Having an Incident Response Plan (IRP) is absolutely critical to any organization's Cybersecurity Program. The primary goal of Incident Response is to identify threats to your business, respond quickly before a threat spreads, and remediate before it can cause damage. Without a plan to understand the scope of an incident, how it happened, and what can be done to prevent future occurrences, businesses face a high risk of disruptions, unauthorized access, and data loss or exposure.
It is not realistic to expect security protections to be effective 100% of the time. So it's not a question of if an incident will happen, but when. When an incident does occur, without a documented plan, even with skilled security resources, it is nearly impossible to follow effectively all the steps that allow the business to successfully defend against and recover from a security incident: responding, reporting, evidence collection, management responsibility, legal protocols, and communications. During an incident, every minute counts, and the faster you can contain the incident and eradicate the threat, the less potential impact, damage, and cost your business may face.
In the CIS Critical Controls, Incident Response Management is Control 17 out of 18. Although the CIS includes Incident Response in the top 18 controls, many security professionals would encourage businesses to raise its priority and begin addressing it within the top 5 controls, or simply to address it as soon as possible. The reality is that, no matter how big or small your business is, or how mature your Cybersecurity Program is, an incident can occur at any moment. So your business, specifically the IT and Security departments, should have a documented plan for how to handle a security incident.
So the point here is, don't hesitate or put off creating a plan! This may seem daunting to many businesses and many people can get paralyzed by the complexity of this, but having some kind of plan, even something short and simple, is better than not having any at all. This could save your organization thousands of dollars!
Cybersecurity Incident Response Guide, Part 1
There are some excellent resources you can leverage to help construct your own Incident Response Plan. The CIS Critical Controls are an excellent place to start if you do not have a plan today and are looking to create one for the first time. Even if you have an informal plan, or a plan that you may feel is incomplete or out of date, we strongly recommend looking there first. CIS Control 17 covers Incident Response Management and there are 9 individual safeguards (sub-controls) that should be addressed as part of this.
These safeguards include:
Designate Personnel to Manage Incident Handling
Establish and Maintain Contact Information for Reporting Security Incidents
Establish and Maintain an Enterprise Process for Reporting Incidents
Establish and Maintain an Incident Response Process
Assign Key Roles and Responsibilities
Define Mechanisms for Communicating During Incident Response
Conduct Routine Incident Response Exercises
Conduct Post-Incident Reviews
Establish and Maintain Security Incident Thresholds
The first three of those safeguards are part of Implementation Group 1 (IG1), and every business should have them in place as a top priority.
Additionally, NIST has some excellent resources that offer greater detail on Incident Response and on the steps that make up each of the major phases universally recognized throughout the Cybersecurity community. You can reference the NIST Cybersecurity Framework (CSF), which covers this, or, for a more thorough treatment, the Computer Security Incident Handling Guide, SP 800-61 (links below).
Many frameworks reference five key phases: Preparation, Identification (which includes Detection and Analysis), Containment, Eradication, and Recovery. Most also recognize a sixth and final phase, usually referred to as Lessons Learned or Post-Incident Activity.
We will be diving into each of the CIS Controls, as well as each of the six major phases in Incident Response in upcoming guides. So please keep an eye out for those in the near future, but until then, take a look at the links below for the resources you need to get working on your own Incident Response Plan!
Review these sources for more information
CIS Controls Version 8 - Control 17 Incident Response Management (2021) https://www.cisecurity.org/controls
NIST Cybersecurity Framework, Version 1.1 (2012) https://www.nist.gov/cyberframework/framework
Computer Security Incident Handling Guide, SP 800-61 Rev. 2 (2018) https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Digital Forensics and Incident Response (DFIR) Framework for Operational Technology (OT) (2022) https://www.nist.gov/publications/digital-forensics-and-incident-response-dfir-framework-operational-technology-ot
Quick walkthrough of NIST Special publication 800 - 61 Rev2 https://www.youtube.com/watch?v=0AGs8bE9L2U