Using Change Auditing for an Effective Incident Response Plan

By Philip Robinson | 02.23.2018 | Data Security


All enterprises should have an incident response plan in place to help minimize the damage caused by a cyber-attack. The plan should enable the enterprise to recover in the shortest time possible, at the least cost, and with the least damage to its reputation. It should include a list of processes to be executed in the event of a breach and should also provide a clear guideline as to what actually constitutes a security incident.

Enterprises will also need to appoint a Cyber Incident Response Team (CIRT): the key personnel responsible for executing the incident response plan. The CIRT consists not only of IT security professionals but also of public relations, human resources, and legal staff, who are required to communicate with executives, stakeholders, supervisory authorities, and the public.

An incident response plan should consist of the following seven key phases.

1. Preparation

The preparation phase consists of ensuring that employees are well trained, specifying the members of the CIRT, and ensuring that the necessary technology has been implemented. Data backups should be taken, and mock data breaches should be conducted to evaluate the effectiveness of the plan.

2. Identification and Scoping

This is perhaps the most important phase of the IRP. Essentially, you will need a fast and effective means of detecting security incidents, so it is essential that you have implemented the right tools and technologies. For example, you will need Endpoint Detection and Response (EDR) and Network Traffic Analysis (NTA) solutions in order to monitor endpoints and network traffic for indications of suspicious behavior.

3. Data Access Security

You will also need to know exactly who has access to your critical data or assets, where those data or assets are located, and when they are being accessed. Solutions such as the file server auditing component of LepideAuditor provide you with real-time details of who has access to which data, who has made what changes, and at what time.

4. Containment/Intelligence Gathering

This phase involves containing the threat to prevent further damage and gathering as much information about the incident as possible. Again, LepideAuditor enables IT teams to review a history of the events that took place before the incident and can generate over 300 pre-set reports, which can be used in potential legal proceedings and to satisfy compliance requirements. You can also make use of threshold alerting technology and automated script execution to increase the intelligence of your detection and response strategies.
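As an added illustration of the threshold alerting and pre-incident history review described in phases 3 and 4 (example code written for this article, not LepideAuditor's own), the script below parses constructed file-server audit lines, raises one alert per user whose file modifications inside a sliding time window exceed a threshold, and then pulls that user's event history leading up to the alert. The log format and the sample events are assumptions made for the example.

```python
"""Threshold alerting over file-server change-audit events (defender-side example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines, one event per line:
#   <ISO timestamp> <user> <action> <path>
# The format is an assumption for this example, not a real LepideAuditor export.
SAMPLE_AUDIT_LOG = """\
2018-02-23T09:00:01 alice READ /shares/finance/q4-report.xlsx
2018-02-23T09:00:10 carol MODIFY /shares/hr/onboarding.docx
2018-02-23T09:01:00 bob MODIFY /shares/finance/budget.xlsx
2018-02-23T09:01:04 bob MODIFY /shares/finance/forecast.xlsx
2018-02-23T09:01:09 bob MODIFY /shares/finance/invoices.csv
2018-02-23T09:01:15 bob MODIFY /shares/finance/payroll.csv
2018-02-23T09:01:20 bob MODIFY /shares/finance/vendors.csv
2018-02-23T09:01:26 bob MODIFY /shares/finance/contracts.pdf
2018-02-23T09:05:00 carol MODIFY /shares/hr/handbook.pdf
2018-02-23T09:10:00 carol MODIFY /shares/hr/policies.pdf
2018-02-23T09:12:00 alice READ /shares/finance/q4-report.xlsx
"""

def parse_events(text):
    """Turn raw audit lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "path": path})
    return events

def threshold_alerts(events, action="MODIFY", limit=5, window=timedelta(seconds=60)):
    """Alert once per user whose count of `action` events inside any sliding
    window of length `window` exceeds `limit` (a simple threshold rule for
    spotting mass file changes). Returns a list of (user, trigger_ts, count)."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != action:
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) > limit and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append((ev["user"], ev["ts"], len(q)))
    return alerts

def history_before(events, user, trigger_ts, lookback=timedelta(minutes=5)):
    """Phase 4 review: the user's events in the lookback period up to the alert."""
    return [e for e in events
            if e["user"] == user and trigger_ts - lookback <= e["ts"] <= trigger_ts]
```

In the sample data only bob trips the rule (six modifications in 26 seconds); carol's three changes spread over ten minutes stay under the threshold.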

5. Eradication/Remediation

Naturally, once the threat has been detected, contained and analyzed, enterprises will need to remove the actual threat from the network and restore the system to a functional, uninfected state. Any compromised credentials will need to be reviewed and reset, and this must be well-communicated to those involved.

6. Recovery

The recovery phase is where all systems are put back into production and monitored to ensure that they are functional and showing no signs that they have been compromised.

7. Follow Up/Lessons Learned

The CIRT should document any issues that arose during the previous phases of the IRP and make suggestions about how these issues could be resolved during future incidents. This documentation should be included in the training material used in the preparation phase.


Lepide® is a Registered Trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.