What are the phases of incident response and what are the key points within each?
In this article we look at the 6 phases of incident response, to help you defend your business, in detail:
Defining a ‘Cyber Incident’
The US Health Insurance Portability and Accountability Act (HIPAA) security standard defines an incident as:
‘The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’ (HIPAA Regulation 164.304 – Definitions)
It is a wide definition and could encompass almost any unusual event on an information system in a business. Just about anything, from discovering malware to identifying suspicious user activity, could be defined as a cyber incident under these standards. So how do you know when it’s time to implement a full incident response plan?
The answer is that it’s always time to implement your incident response plan.
Often, the incident could be relatively minor, without the need of a full-blow response, but this will not be clear until an investigation begins, therefore it’s important that every event is responded to, and the investigation starts, in the same way.
Following the incident response advice from both the SANS Institute and National Institute of Standards and Technology (NIST), incident response is generally broken down into six phases; preparation, identification, containment, eradication, recovery and lessons learned. Most organizations mainly focus on containment, eradication, and recovery and completely skip lessons learned, but this last phase is the most important for the continued battle against cybercrime.
1. Preparation
Preparation can be as simple as making sure you have a trained incident response team; inhouse, contracted or at least a business card to know who to call.
Pen-test and Patch
Malware often enters systems through known vulnerabilities. Knowing these vulnerabilities in advance through continuous vulnerability assessment (pen-testing, security auditing etc.) and then remediation by regularly patching systems can help prevent the malware from getting onto your computers in the first place.
Create and protect your back-ups
Ransomware, in particular, destroys backup files and encrypts regular files. Therefore, frequently back-up all documents to a location that can’t be affected by the malware (e.g. offline storage) and then ensure these files can be restored easily if needed.
Prepare a response plan
Your business should develop an incident response (IR) plan that should detail the specific actions people should take as soon as it becomes apparent that an attack is underway to ensure a prompt response in a situation where time is of the essence to stop or contain a serious situation. An incident response tool such as CyberCPR not only provides a quick, easy-to-use and secure platform to carry out incident response, but it is also a useful every-day tool to use to monitor changes and refer to previous events.
Assign least privileges
One critical aspect to defending against an attack is to apply ‘least privilege’ when it comes to file shares in particular. Many organisations will have one file share accessible to everyone within the company. Creating a ‘least privilege’ policy and giving file access on a need-to-know basis can limit the damage caused by malware infection substantially.
Connect with industry and threat intelligence sources
Connect with industry intelligence and threat intelligence sources and industry lists specific to crime-ware or malware, and regularly feed those indicators back into detection mechanisms such as ‘intrusion detection systems’ (IDS).
Protect your endpoints
Deploy endpoint protection tools that have the ability to detect and automatically respond to infections in the early stages. These tools can be used to detect infections early-on and respond to them automatically and quickly so that they don’t become big incidents.
Educate users
Many attackers rely on social engineering tactics that are growing more and more sophisticated. Employees need to be educated in what to look out for, to report any unusual activity on their devices and what to expect.
Consider cyber security insurance
‘The average cost of a breach rose in 2019 to more than $8 million in the US’ (Ponemon Institute)
For a larger than average enterprise, such costs can be greater, possibly into millions or even billions.
These days, having cyber insurance that covers a company for costs related to cyberattacks is the last in the line of risk mitigation tools to lessen or defer a company’s cyber risk. It is, however, an important one to consider as step to defending your business, as data breaches and other cyber incidents are happening daily to small business and large corporate alike, even ones with large information security departments.
2. Detection and Identification
Should your business get hit with an attack, you can minimize the damage if you can detect the malware early.
Prime your defence devices
Use threat intelligence sources to block or at least alert on the presence of anomalies associated with ransomware in your network traffic.
Screen email for malicious links and payloads
Use tools that can detect malicious attachments or perform attachment scanning to look for executable attachments within phishing emails.
Look for signs of encryption and notifications
Look at your environment and understand what your remote desk protocol (RDP) exposure is, and make sure you have two-factor authentication on those links or have them behind a virtual private network (VPN).
Attackers may start with control of just one PC on a network – perhaps via a phishing email (indeed, a spate of phishing emails could be an indicator of an attack, and if staff are trained to spot them this could provide an early warning).
An attacker may also then try to increase their reach by creating an administrator account for themselves, and use that extra power to start disabling security software, look for accounts that are created outside account management system. Also look for random filename patterns to detect if ransomware as it is actually running.
Scope the incident
Scoping the incident can identify whether it is a mass distribution attack where you are usually dealing with maybe a few hosts that are infected, or a targeted attack that will usually affect more systems
3. Containment
Containment often takes place immediately after identification, or sometimes concurrently. Damaged systems need to be removed, devices isolated and compromised accounts locked down.
Isolate the afflicted endpoint
The best means of containment is usually to have an endpoint protection system that can look for the execution and remove the process.
Try and get the local system shutdown as quickly as possible so that the least amount of files are encrypted. The incident needs fully scoping so a containment plan can be quickly implemented.
4. Eradication
Once the ransomware incident is identified and contained, it needs to be removed from the network, and any damage discovered in the identification phase remediated. This is usually done by restoring systems from backup and re-imaging workstation systems.
Eradication of a cyber infection should only be done by trained professionals and once a comprehensive investigation is completed.
Replace, rebuild or clean
It’s usually more recommended that machines are replaced rather than cleaned as there can be tool an attacker has put in place which may not be detected and caught through just a clean-up of the system and could re-infect devices.
However, for network locations such as mailboxes or file shares, sometimes it is more pertinent to clean those locations, remove the malicious email message from the mailbox, or ransomware instructions from the file share. If this is done, it is important to continue to monitor to prevent the attack from re-emerging.
5. Recovery
Follow your disaster recovery plan to get all affected systems up and running again and get back to business as usual.
Recovery includes testing of the fixes in the eradication phase and transition back to normal operations. Vulnerabilities need to be patched, passwords need to be changed or removed altogether for compromised accounts and replaced with more secure methods of access.
Functionality can then be tested and day to day business resume.
Restore from a clean back-up
The number one task is to restore from backup. With good, verified backups, a ransomware attack can almost be made into a non-event as you can simply replace or clean your systems and then recover from backups. There may be a couple of hours down-time required to restore from backup, but it shouldn’t be a large impact issue.
Full investigation
To complete the recovery phase, a full investigation into the ransomware attack as to what specific infection vector was used against the system is needed. Was it a phishing email? Or a web-based attack kit? If the latter, how did that user get to that webpage? It is easy for a victim to have innocently visited a self-help page via Google and then be redirected to strategically compromised website that then infects them. Knowing how the ransomware came onto the system in the first place helps to prepare and improve defence systems for the future.
6. Lessons Learnt
This last phase is often missed, but is arguably the most important to prevent future incidents as it’s common for hackers to duplicate successful attacks and hit victims over and over again. As noted in the full investigation, knowing how a system firstly became infected is vital to understand how to protect from future attacks.
It’s not just finding out how it happened, but reviewing the steps that were taken during each phase and improving on them where possible.
Often businesses will be quick to delete, restore, and re-image at the first sign of an incident before they’ve learned how the attacker got in, or how much damage was really done. Not stopping to consider the implications of what caused the security incident and how it was managed means a business will never improve its cybersecurity standing. Whether it was human error, security holes, or a flaw in a security product, an organization needs to review what went wrong and how it was handled to positively use the incident as a learning and implement better preventative measures and improved incident management steps.
Without this stage, a business can easily find itself repeating the same steps again and again, against the same attack, with no improvement.
What next?
Incident response is best performed by people trained and equipped for incidents. Considering a SOC (Security Operations Centre) is a valuable asset if the organisation is large enough, however for small businesses (SMEs) there is a wealth of managed security services providers (MSSP) who can supply such a service. Most importantly the processes of a SOC or MSSP need full support and commitment from leadership within the business and dedication from all employees to make cyber security a priority, through training and basic understanding of what to look out for.
If you’re considering an incident response platform check out our blog post ‘Choosing a cyber incident management platform’ here. Or Contact us using the online form to discover how the CyberCPR platform may help your business.