As cybersecurity threats continue to grow exponentially, organizations need to create and implement a cyber incident management framework to protect their business. The increasing sophistication and volume of modern cyber attacks require a proactive approach to mitigate the effects of a potential data breach or system compromise. As such, enterprises need to create and implement cybersecurity practices that allow them to rapidly identify and mitigate any incidents which threaten their systems and data.
A cyber incident management framework is a tool an organization can utilize to help it detect, respond to, and defend against any incident. Furthermore, these measures should form part of a continuous improvement cycle that increases resilience, ensuring an effective defense against any similar future events.
A cybersecurity incident response process typically begins when a system raises an alert. From that moment a carefully crafted response plan should initiate a string of actions. These actions typically include the activation of the organization’s incident response team, who must react to and deter the threat. Following the successful mitigation of the attack, the process should then analyze the incident and provide recommendations to ensure a similar event does not reoccur. ISO/IEC 27035 outlines this process and is an excellent base for organizations that wish to develop a cyber incident management framework.
ISO/IEC 27035 recommends a five-step process for cyber incident response. These are:
Preparing to deal with incidents by creating an incident management policy and establishing a skilled team to deal with any potential threats.
Creating a platform that can identify and report any security-related incidents in real time.
Assessing the impact of the incident and establishing a remediation strategy.
Responding to and resolving any issues that have occurred as a result of the incident.
Conducting a post-mortem and identifying any lessons learned that should form part of the incident management policy moving forward.
The first step in developing a cyber incident management framework is to have the necessary policies, procedures, and people in place to deal with any cybersecurity incident. The starting point of this process involves the establishment of an incident management policy followed by the creation of an incident management plan. A crucial part of this process is the identification of a cybersecurity incident response team (CIRT) that will deal with any security-related incidents. The plan should also identify the technical and support resources which will assist the CIRT and outline security awareness training initiatives.
Identifying the moment a security-related incident has occurred is an essential component of any cyber incident management framework. An organization should implement proactive monitoring solutions that can detect security-related incidents in real time. These solutions should have the capability to generate alerts that automatically notify the CIRT and other relevant parties. Monitoring every possible attack vector is critical, so every device, system, and service, whether on premises or in the cloud, must be covered.
Once the incident has been identified, the CIRT must then assess the potential impact of the event and formulate a plan to respond to the attack. Information is critical during this phase. The CIRT needs as much intelligence as possible to devise their response and mitigate the threat. Consequently, useful and detailed communication from all affected parties is vital in addition to any data from the monitoring system.
On completion of the assessment and plan to mitigate the threat, the CIRT must respond and remediate any issues caused by the incident. The primary goal during this phase is to contain the incident, investigate it, and ultimately resolve it. Containing the incident may involve taking specific systems offline. In extreme cases, the CIRT may invoke the organization’s Disaster Recovery (DR) plan if the incident has created a catastrophic downtime event. Once the threat has been contained, a forensic investigation may be needed to ascertain what caused the incident and what steps need to be taken to resolve it. Typically, this would involve understanding the nature of the threat and implementing the necessary measures to defeat it.
The final step needed in implementing a cyber incident management framework is putting the necessary measures in place to learn from past incidents. This phase typically involves a post-mortem where the investigation identifies any vulnerabilities the attacker used to gain unauthorized access. It could also include probing the response and resolution times of the CIRT and identifying areas which need improvement. Any lessons learned should be absorbed and fed back into the organization’s incident management plan to ensure future incidents of the same nature cannot reoccur.
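Measuring the CIRT's response and resolution times, as mentioned in the post-mortem step above, as an added example that is not part of the original article or of ISO/IEC 27035: an incident timeline of phase milestones is turned into per-phase durations and compared against the target durations the incident management plan sets, so the post-mortem can see which phases need improvement. The timeline, the milestone names and the targets are constructed for illustration; a phase whose milestone was never recorded is reported as unknown rather than silently skipped.

```python
"""Added example (not from the original article): compute the response
metrics a post-mortem would review from an incident timeline and flag
phases that exceeded the plan's target durations."""
from datetime import datetime

# Constructed timeline for one incident, keyed by milestone name.
INCIDENT_TIMELINE = {
    "detected": "2024-03-01T10:00:05",
    "cirt_acknowledged": "2024-03-01T10:25:00",
    "contained": "2024-03-01T12:10:00",
    "resolved": "2024-03-02T09:00:00",
    "postmortem_completed": "2024-03-05T16:00:00",
}

# Constructed target durations in minutes for each phase (hypothetical plan values).
TARGETS_MIN = {
    "time_to_acknowledge": 15,
    "time_to_contain": 120,
    "time_to_resolve": 24 * 60,
    "time_to_postmortem": 5 * 24 * 60,
}

# Each phase is the interval between two milestones.
PHASES = [
    ("time_to_acknowledge", "detected", "cirt_acknowledged"),
    ("time_to_contain", "cirt_acknowledged", "contained"),
    ("time_to_resolve", "contained", "resolved"),
    ("time_to_postmortem", "resolved", "postmortem_completed"),
]


def phase_durations(timeline):
    """Return minutes elapsed per phase; a phase with a missing milestone maps to None."""
    durations = {}
    for name, start, end in PHASES:
        if start in timeline and end in timeline:
            delta = (datetime.fromisoformat(timeline[end])
                     - datetime.fromisoformat(timeline[start]))
            durations[name] = delta.total_seconds() / 60
        else:
            durations[name] = None
    return durations


def missed_targets(timeline, targets):
    """List (phase, actual_minutes, minutes_over_target) for phases that exceeded their target."""
    missed = []
    for name, minutes in phase_durations(timeline).items():
        if minutes is not None and minutes > targets[name]:
            missed.append((name, minutes, minutes - targets[name]))
    return missed


if __name__ == "__main__":
    for name, minutes in phase_durations(INCIDENT_TIMELINE).items():
        print(f"{name}: {'unknown' if minutes is None else f'{minutes:.1f} min'}")
    for name, minutes, over in missed_targets(INCIDENT_TIMELINE, TARGETS_MIN):
        print(f"MISSED {name}: {minutes:.1f} min, {over:.1f} min over target")
```

On the constructed timeline only the acknowledgement phase misses its target, which is the kind of finding that feeds back into the plan (for example, an on-call rota or paging route that is too slow). Keeping milestone timestamps in the incident record during the response phase is what makes this measurement possible afterwards.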