Cybersecurity incident response plan is your “First Aid” for security incidents

The Cybersecurity
Daniel Kwaku Ntiamoah Addai

Cybersecurity is no longer an emerging field in IT, and neither is it a new topic of discussion. Any operational business that has yet to implement a cybersecurity or information security strategy will soon run into trouble, or has already failed halfway.

An information security strategy is an organization-wide framework of conceptual elements, from the individual up to the inter-organizational level, which is informed by antecedent threat conditions to yield measurable information security benefits internal or external to the organization.

Information is an asset which has value for the organization and needs to be protected. Information security, therefore, seeks to ensure the confidentiality, integrity, and availability of the information.

Information fuels business operations. This fuel moves through the machines, systems, and devices that organizations use to operate their business. A company is out of business if the underlying information is compromised. Organizations are more likely to suffer disasters relating to cyber-attacks than to fire outbreaks, flooding, or any natural disaster.

An incident response plan, therefore, defines a set of controls for the management of information security incidents, events, and weaknesses.

A weakness is a flaw in information systems and services.

A security event can be defined as an identified activity, occurrence or situation in an information system that can possibly translate into a breach of information security.

An unwanted or unexpected event that compromises the confidentiality, integrity and availability of the information is known as a security incident.

Unfortunately, it is inevitable that a business will experience security incidents. Many organizations will be hit with major incidents, either for the first time or again. There are organizations that have been hit and organizations that do not know they have been hit. Then there are also organizations that have been hit and will be hit again.

This leaves organizations to respond to difficult questions about incident prevention, identification or detection, and the management of cyber-attacks. Severe incidents in which an adversary takes administrative control over the IT systems that enable or facilitate business operations will have grievous consequences for the business.

It is therefore paramount that businesses prepare for a security crisis by tabling measures and mechanisms to contain and mitigate such a crisis.

Preparing for a crisis helps organizations reduce the risk involved, and containment, mitigation, eradication, and recovery mechanisms will limit the possible collateral damage that may arise.

A standard incident response plan or policy will encompass guidance for legal, technical, operational and communication aspects of preparing, identifying, detecting, analyzing, containing, eradicating, and recovering from a security incident. This further stretches into post-incident activities and coordination during incidents.

The plan requires that organizations define and document responsibilities and practicable processes and procedures for quick, timely and effective responses to security incidents.

The preparation phase of an incident response plan sets the stage for a preventive approach to incidents and then also a responsive approach to mitigate the impact of the incident should it occur.

Activities in the preparation phase include documenting and understanding policies and procedures for responding to incidents, instrumenting, and setting the environment to detect suspicious and malicious activity, establishing staffing plans, educating users and stakeholders on cyber-related threats and notification procedures and finally, leveraging cyber threat intelligence to proactively identify potential suspicious or malicious activities.

It is equally important to define baseline system and network operations before an incident occurs to understand the basics of “normal” activity. This enables responders to identify deviations and false positives.

Having a generic system or infrastructure in place to handle complex incidents, including classified and out-of-band communications, developing and testing courses of action (COAs) for containment and eradication and then also establishing means for collecting digital forensics data or evidence, are all preparation activities.

The goal here is to ensure resilient architecture and systems to maintain critical operations when in a compromised state. Active defence mechanisms may also play a role in constituting a robust incident response.

In practice, the detection and analysis phase of the incident response plan is the most challenging. It involves accurately detecting and assessing cybersecurity incidents, that is, determining whether an incident has occurred and, if so, the extent, type, reach and magnitude of the compromise within the infrastructure. The idea is to detect and analyze security events, implement defined processes, appropriate technology, and sufficient baseline information to monitor, detect and alert on anomalous and suspicious activities.

There must also be assurance that appropriate procedures exist to deconflict any potential incident with authorized activity (i.e., to ascertain whether an activity is known or permitted). The MITRE framework will be of great assistance to responders in detecting threats or incidents based on the tactics, techniques, and procedures that adversaries use to propagate an attack or exploit vulnerabilities.
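The baseline and deconfliction ideas above can be made concrete. The following is an added example (not code from the article or its author): it builds a per-user profile of "normal" source networks and login hours from a constructed baseline window of authentication log lines, flags later logins that deviate from that profile, and then checks each deviation against a constructed change-ticket allowlist so that authorized maintenance activity is reported as deconflicted rather than as an alert. The log format, users, addresses, tickets and the simple hour-window heuristic are all assumptions made for the example.

```python
"""Baseline-deviation detection with deconfliction against authorized activity.

Added example; not part of the original article. Every log line, user, address
and change ticket below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed "known good" window: "<ISO timestamp> <user> <source ip> <result>"
BASELINE_LOG = """\
2024-03-04T08:12:01 alice 10.1.20.15 success
2024-03-04T09:40:22 alice 10.1.20.15 success
2024-03-05T08:05:10 alice 10.1.20.33 success
2024-03-04T07:55:47 bob 10.1.30.8 success
2024-03-05T17:20:03 bob 10.1.30.8 success
2024-03-06T08:30:00 bob 10.1.30.9 success
""".splitlines()

# Constructed later window to be examined against the baseline.
NEW_LOG = """\
2024-03-11T08:10:00 alice 10.1.20.15 success
2024-03-11T02:14:09 alice 198.51.100.7 success
2024-03-11T02:15:30 alice 198.51.100.7 failure
2024-03-11T23:02:11 bob 10.1.30.8 success
2024-03-11T22:40:00 svc_backup 10.1.30.8 success
""".splitlines()

# Constructed deconfliction list: approved change windows that should not alert.
AUTHORIZED = [
    {"user": "bob", "ticket": "CHG-0042", "hours": {22, 23}, "network": "10.1.30.0/24"},
]


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, user, ip, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "ip": ipaddress.ip_address(ip), "result": result}


def source_network(ip):
    """Collapse an address to its /24 so a renumbered desktop is not a 'new' source."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def build_baseline(lines):
    """Profile each user's usual source networks and login hours from successful logins."""
    baseline = defaultdict(lambda: {"networks": set(), "hours": set()})
    for ev in map(parse_line, lines):
        if ev["result"] != "success":
            continue  # failed attempts do not define 'normal'
        baseline[ev["user"]]["networks"].add(source_network(ev["ip"]))
        baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def authorized_ticket(ev, authorized):
    """Return the change ticket that covers this event, or None if it is not covered."""
    for entry in authorized:
        if (entry["user"] == ev["user"] and ev["ts"].hour in entry["hours"]
                and ev["ip"] in ipaddress.ip_network(entry["network"])):
            return entry["ticket"]
    return None


def detect(baseline, lines, authorized):
    """Return deviations from the baseline, each marked 'alert' or 'authorized'."""
    findings = []
    for ev in map(parse_line, lines):
        reasons = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("user absent from baseline")
        else:
            if source_network(ev["ip"]) not in profile["networks"]:
                reasons.append("source network not in baseline")
            # One hour of slack either side of the observed hours (heuristic assumption).
            lo, hi = min(profile["hours"]) - 1, max(profile["hours"]) + 1
            if not lo <= ev["ts"].hour <= hi:
                reasons.append("outside baseline hours")
        if not reasons:
            continue
        ticket = authorized_ticket(ev, authorized)
        findings.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                         "ip": str(ev["ip"]), "result": ev["result"],
                         "reasons": reasons, "ticket": ticket,
                         "status": "authorized" if ticket else "alert"})
    return findings


if __name__ == "__main__":
    for finding in detect(build_baseline(BASELINE_LOG), NEW_LOG, AUTHORIZED):
        print(finding["status"].upper(), finding["user"], finding["ts"], finding["reasons"])
```

The off-hours login by bob is still recorded, but because it falls inside a named change ticket it is reported as deconflicted; the out-of-network logins by alice and the account that never appeared in the baseline are the ones that reach the responder as alerts.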

The containment phase is a high priority for incident response, especially for major incidents. The sole objective of containment is to prevent further damage and reduce the immediate impact of the incident by removing the adversary's access. Containment is a damage control process. A containment strategy depends on the scenario or incident: the strategy employed to tackle ransomware will be different from that for active data exfiltration using fileless malware.

A comprehensive containment strategy will consider any additional adverse impact on operations, the availability of services, the duration of the containment process (i.e., full or partial containment vs. an unknown level of containment), the resources needed, effectiveness, and any impact on the collection, preservation, securing, and documentation of evidence.

For most of the forensics cases I have worked on, I have had to work with limited or incomplete evidence because of bad containment strategies employed by clients during incidents. Untested, impracticable, or bad containment strategies end up destroying evidence. This tends to limit the findings during forensics investigations.

Containment strategies like immediately shutting down devices or servers, unplugging power sources, and attempts to format, delete, or conceal evidential data sources, are bad strategies. These practices tend to limit, undermine, and complicate investigations.

Key containment activities that can be employed in case of incidents include isolating impacted systems and network segments from each other and/or from non-impacted systems and networks. Isolation not only breaks the spread of the attack, but it also limits the reach of the adversary and ultimately disengages the attacker from the machine.

Before isolating, consider the business needs and how to provide services so that business operations can continue to the extent possible.

Furthermore, capturing forensic images to preserve evidence for legal use, updating firewall filtering, blocking unauthorized access, closing specific ports and servers, changing system admin credentials, and redirecting adversaries to a sandbox, amongst others, are all containment activities that can be employed.
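The point of the preceding paragraphs is ordering: evidence must be captured before any step that destroys it, and every step should be recorded so that the investigation can later show what was done, by whom, and when. The following added example (not the article's or its author's code) encodes that as a small containment playbook. Each action declares which steps must already be complete on a host; capturing memory and disk images gates isolation and power-off, and the destructive power-off additionally needs a named approver. Every action is appended to a hash-chained chain-of-custody ledger so that later tampering with an entry is detectable. The action names, dependency ordering, incident identifier and evidence bytes are all constructed for the example; nothing here touches a real host.

```python
"""Containment playbook with evidence-first ordering and a hash-chained ledger.

Added example; not part of the original article. Actions are simulated; the
dependency ordering below is an assumption built from the article's guidance
that evidence is captured before it can be destroyed.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed playbook: an action may run on a host only after its "requires" list
# has completed there. Destructive actions also need a named approver.
PLAYBOOK = {
    "capture_memory":     {"requires": [], "destructive": False},
    "capture_disk_image": {"requires": ["capture_memory"], "destructive": False},
    "isolate_network":    {"requires": ["capture_memory"], "destructive": False},
    "block_at_firewall":  {"requires": [], "destructive": False},
    "rotate_admin_creds": {"requires": ["isolate_network"], "destructive": False},
    "power_off":          {"requires": ["capture_memory", "capture_disk_image"], "destructive": True},
}


class ContainmentError(Exception):
    """Raised when an action would run out of order or without approval."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class ContainmentRun:
    """Tracks completed actions per host and keeps a tamper-evident ledger."""

    def __init__(self, incident_id, handler):
        self.incident_id = incident_id
        self.handler = handler
        self.completed = {}   # host -> set of completed action names
        self.ledger = []      # chain-of-custody entries, each hashing the previous

    def perform(self, host, action, evidence=None, approved_by=None):
        spec = PLAYBOOK[action]  # unknown actions raise KeyError deliberately
        done = self.completed.setdefault(host, set())
        missing = [step for step in spec["requires"] if step not in done]
        if missing:
            raise ContainmentError(f"{action} on {host} refused: complete {missing} first")
        if spec["destructive"] and approved_by is None:
            raise ContainmentError(f"{action} on {host} requires a named approver")
        entry = {
            "incident": self.incident_id,
            "host": host,
            "action": action,
            "handler": self.handler,
            "approved_by": approved_by,
            "time_utc": datetime.now(timezone.utc).isoformat(),
            # Hash of the captured artefact, so the ledger can later vouch for the file.
            "evidence_sha256": sha256_hex(evidence) if evidence is not None else None,
            "prev_hash": self.ledger[-1]["entry_hash"] if self.ledger else "0" * 64,
        }
        entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.ledger.append(entry)
        done.add(action)
        return entry

    def verify_ledger(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body["prev_hash"] != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    run = ContainmentRun("INC-EXAMPLE-001", "handler-on-call")
    try:
        run.perform("srv-01", "power_off", approved_by="ir-lead")  # refused: nothing captured yet
    except ContainmentError as exc:
        print("refused:", exc)
    run.perform("srv-01", "capture_memory", evidence=b"constructed memory dump bytes")
    run.perform("srv-01", "isolate_network")
    run.perform("srv-01", "capture_disk_image", evidence=b"constructed disk image bytes")
    run.perform("srv-01", "power_off", approved_by="ir-lead")
    print("ledger intact:", run.verify_ledger())
    for e in run.ledger:
        print(e["time_utc"], e["host"], e["action"], e["evidence_sha256"])
```

Because each entry carries the hash of its predecessor, the ledger can be handed over with the images and verified independently; a host name or action edited after the fact breaks the chain at that entry.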

The next phase after containment is eradication and recovery. The primary objective of this phase is to ensure a return to normal operations. This is done by eliminating artefacts of the incident (i.e., purging malicious code and residues, rebuilding infected servers, re-imaging infected systems, etc.) and mitigating the vulnerabilities that were exploited.

Effective eradication and recovery can only be achieved if incident containment was properly done. So, it is prudent to ensure that all means of persistent access to the internal network have been curtailed and that adversary activities are appreciably contained, and evidence has been properly collected.

Eradication and recovery may also involve hardening and modifying the landscape or environment to protect targeted systems once the root cause or initial access vector of the incident, intrusion or attack has been identified. It is usually an iterative process, and the two can be executed concurrently. It is important to coordinate with service providers, experts, vendors, and law enforcement agencies prior to the initiation of eradication efforts.

A key aspect of optimal recovery is to have enhanced vigilance and extensive controls in place to validate that the recovery plan has been successfully executed and that no signs or traces of adversary activity remain in the environment. To validate that normal operations have resumed and services have been restored, managers should consider performing an independent test or assessment of the whole IT infrastructure.

There have been several situations where, due to poor containment strategies, organizations have been hit by similar attacks a few months after an incident, or have had to live with viruses and malware in their systems post-incident for more than a year.

Post-incident activities usually involve documentation, hardening and continuous monitoring. Other objectives of this phase include ensuring the root cause has been mitigated, identifying infrastructure problems to address, identifying organizational policy and procedural problems to address, reviewing and updating roles, responsibilities, interfaces, and authorities to ensure clarity, and identifying technical or operational training needs.

A vital aspect of it all is the organization’s leadership decisions and plans going forward. Managers by now should have realized what will be needed to prevent or avoid subsequent attacks from happening and be able to make a firm case to management for them to appreciate the gravity of the incident and the need to help actualize the tabled recommendations.

Leadership will have to make available and allocate resources to help build the capacity and knowledge of personnel, purchase advanced tools and technology to boost security operations in the organization.

However, a very essential element of the incident response plan that is heavily overlooked, disregarded or ignored is coordination. Coordination is foundational to effective and efficient incident response. It is critical that all the phases coordinate seamlessly to achieve a greater outcome.

Also, organizations must always coordinate with the Cybersecurity Authority, Data Protection Commission, Bank of Ghana and all other agencies or related institutions, before, during and after they experience security incidents. Establish contacts with these agencies, institutions and other external vendors who are stakeholders or essential to the actualization of your incident response plan.

Perfect coordination will lead to optimal response and handling of incidents. Imagine a situation where your house is on fire or there is a robbery in your house, but you cannot reach emergency services or police because you do not have their contacts and so have to search for it or reach them through a friend or even have to call a radio station for assistance.

Imagine the road network to your house is bad, making it difficult for them to reach your home. Imagine that your house is not in conformity with fire service regulations, making it difficult for them to fight the fire. Many such scenarios attest to the fact that poor coordination can lead to further adversities for the company and can cripple infrastructure. Coordination can also keep you in right standing with the law, which will ensure that your woes are not worsened post-incident.

In summary, a comprehensive incident response plan defines responsibilities for reporting and managing incidents, contact points for reporting incidents, events, and weaknesses, and how to monitor, detect, and report incidents or events. It further defines how long to log incidents and activities, how to respond to incidents, how to assess reported weaknesses and events, and how to learn from incidents.

An incident response plan is a business continuity plan. It embodies the capability of a company to continue delivery of products or services at appreciable or acceptable levels after some disruptive incidents.
