Since it is almost certain that every organization will experience a cyber security incident at some point, you need to be prepared well in advance.
According to the 2013 Verizon Data Breach report, 22 organizations with only one to 100 employees, mainly in manufacturing and professional services, fell victim to cyber espionage last year, and 23 firms with 101 to 1,000 employees, mainly in manufacturing, were also breached.
If you don’t have a Computer Incident Response Plan (CIRP), resolving an incident will be much harder on your company and much more expensive: the longer a threat goes uneradicated, the more time the intruders have to steal valuable information about you and your customers and to make fraudulent wire transfers from your bank accounts.
The most successful CIRPs have been validated by outside incident response consultants who reviewed the plan, watched it rehearsed thoroughly in “tabletop exercises,” and helped revise it as needed.
A CIRP covers the handling of an incident from the moment it is noticed until it is closed. Like a disaster recovery plan, a CIRP is a management function, which means that management should be part of the team that develops it. Management needs to work with IT to identify the organization’s top concerns—such as payment systems, member data, and email access—and decide which systems are most critical to bring back online first and which need additional layers of protection.
To implement a CIRP, you need an inventory of every piece of technology equipment you own and where it is located. You should also already have preventive controls and policies in place. With the right preventive and detective controls, including continuous network monitoring, you can usually contain an incident before it spreads to your most valuable servers.
Your CIRP should define what counts as an “incident” and categorize possible incidents to help build an action plan. Categories could include malware; suspicious activity seen in monitoring logs and on the network; lost or stolen computers and equipment; domain hijacking; third-party vendor mistakes; spam; theft of intellectual property; intentional destruction of data; and hacking and espionage.
Creating the CIRP
- Form a Computer Emergency Response Team made up of business managers, representatives from your IT and security groups, a legal advisor, the HR director, the PR director and internal security auditors. Discuss the roles they and others will play during an incident and how they should respond to particular situations.
- Designate a facilitator and a data collector, and agree on the objectives, topics and scope of the plan.
- Decide what each participant’s role should be and which actions they are responsible for taking. Roles should be adjusted as you perform annual tabletop exercises and find better approaches than those written in the plan.
- As you work through the exercises below, participants should watch for weaknesses and adjust the plan accordingly.
- The facilitator should present, one at a time, a handful of concise hypothetical incidents designed to draw out responses that fulfill the objectives. Topics could include espionage, data leakage, insider threats, malware, website compromises, or anything else that could affect your company’s security.
For each incident, the facilitator should ask the following questions:
- Which groups within the organization would be involved in handling this incident?
- Which internal and external parties need to be notified of the incident?
- What actions would be needed to contain the incident?
- How would the scenario differ if the incident occurred at a different physical location?
- What measures are in place to prevent this incident?
- Who should attend the lessons-learned meeting for this incident?
- What could be done to detect this and similar incidents earlier?
The data collector should record the following information:
- The type of incident
- The answers to the above questions
- The names and contact information of participants who would be affected by the incident
- The actions recommended for the participants to take
A good tabletop exercise should expose your organization’s strengths and weaknesses and improve its ability to respond well to computer incidents. After the exercise, the data collector and facilitator should hold a debriefing to discuss what went well and where people need additional training; that training should take place soon afterward. Perform the tabletop exercise and update the CIRP annually.
Dell SecureWorks is one of only nine approved Payment Card Industry Forensic Investigators in the U.S. With an entire practice dedicated to Incident Response (IR) and Digital Forensics, Dell SecureWorks can serve any entity anywhere in the U.S. and can be on site in as little as 24 hours.
Jeff Multz, Director of North America Midmarket Sales at Dell SecureWorks, began his career as a software programmer in 1985 and has worked in technology ever since. He holds a Bachelor of Science Degree in Computer Science from Mercer University. For help with an incident response plan, contact Jeff@secureworks.com.