't know about. Your plan should include a process for responding to security threats introduced by these unsanctioned services and tools.
- Establish a baseline of normal behavior. You won't be able to tell if something unusual is happening on your networks until you understand what "usual" looks like. Monitor and document the typical activity you see on your networks to make it easier to identify when an incident occurs.
- Conduct "fire drills" on a regular basis. If your incident response plan doesn't work all that well, you don't want to find that out in the middle of a major attack. Schedule and run tests of your incident response capabilities to determine their effectiveness and look for ways to improve them.
- Review and update your plan regularly. Attackers are always finding new ways to accomplish their goals. Go over your plan every few months to make sure you have accounted for all of the most likely threats and that you are using the latest technology and best practices for incident response.
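Two of the tips above, automated alerting instead of manual log review and establishing a baseline of normal behavior, are really one mechanism: learn what "usual" looks like per asset, then raise an alert automatically when a new observation departs from it. The added example below (not from the original article) does that over constructed per-host outbound-traffic counts using a median and median absolute deviation, which are less easily skewed by a few large values than a mean and standard deviation. It also handles the case the baseline tip implies: a host with no learned baseline cannot be judged normal, so it is flagged rather than silently passed. The records, the 24-hour learning window and the threshold are assumptions for illustration.

```python
"""Baseline-and-deviation alerting over constructed traffic records.

Added example, not the article's own code. RECORDS is constructed; the
learning window and the robust z-score threshold are illustrative.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: (host, hour_index, outbound_bytes). Hours 0-23 form
# the learning window; hour 24 holds the new observations to score.
# web01 and fs02 have steady baselines; fs02 then sends 900 KB in one hour
# and lap77 appears for the first time with no history at all.
RECORDS = (
    [("web01", h, 50_000 + (h % 5) * 1_000) for h in range(24)]
    + [("fs02", h, 20_000 + (h % 3) * 500) for h in range(24)]
    + [("web01", 24, 53_500), ("fs02", 24, 900_000), ("lap77", 24, 4_000)]
)


def build_baseline(records, learn_hours=24):
    """Return {host: (median_bytes, median_absolute_deviation)} per host."""
    by_host = defaultdict(list)
    for host, hour, nbytes in records:
        if hour < learn_hours:
            by_host[host].append(nbytes)
    baseline = {}
    for host, values in by_host.items():
        med = median(values)
        mad = median(abs(v - med) for v in values)
        baseline[host] = (med, mad)
    return baseline


def score(records, baseline, learn_hours=24, threshold=6.0):
    """Return (host, hour, alert_kind, robust_z) for observations after the window."""
    alerts = []
    for host, hour, nbytes in records:
        if hour < learn_hours:
            continue
        if host not in baseline:
            # No history means "usual" is unknown for this asset; surface it.
            alerts.append((host, hour, "no_baseline", None))
            continue
        med, mad = baseline[host]
        # 1.4826 * MAD approximates one standard deviation for normal data;
        # a zero MAD (perfectly constant history) falls back to 5% of the median.
        spread = 1.4826 * mad if mad else max(med * 0.05, 1.0)
        z = (nbytes - med) / spread
        if z > threshold:
            alerts.append((host, hour, "outbound_spike", round(z, 1)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(RECORDS)
    for alert in score(RECORDS, base):
        print(alert)
```

The threshold is deliberately high: a robust z of 6 on hourly volume is far outside day-to-day variation, so it pages on events like the fs02 spike without drowning responders in noise, which is what makes the automated alert usable at all. The baseline should be rebuilt on a rolling window so that it tracks legitimate changes in how a host is used.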
Setting up an incident response team
Who should serve on your incident response team? Some of the team members you should include seem obvious. For example, if you have a chief information security officer, he or she should definitely be on the team. Others may be less obvious. For example, many organizations find it helpful to have an attorney on the team to help make sure the company is meeting its legal obligations.
Every organization is different, so the exact mix of personnel on your incident response team will vary depending on your size, industry, likely security threats and other factors. The SANS Institute recommends that you consider including people from the following groups within your organization:
- Upper level management
- Information security
- IT auditing
- Security (the people responsible for physical security at your location)
- Human resources
- Public relations
- Financial auditing
In some cases, it may be helpful to contract with outside vendors who can provide some incident response services. For instance, you may want to hire an outside attorney, PR firm or information security specialist with expertise in responding to security incidents and data breaches.
Top tips for maintaining an incident response team
- Provide clear guidelines on what constitutes a security incident. Everyone needs to understand which sorts of events require a response from the team and which do not. Some incidents, such as a major data breach, may require you to mobilize the entire team, while others, such as a lost laptop, could be handled by one or two people. Make sure those details are documented so that there isn't any confusion when an incident (or potential incident) occurs.
- Define team member roles and responsibilities. You should also carefully document what each person will do in response to each type of incident. Getting everything in writing minimizes the chances that a key task will slip through the cracks.
- Train your team regularly. Make sure your incident response team is up to date on the latest attack vectors and the steps necessary to counter them. That means scheduling training sessions where you go over new security trends and review your incident response plan.
- Establish and use internal and external communication tools. In the midst of a security incident, you may not have access to all of your usual communications methods. For example, if an intruder has gained access to your internal collaboration platform, you may not want to use that collaboration platform to alert team members, because that would tip off the hacker. A security incident might also be accompanied by a power outage or a loss of cell service that would make it impossible to use some forms of communication. For these reasons, you should establish multiple methods of communication and specify in your plan when to use each.
Crafting an incident response plan
Writing your security incident response plan may seem like a daunting prospect. If so, you're not alone. An Enterprise Strategy Group Survey of North American IT security professionals found that 98 percent of respondents admitted to experiencing challenges with their incident response process.
Fortunately, you don't have to start from scratch. Many organizations have published downloadable templates and other resources to help you create your incident response plan. Here are just a few:
- NIST Computer Security Incident Handling Guide
- SANS Institute Incident Handler's Handbook
- SANS Institute "Incident Response: How to Fight Back"
- Department of Homeland Security Cyber Incident Response Page
- U.S. Computer Emergency Readiness Team (US-CERT) National Cyber Incident Response Plan (NCIRP)
- Cloud.Gov Security Incident Response Guide
- FIRST Global Forum for Incident Response and Security Teams
- Carnegie Mellon University Software Engineering Institute CERT Division CSIRT FAQs
- California Information Technology incident response plan example
Incident Response Vendors
Incident response is usually offered as a service by security vendors, although some, like IBM, Carbon Black, Intel/McAfee and Blue Coat, also offer incident response products. Vendors offering incident response services include the following:
- Carbon Black
- Check Point