Implementing a Robust Incident Response Plan: Key Steps and Considerations

The average time organizations take to detect cyberattacks is 10 days following a system breach. In certain instances, such as data breaches, the identification process can extend to nearly seven months.

When factoring in the time needed to respond to an intrusion, the overall costs can severely affect an organization’s financial health and reputation. Yet, over 75% of organizations globally lack effective cybersecurity incident response plans.

Establishing a clearly defined and well-rehearsed IR plan enables organizations to better handle and reduce the repercussions of cyberattacks.

This article outlines the essential steps for business leaders, cybersecurity experts, and IT personnel to develop and maintain a robust IR plan. It also includes practical illustrations of successful incident management to support these recommendations.

Why a Robust Cybersecurity IR Plan Is Important

There are several reasons for having a robust cyber IR plan, including reduced downtime, financial savings, reputation management, and regulatory compliance.

Here’s more about each of these benefits:

Reduced Downtime

Delays in detecting and containing cyber threats can cause prolonged outages, costing organizations vast sums of money and damaging their reputations.

Organizations with strong IR plans are better placed to prevent cyber-attacks, and to limit downtime when an attack does get through. A good example of such an organization is Cisco, a network and security behemoth.

On May 24, 2022, Cisco detected a potential compromise of its corporate network. The attacker had obtained an employee's credentials from a synced personal browser profile and then talked the employee into approving MFA push notifications, gaining VPN access and attempting to move laterally and escalate privileges. The attacker was unable to reach critical internal systems such as those associated with product development or code signing.

When they attempted to log in to multiple systems, the Cisco Security Incident Response Team (CSIRT) took notice and evicted them from the environment, and kept evicting them on each later attempt to regain access. Cisco's operations were not disrupted and no sensitive information was stolen.

Financial Savings

A robust IR plan can save organizations millions of dollars by reducing costs associated with ransom payments, fines, penalties, and legal fees from potential lawsuits.

In 2017, Equifax, a global credit bureau, exposed the sensitive information of about 147 million U.S. consumers and 13.8 million UK consumers after failing to patch a publicly known vulnerability in a public-facing web application. The attackers stole names, dates of birth, social security numbers, driver's license numbers and, for a smaller group, credit card numbers.

This resulted in the company spending over $1.9 billion on fines, legal fees, and security transformation. As a result, the company's profitability was negatively impacted.

Equifax discovered the intrusion on July 29, 2017, roughly two and a half months after it began, and did not inform the public until September 7, about six weeks after discovery. Both delays point to weak detection and to the absence of a solid, rehearsed IR plan.

A strong incident response plan reduces the financial consequences of cyber-attacks.

Reputation Management

Maintaining trust, preserving customer loyalty, and protecting an organization’s reputation is crucial. Building a solid reputation takes years and involves substantial time and financial investment.

In 2018, British Airways (BA) suffered a data breach in which attackers exfiltrated the personal and financial data of some 429,612 customers and staff. BA suffered financial losses from its non-compliance with the General Data Protection Regulation (GDPR), and its reputation dropped.

The data breach contributed to BA’s drop in reputation ranking from 31st to 55th out of 65 organizations.

Regulatory Compliance

Many organizations operate in industries with strict cybersecurity regulations. For instance, Department of Defense contractors must adhere to the Defense Federal Acquisition Regulation Supplement (DFARS), which aims to ensure external contractors and suppliers comply with cybersecurity standards.

Failure to comply with regulations can lead to increased downtime, higher costs, and reputational damage. A U.S. House of Representatives committee report called the 2017 Equifax breach "entirely preventable", and in 2023 the UK's Financial Conduct Authority (FCA) fined Equifax Ltd about £11 million (roughly $13.4 million) over it.

Armed with solid cybersecurity IR plans, organizations can prevent or minimize cyber-attacks and keep their reputations intact. They’ll also reduce downtimes and financial losses.

They will also have clear strategies for communicating the incident to authorities and the public.

Step-by-Step Process for Creating a Robust IR plan

The stakes in cybersecurity are high. The difference between a minor incident and a catastrophic failure hinges on an organization's preparedness.

A well-designed IR plan begins with thorough preparation, followed by identification of the threat. The remaining steps, containment, eradication, recovery, and lessons learned, complete the PICERL sequence. It maps onto the NIST SP 800-61 incident response lifecycle, which groups containment, eradication, and recovery into a single phase and calls the final step post-incident activity.

This section dissects each stage of an effective IR plan process, offering a roadmap to enhance an organization’s security posture. With this blueprint, organizations will be equipped with an IR plan that not only responds to cyber incidents but also anticipates and thwarts them.

Preparation

Preparation (P) is the backbone of a robust IR plan, ensuring minimal impact when an incident occurs. It involves two key elements: preventing incidents and preparing to handle them when they happen.

The success of an IR plan lies in appointing a strong incident response team and giving it the training, tools, and resources it needs. While the team's primary role is handling incidents, it must also contribute to incident prevention.

Preventing Incidents

Ideally, an organization should prevent cybersecurity incidents as its first line of defense. Weak prevention strategies can expose the organization to multiple attacks, leaving the incident response team overwhelmed.

Preventative measures include risk assessments, user awareness and training, malware prevention, and enhanced network security. Once these safeguards are in place, organizations must conduct continuous cybersecurity audits to maintain and improve their posture.

The IR team aids in incident prevention by identifying cybersecurity issues, spotting training gaps, and contributing to risk management.

While this article focuses on handling cybersecurity incidents, preventing them will be covered elsewhere.

Incident Handling

Thorough preparation enables an organization to respond swiftly to a cybersecurity incident. This requires establishing and training an incident response team and developing communication plans.

An incident response team is a multidisciplinary group comprising members from roles such as legal, human resources, IT, public relations, management, finance, and research and development.

Training team members to handle their roles effectively is crucial. Purple teaming simulations can prepare the team to address a wide range of potential threats.

This training also enhances communication and speeds up incident containment. Team members learn to coordinate with stakeholders and meet notification requirements.

It’s essential to establish a communication plan with backup tools and coordination resources for continuous operation, even when the primary systems fail. This is a crucial component of an overall business continuity plan.

Quicker containment minimizes the impact on business operations, reducing financial losses and potential reputational damage.

Identification and Analysis

Identification (I) is a critical phase of a robust IR plan, working in tandem with preliminary analysis to validate the incident. Without verifying the incident, the organization might waste resources responding to a false positive.

Quick incident validation is also crucial to allow the organization to decide if it needs to initiate a full response.

An organization must detect and validate an event as quickly as possible. Failure to do this can severely impact it. For example, Anthem (now Elevance Health), a major U.S. health insurance company, suffered a data breach in which nearly 80 million personal records were exfiltrated.

The compromised information included social security numbers, income data, email addresses, birthdays, and names.

The intrusion began on February 18, 2014, but Anthem only identified and validated the attack on January 27, 2015, more than a month after the attackers had begun querying its data warehouse. Two days later, the organization reported the incident to federal authorities. On February 5, 2015, Anthem notified the public through a press release.

Nearly a year of undetected access underscores the importance of effective incident detection.

A robust IR plan includes continuous monitoring tools such as Security Information and Event Management (SIEM) systems, intrusion detection systems (IDS), and other tracking tools. Monitoring should be combined with alerts for suspicious activities like data transfers or unusual login attempts.

Equally important, organizations should establish and adhere to well-defined cybersecurity policies and processes. Solid policies ensure systematic and effective responses to incidents, while consistent processes help maintain order and reduce the risk of oversight.

To detect potential threats, it’s essential first to determine the baseline behavior of the organization’s systems. Deviations from this normal behavior can trigger alerts, activating this phase of the IR plan.
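The baseline-then-deviation idea above, as an added example that is not part of the original article: a small Python detector that learns each user's usual source addresses, login hours and transfer sizes from a quiet period, then raises alerts for a login from a new source address, an off-hours login, a burst of failed logins, or an outbound transfer far above the user's previous maximum. The log format, the user names and every event below are constructed for the example; a real deployment would be fed from a SIEM or IDS rather than from inline lists.

```python
"""Baseline-and-deviation detection over constructed auth/transfer events.

Added example, not code from the article. The event format and all events
are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    user: str
    src_ip: str
    action: str          # login_ok | login_fail | transfer
    bytes_out: int = 0   # only meaningful for transfer


@dataclass
class Baseline:
    ips: set = field(default_factory=set)    # source addresses seen logging in
    hours: set = field(default_factory=set)  # hours of day with successful logins
    max_bytes: int = 0                       # largest single outbound transfer


@dataclass
class Alert:
    ts: datetime
    user: str
    reason: str


def parse(line: str) -> Event:
    """Constructed format: '<iso-timestamp> <user> <src_ip> <action> <bytes>'."""
    ts, user, ip, action, nbytes = line.split()
    return Event(datetime.fromisoformat(ts), user, ip, action, int(nbytes))


def build_baseline(events):
    """Summarise what 'normal' looks like per user from a known-quiet period."""
    baseline = defaultdict(Baseline)
    for e in events:
        b = baseline[e.user]
        if e.action == "login_ok":
            b.ips.add(e.src_ip)
            b.hours.add(e.ts.hour)
        elif e.action == "transfer":
            b.max_bytes = max(b.max_bytes, e.bytes_out)
    return dict(baseline)


def detect(events, baseline, fail_threshold=5,
           fail_window=timedelta(minutes=5), transfer_factor=10):
    """Compare a later window of events against the baseline; return alerts."""
    alerts = []
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    for e in sorted(events, key=lambda ev: ev.ts):
        b = baseline.get(e.user)
        if b is None:   # a principal the baseline never saw is itself a deviation
            alerts.append(Alert(e.ts, e.user, "activity from principal with no baseline"))
            continue
        if e.action == "login_ok":
            if e.src_ip not in b.ips:
                alerts.append(Alert(e.ts, e.user, f"login from new source {e.src_ip}"))
            if e.ts.hour not in b.hours:
                alerts.append(Alert(e.ts, e.user, f"login at unusual hour {e.ts.hour:02d}:00"))
        elif e.action == "login_fail":
            window = recent_failures[e.user]
            window.append(e.ts)
            window[:] = [t for t in window if e.ts - t <= fail_window]
            if len(window) == fail_threshold:   # fire once when the burst crosses the line
                alerts.append(Alert(e.ts, e.user,
                                    f"{fail_threshold} failed logins within {fail_window}"))
        elif e.action == "transfer":
            if b.max_bytes and e.bytes_out > transfer_factor * b.max_bytes:
                alerts.append(Alert(e.ts, e.user,
                                    f"outbound transfer of {e.bytes_out} bytes, "
                                    f"{e.bytes_out // b.max_bytes}x the previous maximum"))
    return alerts


# Constructed training window (assumed clean) and a later live window.
TRAINING_LOG = [
    "2024-03-01T09:15:00 alice 10.0.0.5 login_ok 0",
    "2024-03-01T17:40:00 alice 10.0.0.5 login_ok 0",
    "2024-03-02T10:02:00 alice 10.0.0.7 login_ok 0",
    "2024-03-02T11:30:00 alice 10.0.0.7 transfer 2000000",
    "2024-03-01T08:50:00 bob 10.0.1.9 login_ok 0",
    "2024-03-02T09:10:00 bob 10.0.1.9 login_ok 0",
    "2024-03-02T14:00:00 bob 10.0.1.9 transfer 500000",
]
LIVE_LOG = [
    "2024-03-05T03:12:00 alice 203.0.113.44 login_ok 0",      # new source, 03:00
    "2024-03-05T03:20:00 alice 203.0.113.44 transfer 50000000",  # 25x her maximum
    "2024-03-05T09:00:00 bob 10.0.1.9 login_fail 0",
    "2024-03-05T09:00:30 bob 10.0.1.9 login_fail 0",
    "2024-03-05T09:01:00 bob 10.0.1.9 login_fail 0",
    "2024-03-05T09:01:30 bob 10.0.1.9 login_fail 0",
    "2024-03-05T09:02:00 bob 10.0.1.9 login_fail 0",           # fifth failure in 2 min
    "2024-03-05T09:05:00 bob 10.0.1.9 login_ok 0",             # normal for bob
    "2024-03-05T10:00:00 mallory 198.51.100.2 login_ok 0",     # unknown principal
]


def run_example():
    baseline = build_baseline(parse(line) for line in TRAINING_LOG)
    return detect([parse(line) for line in LIVE_LOG], baseline)


if __name__ == "__main__":
    for a in run_example():
        print(a.ts.isoformat(), a.user, a.reason)
```

The thresholds (five failures in five minutes, ten times the previous maximum transfer) are deliberately simple; the point is that every rule compares the live event against what the baseline recorded for that user, so the same code keeps working as new users and hosts are added, and tuning means adjusting the baseline window rather than rewriting rules.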

Since the cybersecurity world is dynamic, with new and more advanced attack techniques appearing constantly, it's critical to keep detection mechanisms up to date. Doing so helps organizations stay ahead of cyber criminals.

By following these established protocols, organizations can ensure a swift, coordinated response to potential threats and minimize the impact of security incidents.

Containment

Once the organization identifies and validates an incident, it must contain it, which ushers in the containment (C) phase. As mentioned earlier, this step aims to isolate the threat, preventing further damage.

There are two linked stages of containing a cyber incident: short-term and long-term containment.

Short-term containment initiates the efforts to handle the incident once it’s detected. It often kicks in within minutes, though it might begin hours later depending on the scale of the incident.

Organizations typically implement short-term containment by immediately isolating affected systems: taking a compromised host or network segment off the network, disabling compromised accounts, or cutting an affected cloud-based app (file storage, collaboration, communication, or project management) off from the rest of the IT estate.

It's crucial to verify that the isolation actually holds, for example that the isolated host can no longer reach the attacker's infrastructure. Before anything is wiped or rebuilt, the team must also capture forensic evidence (disk images, memory captures, and logs) from the affected systems so that it is preserved for later analysis.
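Preserving evidence before touching the affected systems, as an added example that is not code from the article: each collected artifact is hashed into a manifest at collection time, and the manifest is re-verified before analysis so the team can show that nothing changed between collection and examination. The file names, the log contents and the "csirt-oncall" collector name are constructed for illustration.

```python
"""Evidence manifest for short-term containment.

Added example, not code from the article. Hashes collected artifacts into
a manifest so their integrity can be re-checked later. All file names and
contents below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large disk/memory images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(paths, collector):
    """Record hash, size, time and collector for every artifact (chain of custody)."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.abspath(p),
            "sha256": sha256_file(p),
            "size": os.path.getsize(p),
            "collected_at": datetime.now(timezone.utc).isoformat(),
            "collected_by": collector,
        })
    return {"version": 1, "entries": entries}


def write_manifest(manifest, path):
    """Write the manifest; store a copy off the affected host as well."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)


def verify(manifest):
    """Return (path, problem) pairs; an empty list means every artifact still matches."""
    problems = []
    for e in manifest["entries"]:
        if not os.path.exists(e["path"]):
            problems.append((e["path"], "missing"))
        elif sha256_file(e["path"]) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed scenario: collect two artifacts, then one is altered."""
    with tempfile.TemporaryDirectory() as d:
        auth_log = os.path.join(d, "auth.log")
        history = os.path.join(d, "bash_history")
        with open(auth_log, "w") as f:   # constructed log line, TEST-NET address
            f.write("Mar  5 03:12:01 web01 sshd[4242]: Accepted password for alice "
                    "from 203.0.113.44 port 51022 ssh2\n")
        with open(history, "w") as f:    # constructed attacker command
            f.write("tar czf /tmp/.cache.tgz /var/www/html\n")
        manifest = collect([auth_log, history], collector="csirt-oncall")
        write_manifest(manifest, os.path.join(d, "manifest.json"))
        before = verify(manifest)
        with open(history, "w") as f:    # a well-meaning admin "cleans up" the history
            f.write("")
        after = verify(manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("at collection:", before or "all artifacts verified")
    print("after cleanup:", after or "all artifacts verified")
```

The manifest itself should be hashed or signed and stored somewhere the affected host cannot reach, otherwise an attacker with access to the host could rewrite both the artifact and its recorded digest.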

Long-term containment follows and allows the organization to keep its systems running while the threat is neutralized. The measures taken here are meant to keep the attacker out for good, not just for the moment.

Long-term containment might involve applying patches, increasing monitoring, tightening firewall rules, reconfiguring roles and permissions, and rotating any credentials the attacker may have captured.

Employing these short-term and long-term containment strategies ensures organizations prevent costly downtimes, now and in the future.

Eradication

The eradication (E) phase outlines the strategies for removing the threat and provides guidelines for prioritizing eradication efforts. For this step to be effective, organizations must have robust identification and preliminary analysis stages.

Inadequate identification will lead to fixing or upgrading wrong systems or software, leading to a waste of effort, money, and other resources. It’s critical to identify all affected components within the organization’s system for successful remediation.

The strategies used will vary depending on the type of threat. For instance:

  • If attackers planted malware, the organization can remove it with anti-malware tooling or, more reliably, rebuild the affected host from a known-good image, since a "cleaned" host may still carry persistence mechanisms the tools missed.
  • If the incident involves compromised user accounts, it may require resetting passwords, revoking active sessions and tokens, removing any privileges the attacker granted themselves, and disabling accounts that are no longer necessary.
  • A Domain Name System (DNS) spoofing or cache-poisoning attack is remedied by correcting the poisoned records, flushing resolver caches, and deploying DNSSEC so that responses can be validated rather than trusted. Training users to recognize the signs of spoofed sites adds a further layer of protection.

During the eradication phase, organizations need to monitor their systems to ensure that they’ve removed the threats. This ensures that there are no new malicious activities occurring.

Once eradication is complete, it’s necessary to reassess the organization’s security posture to prevent similar future incidents.

Recovery

The recovery (R) phase aims to restore the organization's systems to normal operation. Actions might include patching the exploited vulnerabilities, rebuilding affected systems from clean images, or restoring data from backups taken before the compromise.

Organizations must ensure they securely restore and validate their systems, communicate with stakeholders, document actions taken, and conduct security audits with continuous monitoring to prevent future incidents.

Like eradication, prioritizing recovery is crucial, especially in large-scale incidents that can take months to resolve. Quickly restoring systems minimizes the incident’s impact.

Lessons Learned

A robust IR plan is a living document that improves over time. One critical method for enhancing it is gathering and implementing lessons learned (L) from each incident.

Organizations can gain valuable insights by making post-incident lessons learned meetings a requirement in their IR plan. It is valuable to outline the different categories of questions to be discussed during the meeting, such as:

  • What happened during the incident, when was it first detected, and how was it identified?
  • What systems, data, or services were impacted? What vulnerabilities were exploited, and how can they be mitigated?
  • What steps did the incident response team take upon identifying the incident?
  • How did the incident response team, staff, and management respond and were there any challenges?
  • How can the organization prevent similar incidents in the future?

These meetings should involve all relevant stakeholders to create a complete picture of what happened. All information gathered should be documented in an incident summary report and used to update and improve the IR plan.

A robust IR plan always benefits the organization: it helps prevent a repeat of the incident and keeps the security posture improving over time.

Conclusion

The bottom line is that every organization must have a robust IR plan to handle cyber incidents. Without this system, organizations can incur financial losses and tarnished reputations.

Additionally, IR plans help organizations reduce downtimes and comply with regulations.

A robust IR plan covers preparation, identification, containment, eradication, recovery, and lessons learned (PICERL).

With this as a guide, organizations should review and strengthen their existing IR plans. Those that do not yet have one can use this article as a blueprint for developing it.
