Business continuity and emergency preparedness have become familiar concepts for many businesses – and having such risk management practices in place is expected in many industries. In spite of this, apart from software companies, inclusion of cybersecurity and preparing for handling of serious cyber attacks and security incidents is far from mature. Many businesses have digitized their value chains to a very high degree without thinking about how this affects their overall risk picture. Another challenge for many businesses that have seen the need to include their digital footprint in their risk management process, is that they don’t know where to start. That is what this post is about: how do you start to think about emergency preparedness for cyber incidents? If you have a robust process for this in place, this post is not meant for you. This is a “how-to” for those who stand bewildered at the start position of their crisis management planning process.
KNOW WHAT YOU HAVE
Before planning your incident response, or emergency preparedness plan, you should have a clear overview of what assets you have that is worth protecting. Creating a detailed asset inventory can be a daunting task. However, for most organizations, it is sufficient to identify the key information and organizational assets without aiming for completeness.
- What are your main business processes? Identify all of the main processes you need to work in order for your organization to serve its purpose. The breakdown can be of different granularity, but here’s an example for an e-commerce business:
- Management and leadership
- Sales and marketing
- Procurement and logistics
- Software development
- Customer support
- For each of the main business processes you have, there will be various types of assets that are necessary to make that process work. Think about what you need in various categories:
- Key personnel
- Software you need to get the job done
- Data that is needed to support the function (if you know what software you depend on, this is often easier to identify)
Why are we mentioning people here? Often people have knowledge that cannot easily be replaced within the organization, or that would require considerable effort and investment. If such a person disappears, the situation can be hard to deal with. That is why, also from an information security point of view, it is important to know who your key employees are, and put down a plan for what to do if they are not available.
When you have identified these assets, it is a good idea to group them into two categories: critical and non-critical (you can use more than 2 categories if you want to, but a binary division is usually sufficient). Critical assets would lead to serious consequences if the security is breached: if data is leaked, or changed in an unauthorized manner, or made unavailable. It is unfortunate if non-critical assets are breached too, but not at a level where the business itself can be threatened. The critical assets are your crown jewels – the assets you need to protect as good as you can.
BASELINE DEFENSE: DO THE SMALL THINGS THAT MATTER
Before planning how to respond to a cyber attack, we should introduce some baseline practices that do not depend on criticality or risk assessments. These are practices all organizations should aim to internalize; they significantly reduce the likelihood that a cyber attack would be successful, and they also prepare you to respond to an attack when it happens.
- Introduce a security policy and make it known to the organization. Work systematically to make sure the policy is adhered to.
- Maintain the data register (using the process described above for “knowing what you have”). This way you make sure critical assets do not get overlooked.
- Include security requirements when selecting suppliers. Do not get breached because a supplier or business partner has weak security practices.
- Take regular backups of all critical data. This way, you can restore your data if they should become unavailable or destroyed, whether this happens because of a hacker’s malicious actions or due to a hardware failure.
- Use firewall rules to deny all traffic that is not needed in your business. Deny all incoming requests, unless there is a specific reason to keep a service available.
- Run up-to-date endpoint protection such as antivirus software on all computers.
- Keep all of your software up-to-date and patched. Do not forget appliances and IoT devices.
- Do not give end users administrative access to their computers.
- Give security awareness training to all employees.
With this in place, 80% of the job is done. Now you can focus on the “disaster scenarios”; those where you crown jewels are at risk.
PREPARE TO DEFEND YOUR ASSETS
You know what assets you have. You know what your crown jewels are. You have your baseline security in place. Now you are ready to take on the remaining risk – responding to attacks and more advanced incidents. Here’s how you prepare for that.
Before you develop your incident response plan, it pays off to create a simple threat model. Your model should describe credible attack patterns. In order to identify such attack patterns, you should think about who the attacker would be, and what their motivation would be. Is it a script kiddie, a person without deep technical knowledge hacking for fun using tools downloaded from the internet? Is it a cyber crime group hoping to earn money on extortion or by selling your intellectual property? Is it a nation-state actor, hoping to use your company as a foothold for attacking government assets? Or perhaps it is an insider threat, a dishonest or angry employee attacking his own employer? Likely scenarios depend on your assumptions here.
You don’t need a very detailed threat model to gain understanding that can aid your incident response planning. You should think about phases of the attack?
- How is the initial breach obtained? In most cases this would be some form of social engineering, like phishing.
- How do they get a foothold and gain persistence? Malware based? Using built-in functions?
- How do they get access to the crown jewels? What actions will they perform on the object?
- What are the consequences of the attack for your organization and its stakeholders?
Having this down, you should start to prepare an incident response plan. Thinking about this in phases too is helpful:
- Incident detection and escalation
- Lessons learned
During preparation you should get down who is responsible for incident handling, who should be communicated with and how suspected incidents should be reported. Include a budget for training and running exercises. Cyber threat incident response needs to be tested the same way we do fire drills.
Incident detection is difficult. Various reports all indicate the average time from compromise to detection of advanced attacks is somewhere between 3 months and 2 years. There are many ways to detect that something is wrong:
- A user notices strange behavior of lack of access
- Monitoring of logs and security systems may report unusual signals
- A hacker contacts you for a ransom or to state demands
In all cases the company should have a clear process for categorizing potential incidents, verifying if it is a real incident or not, and making a decision to start incident response.
Containment is about stopping the problem from spreading throughout the network, and gathering evidence. Be aware that cutting access to the internet can sometimes set off pre-programmed destructive routines. Therefore containment should be based on observation of the hacker behavior within the network on a case by case basis.
Eradication is about removing the problem: taking away the persistent access, removing malware, patching security holes. The right way to do this is to format all disks, clean all data, and then restore from original media and trusted backups.
Recovery is about getting back to business: recovering the service at an acceptable level. It is not uncommon to see malware reappear after recovery, so testing in a controlled environment is always good practice, before connecting the restored system to the business network again.
Lessons learned is important. In this phase an after action review is done: how could this happen, what was the reason? Do a root cause analysis. Summarize what worked well in response, and what did not. Make recommendations for changes in practice or policy – and follow up on it.
If you have this down: knowing what your crown jewels are, a solid baseline security system and a risk based incident response plan your organization will be much more robust than before. The risk exposure of your organization to cyber threats will be greatly reduced – but do not forget that security is a continuous process: as the threat landscape changes, your security management should too. This is why you need to maintain your threat model, and update your response plan.