
Have you considered improving your IR strategy?

March 30, 2016

The Incident Response procedure (or IR strategy) is part of the cyber-security control measures. Following prevention and detection, the IR strategy is critical for the situations where the system has been affected by a breach or by another cyber-security event.

A coherent IR plan should comprise procedures for notifying the authorities and the other concerned parties, as well as procedures to isolate, clean and restore the affected system components and services, and to perform the analysis needed to keep similar events from happening again.

The connected fields (computer security and information technology) provide the necessary tools for the incident manager to efficiently respond and reduce the repercussions as much as possible.

Events that trigger IR strategy measures

Cyber-security events, once they meet the basic condition of a noticeable change that qualifies them as such, belong in one of three categories:

  • Normal (when no critical components are affected);
  • Escalated (when critical systems are affected, senior personnel should participate in the remedying procedures, and some event notifications also need to be issued);
  • Emergency (when its impact risks affecting critical systems and human health and safety or it violates the company’s policy).

The cyber-security controller should identify the occurring incident and notify the concerned parties. Once the incident’s type is determined (see above), the specific procedures will be deployed, according to the previously established IR plan.

A specific concept in IR is the OODA loop, coined by the military strategist (and Pentagon consultant of the late 20th century) John Boyd. OODA stands for observe, orient, decide, and act and it maps the proper strategy in reaction to an event for ensuring the highest probability of making appropriate decisions quicker than the opposing force.

In cyber-security events the opponent is the malicious entity that breached the system. Usually its decisions have been preset during the phase of planning the attack or building the virus/malware/cyber-tool; nevertheless, the quicker the person handling IR reacts, the better. Reacting efficiently is extremely important in minimizing the consequences and containing the damage.

Recommendations in IR strategy

The most common procedures when confronted with a cyber-security incident would be:

  • Containing the attack by isolating the affected system from further outside intrusion (usually by setting specific firewall rules and blocking the source of the attack from accessing the system);
  • Eliminating the infected files (themselves a source of further infection) by deleting, removing or quarantining them and disabling any related active processes;
  • Removing the physical assets or devices that carry the infected files from the network (by powering off any such devices and disconnecting them from the wireless or wired environment).

An important thing to remember while going through these procedures is to take care not to destroy the computer forensic evidence. This is especially necessary when stakeholders and authorities are to be notified, but it is also useful in normal IR procedures, so that the analysis and remedial measures can be adjusted to whatever actually affected the system.

When preparing your IR team, the seven essential steps are the following, according to a previously quoted source:

  • Selecting the appropriate standards (different specific standards are available for various industry groups, and organizations may choose to implement them since they come with useful guidance);
  • Aligning organizational controls with data classification standards for maximum efficiency; especially when resources are limited, they should be concentrated on the most critical elements of the system, without neglecting the possible peripheral weak entry points;
  • Prioritizing the implementation order once the cyber-security IR plan has been drafted, in order to deploy internal resources efficiently and begin with the essential processes, such as encrypting data or modifying the system architecture;
  • Designing the necessary controls in your system or work environment to allow a proper response when and if necessary, from re-configuring applications or network settings to manual procedures and assigning IR roles to some of the staff members;
  • Training the personnel who are to take part in IR in case of an event;
  • Implementing all the above changes and putting them in place, combined with the new incident response awareness of your team;
  • Monitoring the implementation of the new processes over time, to make sure the strategy remains up and active even if (luckily) no event triggers it.

A schematic representation of the IR establishing process also presents a few key elements:

  • Performing an internal cyber-security audit;
  • Creating a response team;
  • Creating a documented IR plan;
  • Establishing the incident triggers and indicators specific to your organization;
  • Establishing investigative procedures;
  • Setting out triage and mitigation procedures.

Trends in IR strategy

Incident Response (IR) ranks among the listed cyber-security trends of 2016. All cyber-security aware companies establish and implement IR procedures and even perform related training exercises to be prepared in case events occur.

However, recent findings show that many industrial sites still lag in IR strategies: their policies are outdated, un-monitored or completely nonexistent. Many ICS/SCADA organizations (critical infrastructure systems included, such as some companies in the water, manufacturing, and oil & gas industries) lack IR plans.

As we have already mentioned in our article on SCADA cyber-security solutions, this situation presents various risks. Running a system that may represent a cyber-attack target automatically requires a full cyber-security strategy, IR plan included. However, the situation is even worse when an unprotected business is bound to be connected with other systems, or its products will become part of further devices or connected networks.

Of course, when IR is mentioned, many would think of a cyber-security incident that has already happened. It seems unlikely that a company (with or without its own IR plan) would launch cyber-infected devices or components on the market once an incident has taken place. But think of how long it took before data breaches or malware infections were detected in many of the known cases.

So why is it important to have an efficient Incident Response strategy? First, to minimize the chances of less severe events going unnoticed or evolving into emergencies. Secondly, if an incident should occur, the same company might find it harder to contain the event, to avoid liability or to regain the trust of its business partners when not deploying an IR strategy. The costs could be considerably higher, as well as the reputation damage.

On the other hand, there are many online resources available for interested organizations to browse. Whether by drafting their own IR plan or by acquiring specialized external cyber-security services, organizations could easily move towards the safer side of the spectrum in just a few steps. Cyber-security incident response plans, or CSIRPs, are part of cyber-security good practice.

In a simple research-oriented browsing session, one may find out the right kind of questions to start with, incident handling guides, or specialized services and products.

Bearing all these in mind, improving or altogether setting up your IR strategy is an important and mandatory step for your business and should be approached as such.