When a Breach Occurs, Are We Ready to Minimize the Operational Effects?
Published 11/08/2024
Written by Dr. Vito Nozza, Softchoice.
“Plan for what is difficult while it is easy, do what is great while it is small” Sun Tzu
I like to quote Sun Tzu, because The Art of War mirrors what cyber professionals face on the daily grind. Adversaries research and plan their offensive techniques well in advance, and that reality has to be top of mind for any CISO worth their weight in gold. Preparing for it is the purpose of an incident response plan (IRP): it works through, ahead of time, the events that could cause catastrophic harm to your organization so that you do not panic when they occur.
Let's be honest, folks: it's not if an attack occurs but when, and what ultimately matters is how well you respond to the incident and whether you achieve business continuity. An incident response plan (IRP) must not be taken lightly; it is a measure of the business's resilience. What are the procedures that ensure all roles and responsibilities are understood, acknowledged, and ready for action when an event happens? How is a Tabletop Exercise (TTX) created and run, are the right parties and communication channels involved, and do they know what to do? The following steps are a guide to building a team that can meet your resiliency goals.
- Establish an incident response team. Reach out to business unit leaders or assigned individuals who can represent the various stakeholders during a crisis. Make sure there is an executive champion leading the charge so that all will follow. Communicate to the members the importance of their participation and their responsibilities for the plan's success. Start developing a RACI (Responsible, Accountable, Consulted, Informed) chart that documents the included stakeholders and their roles.
- Analyze potential threats. Reference your Business Impact Analysis (BIA) to gather all assets that are critical to your business. If one has not been developed, an asset identification and classification model is a great artifact to help create a BIA. From there, conduct a threat analysis of the events and scenarios that could affect your company: malware outbreaks, DDoS events, or ransomware attacks that could cripple operations. Do not forget natural occurrences such as hurricanes, tornados, and fires that could affect your business.
- Outline response guidelines. Once scenarios have been established and leaders have participated in the threat analysis, you are ready to create your guidelines. They should include runbooks/playbooks with step-by-step procedures that guide responders through the pre-determined actions for each scenario.
- Prepare your external response. As we all know, nothing exists in a bubble. Ensure that external communication guidelines are established with law enforcement, partners, third parties, PR firms, and possibly first responders.
- Train. Once scenarios are approved, train employees on their assigned roles for when events occur.
- Test, test, and re-test the incident response plan(s). Even if they worked the first time, things change, and the tests should be altered accordingly. Adaptability is key. TTX should be altered as risk and security postures change.
- Learn from the scenarios and your risks. As your response plan changes, ensure everyone is updated on the modifications.
Your incident response plan is now set. All business unit leaders have been informed and have participated in the design and usability testing of the plan. Because a breach is a high-stress situation, the following steps should be known and understood by everyone involved before one occurs.
- Detection. Hopefully there is sufficient telemetry and visibility into anomalous activity throughout your environment. Perhaps you already have a managed detection and response (MDR) service or a Security Information and Event Management (SIEM) platform that alerts when an event or possible compromise has been detected. Either way, you have now detected activity that falls outside normal business traffic patterns.
- Analysis. Your team analyzes the event to confirm that an incident is in fact taking place that could affect ongoing operations. It is imperative that a simple event, such as one employee being unable to reach the web, is not confused with a real service degradation that affects all operations.
- Containment. Containment limits further loss and stops the attack from spreading beyond the affected segment or area. It also gives your experts or external forensic investigators time to collect data, tag it, and preserve it carefully (with integrity hashes and a documented chain of custody) so that it can be dissected and investigated later in a lab.
- Eradication. Now’s the time to extinguish the threat so that there are no further risks to your ecosystem.
- Recovery. This is when you either bring clean, verified services back online or enact your disaster recovery plan and restore backup data from your secondary sites and/or the cloud. Verify that the backups you restore from predate the compromise and have not been tampered with; otherwise you may reintroduce the threat.
- Lessons Learned. This final step is one of the most important. It allows the incident response team to meet after the event is under control and no longer a threat. Discussions will be around what happened, how the incident response plan performed, and what lessons were learned so that a repeat of the event does not occur.
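To make the Detection and Analysis steps above concrete, here is an added example that is not part of the original post or of any Softchoice tooling. It runs a simple baseline comparison over constructed outbound-flow records (host names, destinations, byte counts, the seven-day baseline and the k = 3 standard-deviation threshold are all assumptions) and then applies triage rules that separate a single-host oddity worth a quick check from corroborated or widespread findings that justify declaring an incident and invoking the plan.

```python
"""Added example (not the post's own code): toy detection and triage pass
over constructed outbound-flow records.  Hosts, destinations, byte counts,
baseline window and thresholds are assumptions made for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed baseline: outbound bytes per host for the seven prior days.
BASELINE = {
    "ws-01": [1_200_000, 1_350_000, 1_100_000, 1_280_000, 1_400_000, 1_150_000, 1_300_000],
    "ws-02": [900_000, 1_000_000, 950_000, 1_050_000, 880_000, 970_000, 1_020_000],
    "ws-03": [2_000_000, 2_100_000, 1_950_000, 2_050_000, 2_200_000, 1_900_000, 2_150_000],
}
# Destinations each host contacted during the baseline window (constructed).
KNOWN_DESTINATIONS = {
    "ws-01": {"mail.corp.example", "files.corp.example"},
    "ws-02": {"mail.corp.example", "files.corp.example"},
    "ws-03": {"mail.corp.example", "erp.corp.example"},
}
# Constructed flow records for today: (host, destination, bytes_out).
TODAY = [
    ("ws-01", "mail.corp.example", 600_000),
    ("ws-01", "files.corp.example", 700_000),
    ("ws-02", "mail.corp.example", 400_000),
    ("ws-02", "203.0.113.45", 48_000_000),   # large transfer to a never-seen host
    ("ws-03", "erp.corp.example", 2_050_000),
]


@dataclass(frozen=True)
class Alert:
    host: str
    reason: str    # "volume", "new-destination:<dest>" or "no-baseline"
    value: float   # ratio to baseline mean, or bytes for destination alerts


def detect(baseline, known_destinations, today, k=3.0):
    """Detection step: flag a host when its daily outbound volume exceeds
    mean + k * stddev of its own history, or when it contacted a destination
    that never appeared in its baseline.  Hosts with no history are flagged
    separately so they are not silently ignored."""
    totals = defaultdict(int)
    new_dest = defaultdict(lambda: defaultdict(int))
    for host, dest, nbytes in today:
        totals[host] += nbytes
        if dest not in known_destinations.get(host, set()):
            new_dest[host][dest] += nbytes
    alerts = []
    for host in sorted(totals):
        history = baseline.get(host)
        if history:
            threshold = mean(history) + k * pstdev(history)
            if totals[host] > threshold:
                alerts.append(Alert(host, "volume", totals[host] / mean(history)))
        else:
            alerts.append(Alert(host, "no-baseline", totals[host]))
        for dest, nbytes in sorted(new_dest[host].items()):
            alerts.append(Alert(host, f"new-destination:{dest}", nbytes))
    return alerts


def triage(alerts, fleet_size):
    """Analysis step: decide whether the alerts describe a one-off event or an
    incident.  Assumed rules: a host with two independent indicators, or alerts
    covering half or more of the fleet, is escalated; a single indicator on a
    single host is investigated first (the 'one user cannot reach the web' case)."""
    indicators_by_host = defaultdict(set)
    for a in alerts:
        indicators_by_host[a.host].add(a.reason.split(":")[0])
    if not indicators_by_host:
        return "no-action"
    widespread = len(indicators_by_host) / fleet_size >= 0.5
    corroborated = any(len(kinds) >= 2 for kinds in indicators_by_host.values())
    if widespread or corroborated:
        return "declare-incident"
    return "investigate-event"


if __name__ == "__main__":
    found = detect(BASELINE, KNOWN_DESTINATIONS, TODAY)
    for a in found:
        print(f"{a.host}: {a.reason} ({a.value:,.1f})")
    print("decision:", triage(found, fleet_size=len(BASELINE)))
```

In the constructed data only ws-02 trips both checks (roughly fifty times its baseline volume, sent to an address its baseline never contained), so the triage rules escalate; a lone new destination on one host would instead return "investigate-event". The point is not the arithmetic but the separation of duties: detection produces indicators, and a stated, pre-agreed rule turns them into a decision the on-call team can act on without debate.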
This blog highlights what happens when you fail to create an incident response plan, and what the repercussions could be for your company. As Sun Tzu stated (and I am paraphrasing), planning may seem like a large task at first, but it lessens the effect when the actual event occurs.