Cyber Security Incident Response Planning
Learning Without Scars is pleased to introduce our new guest writer, Danny Slusarchuk. His first post for our blog is on Cyber Security Incident Response Planning. Danny Slusarchuk enjoys spending time with his family and being a productive member of the community. He serves on the Oklahoma Venture Forum (immediate past Chairman) and Oklahoma Innovative Technology Alliance boards. He leads the Oklahoma National Guard Defensive Cyberspace Operations Element. Danny founded Standards IT in 2012 and continues to be a managing partner at the headquarters in downtown Edmond. He has been recognized as 20 Edmond Business Leaders under 40 and was a recent Edmond’s Young Professional of the Year award recipient. Danny spoke most recently at the FBI’s Information Warfare Summit and has for 4 years running. This year he spoke at SECCON as well. He was a guest speaker for the Youth Leadership Edmond conference, 45th Field Artillery Brigade Honorable Order of Saint Barbara Dining Out. He was the keynote for Oklahoma Officer Candidate School Class 63.
Cyber Security Incident Response Planning
Let’s understand the why.
Your business is shut down for the foreseeable future and you don’t have the slightest idea how you are going to get back to the way you were operating yesterday. Your customers, employees, and even competitors know you have been hacked. Someone in another country is extorting you for ten Bitcoin to maybe restore your precious data on their good word. To top it all off, your customers have brought a class action lawsuit against your negligent handling of their data.
Do not let that scenario play out solely on the bad actors’ terms. It is possible to do everything right and still get hacked. A living incident response policy and procedure accompanied by routine tabletop exercises and vulnerability assessments can be the difference between surviving and shutting your business down.
The Sans institution provided great cyber security training. The incident response considerations in this post draw from their Global Certified Incident Handler curriculum.
Your plan should have input from all departments that require systems and data to operate. I recommend you nest it with your cyber liability insurance policy and have it legally approved.
Now, if you were to pull out as much of the lingo as possible and boil it down to bullets here is how I would state it:
- Identify the event (Intrusion Detection Software, Security Operations Center Notification, Individual Report, Litigation Notice) (each an “Event”)
- Execute initial alert roster of Event and establish event timeline using “Event” document for record
- Determine exposure (add additional resources if necessary and conclude as an IT Governance Council that the Event is contained and did not elevate to an “Incident”)
- If Breach, exfiltration of data, or other harm is suspected to be probable elevate the Event to an Incident
- Contact “Incident Response Legal Team” and “Cyber Forensics Team” (both appointed by the IT Governance Council)
- Use IT Governance Council, Legal Team, and Cyber Forensics Team as Incident Response Council and establish Cyber Forensics Team as Incident Response Manager of the Council
- Add additional technical resources, if needed, to manage the technical aspect of the Cyber Forensics effort and cyber defense
- Track all time, keep running estimates of time and hardware required to maintain operations during the Incident Response
- Add Crisis Public Relations Firm to the Council for internal and external talking points and press releases, if needed
- Use cyber forensic evidence in court or to settle lawsuit and to submit claims to the insurance carrier
- Notify customers and any injured parties, if necessary, pursuant to regulatory requirements
- File incident with the FBI Cyber Crimes Complaint center, if appropriate
- Complete “Incident Response” document(s) for record
- Add technical controls to Cyber Security Risk Mitigation Matrix
- Conduct an after-incident review with key personnel and distribute the IR for Record documentation
That was high level steps, and each has significance. Overall, the concept is to prepare, identify, contain, eradicate, recover, and realized lessons learned. The steps also include adding one-time resources like forensics and crisis public relations.
In future posts I will explore specific sections covered in greater detail that will help educate the reasoning behind the order and specific terminology. Cyber liability insurance is only good if it pays out when you need it for example. Yes, there are some gotchas in choosing your protection.
References: https://www.sans.org/cyber-security-courses/hacker-techniques-incident-handling/