Security Think Tank: Incident response vital to guard against catastrophic cyber attack

When it comes to cyber attacks, enterprises have traditionally focused security controls around prevention. Naturally, prevention is the first objective, but recognising that 100% prevention is impossible, security controls in the detection and response groups are receiving increasing consideration.

The NIST [US National Institute of Standards and Technology] cyber security framework categorises controls in five groupings: identify, prevent, detect, respond and recover. Respond and recover receive a great deal of attention when high-profile security breaches happen, and an organisation’s reputation might well dive or thrive based on how well it does this. In recent examples, British Airways arguably did a great job, whereas perhaps Equifax did not.

Not every cyber attack will have a financial motive. Some may be focused on organisational disruption, and others on distortion of company information, for example. Disruption might even have the ultimate objective of destroying an organisation.

Organisations can fail if there are inadequate or no incident response plans in place. The “Six Ps” mantra clearly applies: proper preparation and planning prevents poor performance.

Key to a resilient organisation is a comprehensive backup and recovery plan and capability. Good governance – indeed, common sense – dictates that an organisation should regularly backup its data and systems. This ensures that, if required, essential information and software can be restored as needed and within timescales to meet organisational needs.

At the very least, an organisation should have a basic incident response plan. More security-mature enterprises will have built or adopted an incident response framework, from which there are a series of “playbooks” setting out the procedures to respond to and recover from specific types of incident.

The playbooks will assign roles and responsibilities to individuals and teams in responding to the incident. Those involved should have access to the products and tools required to enable full investigation and remediation, along with the information needed to understand what is happening (or has happened). There will be implications of the incident around the organisation and potentially beyond, and the team and playbook must take this into consideration.

It may sound obvious, but it is still worth stating: don’t have incident response plans and playbooks only available via online access. If your systems have been taken down, you won’t have the playbooks to hand.

Post-event, reviewing existing security controls is essential because these controls may well require tightening, so there’s no recurrence of the same (or similar) type of incident.

Having a framework and playbooks is no guarantee the organisation will survive an attack designed to put it out of operation; however, there’s a significantly improved chance of survival than if there was no framework and playbooks in place. To reiterate: proper preparation and planning prevents poor performance.