Do I need a Cyber Incident Response capability?
“Fail to plan and you plan to fail”. How cyber Incident Response planning can make or break your organisation’s future.
Cyber risk management involves doing a lot of work to ensure nothing happens; something referred to in the flight safety industry as a “dynamic non-event”. Those of you who have watched our Cyber Risk Management video [link] will remember that the five elements of cyber risk management include the ‘Impact or Consequences’ on objectives. This reflects the fact that, sooner or later, cyber incidents do occur and they have an impact.
When cyber incidents occur - whether it’s a phishing email, malware attachment, ransomware, third-party supplier compromise or data breach - the only thing that can help you manage the ‘Impact or Consequences’ is a cyber incident response capability.
In this blog we’ll look at what generating such a capability involves and the benefits it offers.
What is a cyber incident response capability?
“Only one thing can help you deal well with a cyber incident: good preparation”
NCSC Incident Management Guide
Recognising the need for a cyber incident response capability means first accepting that there is no such thing as “perfectly secure”. No matter how good our cyber defence measures are, they may one day not be enough to prevent a cyber incident.
The purpose of a cyber incident response capability is to reduce the impact of a cyber incident. This could be by limiting the spread of a malware infection, preventing further data breaches, restoring compromised accounts or systems, initialising fail-over systems or restoring backups, or simply deleting an infected file. The aim is to ensure that the impact on the organisation’s operations, its staff, finances, customers, or anything else of value, is kept to a minimum, and that recovery is as quick as possible. Any incident response activity must also ensure that all legal, regulatory, safeguarding, and data privacy obligations are observed, and that trust and reputation are preserved.
What’s the difference between a cyber incident response capability and an incident response plan?
An incident response capability is the overall term for both the incident response plan and the enabling and supporting controls that make the plan function. Let’s first consider the plan.
The cyber incident response plan is a document containing a structured process with clear decisions and actions that need to be taken when responding to a cyber incident. To understand why we make a plan, rather than relying on judgement and experience, consider aircraft emergencies. The confusion and pressure of any emergency or incident can have an adverse effect on judgement, communication and decision-making. For this reason, commercial and military pilots use printed ‘Flight Reference Cards’ (FRCs) to help guide them when handling aircraft emergencies. This reduces cognitive load and improves their performance when it comes to successfully handling an emergency.
An incident response plan is the same: a set of reliable actions you can follow to handle an incident. Since these are written in advance, in the absence of pressure and uncertainty, you know they can be relied upon to contain almost everything you need to do and think about.
A plan is just a plan, however; in order to work it needs lots of other elements to be in place. To understand this better, we use another analogy: a building fire response plan. This plan will tell you how people should evacuate when a fire is detected, and how the emergency services should secure the building and tackle the blaze. But this plan is nothing without the parts which make it work.
Smoke detectors, infra-red sensors and break-glass cells need to be installed to detect fires. Audio and visual alarms need to be present to alert the building occupants. Communications methods need to be established to notify the emergency services. Evacuation routes and exits need to be installed and signposted. Fire marshals need training in how to evacuate people safely. Fire doors, ventilation shut-offs, sprinklers, and other fire suppression systems can limit the extent of the fire until the emergency services arrive. When they do arrive, the emergency services come equipped with extensive training and equipment to perform their role.
Cyber incident response is no different. A cyber incident response capability includes not just the plan, but also the technical and procedural methods for detecting and alerting on events and incidents. A single point of contact (SPoC) needs to be in place to receive alerts, create an incident ticket, and to triage and escalate the incident. Those directly responding to the incident will need equipment; everything from standalone devices on a separate, non-affected network, to mobile phones, removable media, building access keys, notepads, and digital forensics equipment.
Communications are vital, both internally with staff and colleagues, and externally with suppliers, customers, law enforcement and the wider public. The plan will not work without trained staff; from spotting a phishing email and alerting the SPoC, to performing malware reverse engineering (if that’s your thing…), education and training are vital for success. This is especially true for those staff who need to execute the plan.
The ability to conduct cyber incident response actions depends not just on training and skill, but on having the right accesses and authorisations to inspect, analyse, control, and potentially segregate or disable affected systems. Finally, a good cyber incident response capability should include the ability to conduct routine incident response exercises (internally and with suppliers), as well as a formal close-down, write-up and lessons identified for any real cyber incidents.
The key thing to remember is that a cyber incident response plan is nothing without the enablers mentioned above.
Do I really need an incident response capability?
Every industry-recognised Incident Response publication and reference we know of asserts the importance of having an incident response capability. Even if you’re a small organisation with a limited IT footprint, it’s important to make at least some preparations for cyber Incident Response. If you do experience a cyber incident, a response capability is the only realistic way you’re going to be able to manage it successfully. Even a basic set of procedures and actions is preferable to nothing.
For medium and large organisations, a cyber Incident Response capability is arguably essential, and it should integrate with your Disaster Recovery (DR) and Business Continuity Plan (BCP). In fact, not only is having an Incident Response capability regarded as best practice, it’s required under ISO/IEC 27001, NISR (NCSC CAF), and PCI-DSS. It also has two of the five NIST CSF Functions dedicated to it, and is a vital tool for complying with the breach notification obligations of the Data Protection Act.
Can I build an incident response capability myself?
In simple cases, yes! The basic principles covered in the NCSC guidance and NIST SP 800-61 are great starting points for designing and building your capability. However, these offer only general guidance; to make a truly effective plan requires tailoring and extending this guidance to suit the organisation’s size, operating model, capacity, resource and supplier dependencies.
Clear Cut Cyber can help you grow your capability, whether you want to establish a fully-fledged and integrated cyber incident response capability, or simply want to create a roadmap for building your own.
What are playbooks and how do I make them?
If an incident response plan tells you how to handle *an* incident, a playbook tells you how to handle *the* incident. Playbooks are extensions to the main plan which contain guidance on how to handle specific types of incident, for example ransomware or website cloning.
Since they are specific to a particular type of incident, the guidance they contain is more detailed. Playbooks are especially useful for incidents that are complex (e.g. a malware infection affecting multiple organisational sites) or that could have a large financial or reputational impact (e.g. a ransomware incident, or a data breach of a particular high-value system).
Playbooks can be treated like standalone documents, but they should always reference and cohere with the main cyber incident response plan where possible.
One of the best ways to create a cyber incident response playbook is to run an incident response exercise using a scenario based on the specific incident type you want to focus on. We have extensive experience of designing and running these types of exercise, and of producing the resulting playbooks. As well as generating effective playbooks, they are a great way to build vital stakeholder relationships across the organisation which improves collaboration during real incident response.
Should I have my own incident response team or should I get external support?
There is no easy answer for this as it depends on the complexity, scale, operating model and resource level of the organisation, along with a number of other factors. Most small or medium organisations are better off using an external company to provide them with incident response support, but where you draw the line is up to you. You might want to keep the SPoC and communications functions in-house, but leave the technical work up to your Managed Service Provider or a dedicated third-party cyber incident response company. Having such a company ‘on retainer’ can be a good idea if you want to guarantee yourself quick and easy access to the support you need when you need it, though this is reflected in the cost.
The NCSC has an excellent guide for organisations considering third-party cyber incident response services - link.
If you are a large organisation, especially if you operate a Security Operations Centre (SOC), then you probably already have some kind of incident response capability. This is definitely worth formalising, if it’s not already. However, just because you have a lot of resources and capacity does not mean you have to do it all in-house. A major cyber incident can quickly overwhelm and exhaust even a strong security team, particularly if it lasts more than a day or two. Having someone you can bring in will give your staff a break, and can help promote trust among stakeholders that you are handling the incident professionally.
In all cases, it’s also important to consider out-of-hours coverage for your incident response. This could range from a single mobile phone swapped between staff, through to a 24/7 SOC with a callout list.
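The SPoC workflow described earlier (receive an alert, open a ticket, triage, escalate), the playbook lookup for a specific incident type, the severity uplift for multi-system or high-value incidents, and the out-of-hours callout list can all be captured in a small, data-driven script. The one below is an added example written for this page and is not Clear Cut Cyber’s tooling; the incident types, severity scores, playbook identifiers, rota names, business hours and the retained-provider role are constructed placeholders to be replaced with your own plan’s values.

```python
"""Minimal SPoC alert-triage model (added example; constructed values throughout)."""
from dataclasses import dataclass, field
from datetime import datetime, time

# Constructed playbook catalogue: incident type -> (playbook id, base severity 1-5).
# Types without a playbook fall back to the main incident response plan.
PLAYBOOKS = {
    "phishing": ("PB-PHISH", 2),
    "malware": ("PB-MALWARE", 3),
    "ransomware": ("PB-RANSOM", 4),
    "data_breach": ("PB-BREACH", 4),
    "supplier_compromise": ("PB-SUPPLIER", 3),
}
MAIN_PLAN = "MAIN-IR-PLAN"          # placeholder reference to the top-level plan
ESCALATION_THRESHOLD = 4            # severity at which the IR lead and retained provider are called

# Constructed business hours and a seven-entry callout rota (Monday .. Sunday),
# i.e. the "single mobile phone swapped between staff" in its simplest form.
BUSINESS_HOURS = (time(9, 0), time(17, 30))
CALLOUT_ROTA = ["oncall-mon", "oncall-tue", "oncall-wed",
                "oncall-thu", "oncall-fri", "oncall-sat", "oncall-sun"]


@dataclass
class Alert:
    source: str                      # e.g. "mail-gateway", "edr", "user-report" (constructed)
    incident_type: str
    received_at: datetime
    affected_systems: list[str] = field(default_factory=list)
    high_value: bool = False         # touches a system the plan marks as high value


@dataclass
class Ticket:
    ticket_id: str
    incident_type: str
    playbook: str
    severity: int
    escalate_to: list[str]
    notes: list[str] = field(default_factory=list)


def is_out_of_hours(ts: datetime) -> bool:
    """Weekend, or a weekday outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() <= end)


def assess_severity(alert: Alert, base: int) -> int:
    """Base severity from the playbook, raised for spread and for high-value systems."""
    severity = base
    if len(alert.affected_systems) > 1:   # multiple systems/sites: complex incident
        severity += 1
    if alert.high_value:                  # large financial or reputational impact
        severity += 1
    return min(severity, 5)


def triage(alert: Alert, ticket_no: int) -> Ticket:
    """Open a ticket, select the playbook, score severity and decide who is escalated to."""
    notes = []
    if alert.incident_type in PLAYBOOKS:
        playbook, base = PLAYBOOKS[alert.incident_type]
    else:
        playbook, base = MAIN_PLAN, 2
        notes.append(f"no playbook for '{alert.incident_type}'; follow the main plan")

    severity = assess_severity(alert, base)

    # First responder: the SPoC desk in hours, the rota holder out of hours.
    if is_out_of_hours(alert.received_at):
        escalate_to = [CALLOUT_ROTA[alert.received_at.weekday()]]
        notes.append("received out of hours; callout rota used")
    else:
        escalate_to = ["spoc-desk"]

    # High-severity incidents also go to the IR lead and the retained external provider.
    if severity >= ESCALATION_THRESHOLD:
        escalate_to += ["ir-lead", "retained-ir-provider"]

    return Ticket(f"INC-{ticket_no:05d}", alert.incident_type, playbook,
                  severity, escalate_to, notes)


if __name__ == "__main__":
    # Constructed sample alerts: a weekday phishing report and a weekend ransomware hit.
    samples = [
        Alert("user-report", "phishing", datetime(2024, 3, 12, 10, 0), ["ws-017"]),
        Alert("edr", "ransomware", datetime(2024, 3, 16, 2, 0),
              ["fs-01", "fs-02", "erp-db"], high_value=True),
        Alert("brand-monitor", "website_cloning", datetime(2024, 3, 12, 15, 0)),
    ]
    for n, a in enumerate(samples, start=1):
        print(triage(a, n))
```

The escalation rules live in data (the playbook catalogue, the threshold and the rota) rather than in branching code, so the same script can be kept in step with the written plan when playbooks are added or the callout arrangements change; the ticket’s notes field records why a decision was taken, which is the kind of detail the formal close-down and write-up later relies on.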
Clear Cut Cyber can help you identify and design the right composition of internal and external Incident Response coverage for your organisation.
When is a good time to create an IR capability?
The best time to plant an oak tree was 10 years ago. The second best time is right now. The same principle applies to Incident Response. If your organisation hasn’t done it, then get started as soon as you can. The worst time to be doing Incident Response planning is during an incident!
Contact us to learn more about how we can help your organisation with cyber incident response.