Don’t Wait Until a Cyber Attack to Formulate an Incident Response Plan

You’ve got all the latest newfangled AI incident detection solutions set up, and you’ve tuned the detection devices to the max to iron out those false positives. Then, out of nowhere, the dreaded red lights start to flash, all those nice green traffic lights turn red, and you have a full-blown cyber attack on your hands…

What’s your next step? Are you ready for a cyber incident? Of course you are, you’ve got a tried and tested incident response plan in place. 

Prepare, Respond and Follow Up

2018 saw an increase in cyber attacks and information security breaches: 72% of large UK organisations identified an information security breach in 2018, compared with 68% in 2017.

Organisations will never eliminate incidents entirely, but they can prepare an effective response and do all they can to minimise the impact when one does happen.

Incident reporting is now a major factor in regulatory compliance: GDPR, the NIS Directive, the NHS DSP Toolkit, CareCERT and Scotland’s Cyber Resilience Strategy all impose incident reporting requirements, with deadlines (GDPR, for example, requires a personal data breach to be notified to the supervisory authority within 72 hours of the organisation becoming aware of it, where feasible) and fines if breaches are not reported within those timeframes. Incident reporting is also becoming an increasingly common contractual requirement.

An organisation’s ability to detect, react to and recover from security incidents in a fast, planned and coordinated fashion is of paramount importance to its operation, resilience and success.

The purpose of incident response management is to prepare for and respond to unexpected, disruptive events such as cyber attacks, with the objective of keeping their impact within acceptable levels.

While it is important for organisations to have preventive measures in place to avoid security incidents, it is equally important that there is a robust, tried and tested response plan in place should an incident occur. Many organisations have business continuity plans, and these are a vital part of incident response, but very few have an actual incident response plan.

Incident response management shouldn’t just be for larger organisations. A cyber attack on a small business, such as a hacking attack on your website or a ransomware attack, could put you out of business if your website is down for several days or you can’t fulfil customer orders because systems are locked down or unavailable. This isn’t scaremongering; it’s a very real threat.

Incident Management Approach

Romano Security Consulting advocate the implementation of an incident management framework based on ISO 27035 and the CREST Cyber Security Incident Response (CSIR) guidelines, using the Prepare, Respond and Follow Up approach. This can be broken down further into six key areas:

  • Preparation – conduct a business impact analysis (BIA) and a threat analysis, develop scenarios, develop an incident response plan, implement technical defences, review readiness.

  • Identification – incident detection and monitoring, investigation and triage; not every alert, outage or suspicious event is a cyber attack, so learn to identify the ones that actually are.

  • Containment – contain the damage and isolate affected systems; where volatile evidence (memory, running processes, network connections) may be needed, isolate the machine from the network rather than powering it off.

  • Eradication – gather and preserve evidence before removing the cause, then eradicate it (the malware, compromised accounts and the weakness that was exploited).

  • Recovery – restore systems, data and connectivity, and monitor closely for signs of re-infection or re-entry.

  • Lessons learned – often overlooked and crucially important: what happened, why, how and who was involved, and what you can do to avoid a repeat performance.

Incident Response Plan 

Your incident response plan doesn’t have to be War and Peace, and it’s probably much more effective if it’s not, but it needs to be clear and concise and should contain or link to the following information:

  • Critical Asset Register – what your critical assets are and where they are

  • Data Flows – where your data is stored and where it is transferred to and from

  • Interfaces – which systems interface with and rely on other systems

  • Incident Process – the six key areas above

  • Incident Scenarios – your biggest threats identified, with a documented plan for each one

  • Escalation Points – who you are going to call: IT manager, incident response team, information security manager, CEO, the board

  • Roles and Responsibilities – who does what, when and how

  • Contacts – internal and external, including out-of-hours numbers for key staff, suppliers, legal advisers and the regulators you must notify

  • Press Releases – templates for the updates and information you will release during the incident

  • Templates and Logs – evidence templates and point-in-time incident logs

The incident response plan should be stored securely but must be readily available. There is no point only storing the plan on the company network if the company network is brought down: keep an up-to-date copy offline (printed, or on a device that does not depend on the corporate network), including the contact lists.

Incident Response Testing 

It is absolutely crucial that your incident response plan is tested at regular intervals, and whenever major changes are made to infrastructure, processes and so on. An untested plan is about as useful as no plan at all.

Tabletop testing is a good starting point: all the relevant parties, such as the incident response team, suppliers and key clients, are assembled to walk through and discuss the plan and test various scenarios.

Live testing should be completed at least annually and involves a full-blown simulated cyber attack such as a denial of service attack, phishing attack or ransomware attack. This service is now offered by several organisations and is a true test of whether, and how well, your incident response plan actually works. The fewer people within the organisation who know the test is scheduled the better, beyond the small group who must authorise it, agree its scope and safeguards, and be able to halt it if it starts to cause real damage.

Romano Security Consulting Incident Management Consultancy

Defend, protect and prepare for cyber incidents and data breaches with our Incident Response Planning and Management Consultancy solutions, based on the CREST guidelines and ISO 27035.

Let us help you plan and prepare for a cyber incident or data breach, and be ready to respond to one quickly.

If you are looking to implement an incident management and incident response solution, then we can help develop a bespoke solution for you utilising the following milestones:

  • Review your current status, perform a gap analysis and recommend suitable controls and appropriate technical measures

  • Assist in asset discovery and perform a Business Impact Analysis (BIA)

  • Advise on the development of a suitable incident response strategy and process

  • Develop an incident response team 

  • Develop a bespoke incident response plan 

  • Provide incident response training 

  • Develop bespoke incident scenarios 

  • Assist and advise on scenario testing 

  • Advise on a suitable framework for continual improvement and ongoing management

Contact Romano Security Consulting today and let us help to put you on the right track to secure your organisation. 

T: 01625 315 021

E: enquiries@romanosecurityconsulting.com
