It is widely accepted that information technology is an enabler; through the promotion and application of innovative solutions, modern organizations and their customers have a reliance on essential technologies as part of their everyday interactions. Through technology enablement, organizations seek to increase growth and revenue yet often overlook or ignore the potential for increased risk.
In particular, the advance of technology can be linked to vast growth in cyber-based risks such as continually adapting nefarious elements that pose a constant and evolving threat to the confidentiality, integrity and availability of the technology that we have come to rely upon.
Therefore, when considering the use of technology as an enabler it is essential to evaluate risk and apply intelligent security controls or mitigations from the ground-up; technology ‘and’ security as an enabler.
Cyber-attacks and the nefarious elements behind them, threat actors, have evolved and the risks are very real; a single incident could result in significant losses, both financial and reputational. The question is not ‘if’ you will be attacked but rather ‘when’ and as such organizations need to be prepared with an effective and intelligent cyber-security strategy.
One aspect of an effective cyber-security posture is to ensure that you have the ability to respond to and investigate incidents; an effective ‘Incident Response’ (IR) capability could be the difference between survival or extinction.
Cyber-attacks come in all shapes and sizes and there is no ‘one size fits all’ solution. When scoping an IR capability, many organizations may choose to focus their attentions on advanced and persistent threats whilst perhaps ignoring the ‘small stuff’. Advanced threats, by their very nature, are incredibly serious and notoriously difficult to detect, yet, it is important not to ignore the potential of isolated attacks. Seemingly smaller, less-sophisticated attacks can have an impact just as severe. For example, a bank robber marching through the front door in broad daylight may be easier to detect and mitigate, but can still be just as effective as an organized criminal who takes the time to construct a tunnel, subvert surveillance cameras and implement other Hollywood-esque techniques to avoid detection. Either way, without the proper security in place, the bank has been robbed and the criminals achieved their goal.
Defense-in-depth approaches to cyber-security are typically deployed to attempt to thwart any combination of attack, and therefore a well-defined IR plan should support the effective handling of incidents regardless of their type, size, complexity, or severity. Also, as IR processes require the involvement of a variety of internal and potentially external parties, an efficient method of collaboration and communication amongst the various relevant peers is imperative to the success of the plan.
Additionally, an IR plan should also consist of the following critical components:
- Processes to declare or determine what an incident is;
- Definition of ‘security’ incident boundaries;
- Assignment of roles and responsibilities including a level of authority across each appropriate department (not only Security and IT departments but also legal, compliance, HR, PR, marketing and so on) for each type of incident;
- Metrics for the improvement of the IR plan (i.e. running ad-hoc simulations or table top exercises);
- Defined communication and escalation channels throughout the organization and, if appropriate, trusted third-parties;
Finally, even the best IR plan needs support. Support and active participation by an organization’s management is necessary to remain effective while ensuring that the IR team’s actions are not curtailed by internal factors like budget, or jurisdiction hurdles.
In The human and process elements of an Incident Response Plan – I will expand the above topics in more details.