[BreachExchange] Security Think Tank: Incident response vital to guard against catastrophic cyber attack

Destry Winant destry at riskbasedsecurity.com
Fri Apr 12 09:19:01 EDT 2019


https://www.computerweekly.com/opinion/Security-Think-Tank-Incident-response-vital-to-guard-against-catastrophic-cyber-attack

When it comes to cyber attacks, enterprises have traditionally focused
security controls around prevention. Naturally, prevention is the
first objective, but recognising that 100% prevention is impossible,
security controls in the detection and response groups are receiving
increasing consideration.

The NIST [US National Institute of Standards and Technology] cyber
security framework categorises controls in five groupings: identify,
prevent, detect, respond and recover. Respond and recover receive a
great deal of attention when high-profile security breaches happen,
and an organisation’s reputation might well dive or thrive based on
how well it does this. In recent examples, British Airways arguably
did a great job, whereas perhaps Equifax did not.

Not every cyber attack will have a financial motive. Some may be
focused on organisational disruption, and others on distortion of
company information, for example. Disruption might even have the
ultimate objective of destroying an organisation.

Organisations can fail if there are inadequate or no incident response
plans in place. The “Six Ps” mantra clearly applies: proper
preparation and planning prevents poor performance.

Key to a resilient organisation is a comprehensive backup and recovery
plan and capability. Good governance – indeed, common sense – dictates
that an organisation should regularly back up its data and systems.
This ensures that, if required, essential information and software can
be restored as needed and within timescales to meet organisational
needs.

At the very least, an organisation should have a basic incident
response plan. More security-mature enterprises will have built or
adopted an incident response framework, from which there are a series
of “playbooks” setting out the procedures to respond to and recover
from specific types of incident.

The playbooks will assign roles and responsibilities to individuals
and teams in responding to the incident. Those involved should have
access to the products and tools required to enable full investigation
and remediation, along with the information needed to understand what
is happening (or has happened). There will be implications of the
incident around the organisation and potentially beyond, and the team
and playbook must take this into consideration.

It may sound obvious, but it is still worth stating: don’t have
incident response plans and playbooks only available via online
access. If your systems have been taken down, you won’t have the
playbooks to hand.

Post-event, reviewing existing security controls is essential because
these controls may well require tightening, so there’s no recurrence
of the same (or similar) type of incident.

Having a framework and playbooks is no guarantee the organisation will
survive an attack designed to put it out of operation; however,
there’s a significantly improved chance of survival than if there was
no framework and playbooks in place. To reiterate: proper preparation
and planning prevents poor performance.
