
Incident Response – Where to Begin, What to Test, and How Often. Pt1

Written By:

Caleb Coggins: Director of Compliance Services

Mark Repka: Security Consultant

Michele Adelaar: Security Consultant


Incident Response (IR)

Incident Response (IR) is a process to prepare for, detect, and respond to security-related events and incidents. Without the necessary planning, coordination, and training, IR processes become less effective and reliable, which can lead to worse business outcomes and prolonged incident recovery periods. NIST (NIST SP 800-61) defines an incident as a violation of policy (computer security, acceptable use) or of accepted computer security practices. The downstream consequences of failing to plan and failing to test are most visible during an actual incident. An organization should not wait until after an incident occurs to determine whether or not its IR process is fully operational. Security and compliance frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) recommend and require that an organization maintain a documented Incident Response Plan (IRP), designate resources for incident handling, test the process at least annually, and provide adequate training to incident responders on how to effectively manage incidents and respond to a potential security breach. Many indicators can point to a cybersecurity incident and trigger an incident response, such as inappropriate successful login activity, system tampering alerts, and the detection of malicious software on critical systems. Digital forensics processes may be integrated into an active cybersecurity incident to ensure evidence is properly collected, preserved, and analyzed.

Incident response is often associated with disaster recovery and business continuity practices. To clarify, think of incident response as an end-to-end cybersecurity process, whereas a disaster recovery plan may be activated in response to a non-cyber event (e.g., flooding) or as part of the recovery phase of a cybersecurity incident (e.g., rebuilding critical systems and restoring from known-good backup media after a ransomware event). Activation of Disaster Recovery (DR) or Business Continuity Plans (BCP) regularly involves senior management and key business stakeholders. Likewise, incident response requires adequate oversight and leadership to maintain command over an incident and to manage good internal and external communication throughout the incident cycle. Collaborating with existing DR/BCP resources and including them in the IR test planning process can help align IR test plans with existing risk management activities. Often, an organization undergoes a risk assessment that identifies critical assets, threats, and vulnerabilities. A Business Impact Analysis (BIA) serves as an input to DR/BCP plans, identifying potential impacts to business operations. These reports provide greater insight into the specific business environment and inform stakeholders on the relevance of incident response test scenarios to critical business functions. In addition, DR/BCP scenarios and activities may be integrated into a scheduled IR test for a wider assessment of response capabilities.

NIST identifies two common, scenario-driven test types to facilitate IR testing (NIST SP 800-84):


Tabletop exercises

Tabletop exercises focus on discussion and verbal process walkthroughs. A tabletop format can be helpful as an initial test, after a change (personnel, process, technology), or when resources are limited. The key advantages and disadvantages are summarized below:



· Lower Impact on Business Resources: Resources are not tied up in partial or large-scale simulations, making the exercise cost-effective.

· Flexibility: Tabletop exercises can be less rigid and structured, enabling more open discussion and the ability to shift more easily to additional test scenarios.

· Scheduling: Tests may be scheduled and performed with less advance preparation (deployment of resources) than a functional test, due to their “meeting format”.

· Limited Participation: Fewer stakeholders may participate, depending on the focus of the tabletop scenarios and test objectives (e.g., senior leadership vs. operational team participants).

· Lack of Operational Validation: The discussion format of a tabletop exercise does not provide the same level of assurance as performing the IR procedures in a functional exercise that measures actual results.

Simulated Attack/Functional Exercise

A functional exercise is one in which a scenario is operationally tested, with tangible results based on the performance of the participants. The results provide a more real-world view of a team’s ability to detect, respond to, and manage an incident that could negatively impact the organization. Beyond the discussions and general scenario-based walkthroughs of a tabletop exercise, a functional exercise involves actual systems, tools, and documented procedures in order to address the test objectives. These exercises can be more time-intensive and disruptive to personnel and services with operational responsibilities. However, the investment in these types of exercises can yield more valuable insight into an organization’s actual capabilities and areas for continued improvement.



· Technological Testing: Tests simulate impact to active systems and measure the actual response within your enterprise or production environment.

· Real Responses: Simulated attacks are an effective way to expose gaps in your IRP, because live systems are exercised and used during the simulated attack.

· Resource Constraints: Active personnel must defer routine job tasks, and operational resources are strained by the testing activities.

· Potential System Disruption: Simulated attacks on an enterprise network or production environment may disrupt critical services.

· Competing IR Priorities – Legitimate Attacks: An actual incident occurring at the same time as a functional exercise could inhibit an organization’s ability to respond successfully to that incident and to complete mandatory test exercises in a timely manner.

Periodic testing of your Incident Response Plan is critical to ensuring it will function as intended before it is needed. An IR Plan developed one or more years ago may no longer meet the needs of your business or address industry developments. Malicious actors evolve, business environments change, and the IR Plan and testing must continue to grow and develop in order to remain relevant.

5 Benefits of conducting IR Tests:

1. Know your Stakeholders & Roles
Whether you are conducting a tabletop or functional exercise, your organization will better understand the roles and individuals responsible for leading an incident, making decisions, and overseeing the execution of IR procedures.

2. Recognize what is important
Customized test scenarios, based on your organization’s own risk assessment, yield more relevant, higher-value results.

3. Verify it works before you need it
Gaining assurance that the IR Plan can be executed and will operate successfully is a vital takeaway from periodic IR test exercises. Tabletop exercises can identify process issues even when full functional testing is not being performed.

4. Learn & Grow
Successful IR Plans include a feedback loop (Lessons Learned) that identifies areas for correction or improvement. Conducting tests iteratively improves the IR Plan and its associated processes.

5. Meet external requirements
Some external bodies require IR Plans and periodic testing, for example for PCI DSS compliance. Testing supports ongoing compliance and helps organizations avoid negative consequences.
