The NIST Cyber Security Incident Response Framework
Cyber security breaches should be taken as a “when” and not an “if” occurrence, especially given the rise in cyber attacks due to remote working. The wrong time to put your cyber security incident response plan in place is when confronted with the pressure of a critical cyber security-related incident.
“COVID-19 has changed the risks,” says Patrick Ryan, Managing Director of Mobius Consulting, “and your company has to change along with it. The threat profile has changed, assets have changed, and your policies, people and processes have to keep up with this change.” Now is the time to make sure that your incident response strategy meets the demands of the current times.
A key factor to take into consideration is the fact that your cyber security team is now working remotely and most of your incident response process will be geared towards meeting in a room, or physically having access to specific hardware, or using security software that is office-based. Can you still ensure your company’s response readiness to cyber attacks when the response team members all working remotely? Teams need to test processes and procedures now, before the attack occurs, to be better prepared for when they happen.
Mobius Consulting’s methodology is aimed at reducing and better managing cyber security risks, including controls to prepare and respond to an attack and is aligned to the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF).
A company needs to understand the risk environment in which they operate and this includes identifying critical risks from a business perspective. This helps prioritise the risk management strategy in terms of the needs of the company.
With a remote workforce, it is clear that business assets, including all data, devices and systems that have been forced to operate beyond the safety of the organisations firewalls, will need to be carefully monitored.
“VPN has opened up your network to new ways of accessing the network and working outside of the firewall has increased your cyber security risk,” says Patrick Ryan. “It is critical that you identify the ways that your systems can be attacked and identify your risk and threat profiles.”
Three key actions:
- Identify all critical assets – here software can be a big help in identifying and categorising third party risks as well as software and project risks
- Identify all apps requiring online and remote access
- Identify risks and threats
Once you have identified the risks, you can put in measures and controls to protect the business from cyber attacks. This step involves the development and implementation of the appropriate safeguards to ensure the delivery of critical infrastructure services should an attack occur.
How do you protect your assets? What measures and controls are in place? Consider your changed risk profile and how you can better manage access control, user awareness and user training. “Recognising issues before they happen goes a long way,” says Patrick Ryan.
Three key safeguards:
- Access control: All information, applications, and other digital and physical assets need to be protected according to their risk profile, this is a particularly important aspect of cyber security when managing risks associated with a remote work environment.
- Information security awareness and training: Educating the workforce about the influx of cyber attacks as hackers take advantage of this pandemic will give the company a first line of defense against threats.
- Data security: Sensitive information and company records need to be managed according to the company’s remote working risk plan, this includes knowing how to comply with the common conditions of privacy in a home based office.
The detection function requires companies to develop and implement the appropriate activities to identify the occurrence of a cyber security event.
“Monitoring and detection are often weak points for companies,” says Patrick Ryan, Managing Director of Mobius Consulting. “During penetration testing exercises that we run for our clients many companies don’t even pick up that we have just breached their security. This area usually needs the most work. If you can’t detect penetration testers on your network, then you will never even initiate the response processes.”
The detection function usually uses activity logs, alerts and specialised software to identify unusual activity so that the organisation can respond timeously. Detection needs to be extended to cater for remote working, for example, when a company has a cyber security incident response team working remotely, who do the security alerts go to and how do they action their responses? Who is looking at the logs? Who is monitoring user access – checking who is logging into which software remotely and looking for anomalous behaviour?
“Detection is usually poor to start with,” says Patrick. “Now it’s a real risk to the organisation.”
Three key actions:
- Check your existing detection systems
- Maintain your existing detection systems
- Create new detections systems and mechanisms
What is your company’s response processes or incident response playbooks? Are teams ready to react and do they have the skills and training required to respond adequately to a cyber security incident? Most companies have response plans but under the current circumstances, is it possible for the necessary stakeholders to convene and converse around an incident remotely?
“Test responses to see if there are holes in the processes, test now more than ever before,” says Raymond du Plessis from Mobius Consulting. “If you have a robust process in place it shouldn’t change, except for how it’s implemented. You shouldn’t have any processes that require you to be in the office to respond to an attack, especially considering most attacks will happen after hours.”
Three key actions:
- Manage communications with key stakeholders throughout the response process
- Ensure that mitigation activities are in place to prevent further impact or expansion of the event
- Implement improvements by incorporating lessons learned from current and past incident response activities
How will you recover if a system or network goes down or data is lost or you are locked out of your systems? Recovery planning involves having processes in place to ensure that there is timely restoration of the systems and assets that have been impacted by cyber security breaches. How quickly will you be able to get back online and up and running again?
During the lockdown, there may be limitations to the degrees that your response team can act in order to fully recover. “If necessary, companies should apply in advance for essential services passes for the team that may need to go into the office in response to an incident,” suggests Patrick Ryan, Managing Director of Mobius Consulting.
Three key actions:
- Ensure that the organisation conducts the relevant recovery planning procedures needed to restore systems and assets that have been impacted.
- Coordinate internal and external communications during and following the recovery process
- Review existing strategies in order to implement improvements where necessary
Since every organisation will continue to have unique risks, threats, vulnerabilities, and tolerances, there is no one-size-fits-all solution to risk management. It is because of these variables that incident response processes and plans should be interpreted as a “living documents that are unique to every company”, and resources should be adaptable to the individual circumstances that companies face, including during a lockdown situation.
Organisations should consider using the COVID-19 lockdown as an opportunity to review and update their current response processes in order to ensure that they can cater for these complex circumstances.
For more information about what you can do to improve your incident response plan contact Mobius Consulting.