Cyber incident response checklist and plan: Are you breach-ready?
Joseph Carson
Cyberattacks are not rare. From ransomware to data breaches to DDoS (Distributed Denial of Service) attacks, the incident is usually attributed to either cybercriminals or nation-states and almost always comes from beyond our own country’s borders and laws.
We worry about clicking on a link or web page or opening an attachment in an email, not knowing if it will result in a cybersecurity incident that’s going to compromise us. But we click anyway because that’s what we do to get things done. We’re humans—we take risks.
If you fail to train employees you’ll always run the risk of someone clicking on the wrong thing
Despite the technology available to keep us safe, your organization must ultimately depend on its people to make the right security decisions. If you fail to train employees as enthusiastically as you invest in technology, you’ll always run the risk of someone clicking on the wrong thing and bringing your entire network and infrastructure to a standstill.
This brings me to the all-important cyber incident response checklist, but keep reading beyond the list as I also provide important information about privileged accounts and how you’re most likely to find out if your organization has been attacked.
Cyber Incident Response Checklist
It’s important to methodically plan and prepare for a cybersecurity incident so your response can be swift and well-coordinated. You don’t want to be doing this in the middle of an active incident because if you’re not coordinated, everything can go downhill fast. So, let’s ensure that you have taken the important steps to plan for an incident. The better you’re prepared, the less impact the incident will have, and the sooner you’ll get back to business.
The steps to building a strong incident response checklist include:
- Ownership and responsibilities
- Roles and contacts
- Communication methods and contact list
- The incident
- Identification and confirmation
- Containment
- Eradication
- Recovery
- Lessons learned
1. Ownership and responsibilities
When putting an incident response plan in place you must first decide who will be responsible for it. Have a clear idea as to who has been trained, what tools and technology are available to manage the incident, and how much time could be needed for incident response. Part of this responsibility includes involving your business executives and ensuring they, too are trained and prepared for their roles during a cyber incident. Keeping the plan updated and current is also vital.
As your business evolves, your cyber incident response plan must evolve with it to stay aligned with your business priorities. An outdated incident response plan could create more problems than it solves. Executive approval and buy-in are critical to success, so the plan must have full approval from the top of the organization. This is also a good time to work on incident response simulations and role-play exercises.
2. Roles and contacts
Everyone who would or could be involved in incident response, whether it’s the Executive Team, Public Relations, Legal, Technical, Finance, HR, or Customer Support teams, must have clearly defined roles. They must all know how they will be impacted during a cyberattack incident, and what will be expected of them. Does everyone know what to do if the cyber incident becomes public? You may have all your customers trying to call at once, and your help desk might get overwhelmed, causing a DDoS attack on your help desk. So, it’s essential you understand the capabilities of your help desk for when incidents occur.
3. Communication methods and contact list
During an incident, traditional means of communication, like email or VOIP, may not be available. So contact details and an alternative means of communicating must be available during the attack in case traditional methods are not. During the incident, who needs to be notified, and in what order of priority? A contact list must be available online and offline and should include both the System Owners and Technical Responders.
4. The incident
Clearly record how the incident was identified. Was it internal, external, a system alert, or one of the methods described previously? Who discovered it, and how was the incident reported? List all the sources and times that the incident has passed through. At which stage did the security team get involved? Record the entire nature of the incident from the original source, type of incident, assets impacted, location, and scope. Based on the data and system classification, identify the impact on your business so you can determine the appropriate security measures to take next. It is very important that you document each step performed during the incident.
Tip: Using a Privileged Access Management (PAM) solution enables you to quickly audit which privileged accounts have been used recently, whether any passwords have been changed and what applications have been executed. It is also good practice to take a snapshot of the audit logs. You may have already prepared privileged accounts that are used explicitly for incident response. If so, make them available to the technical and security teams to quickly access and monitor systems.
5. Identification and confirmation
If, at this stage, the incident has not yet been confirmed, you must identify the type of incident and confirm that it is, in fact, a real incident.
Tip: Using a PAM solution, you can quickly identify abnormal behavior of privileged accounts and determine if they have been abused by an attacker. You can then compare previous privileged account usage against current usage.
6. Containment
This typically means stopping the threat to prevent any further damage. Once the incident has been identified and confirmed, based on whether it is an active breach or not, you must decide if it’s safe to watch and learn, or immediately contain the threat (pull the plug). Use the Indicators of Compromise (IoC) to help determine the scope of the affected systems, update any firewalls and network security to capture evidence that can be used later for forensics. Figure out if any sensitive data has been stolen and, if so, what the potential risk might be to your business.
During this stage, anticipate potential legal outcomes. Engage the Legal Team and examine Compliance and Risks to see if the incident impacts and regulations. Should your service remain available if a risk is exposed or should it be shut down until the risk is eliminated? Contact law enforcement if applicable as the incident may also impact other organizations, and additional intelligence on the incident may help eradicate, identify the scope, or assist with attribution.
During the containment, you may also need to report the incident to the appropriate authorities depending on the country, industry, or sensitivity of the data. It may require notifying impacted parties including partners and customers in a certain time frame. This is why it is important to have prepared Public Relations Statements.
Tip: A PAM solution can enable you to restrict access to sensitive systems, require additional approval processes, force multi-factor authentication for privileged accounts, and quickly rotate all passwords to prevent further access by the attackers. It will aid with the containment of an incident. You might also want to increase the security controls’ sensitivity and enforce applications allowing you to prevent malicious malware from being distributed by the attacker.
7. Eradication
Restore the systems to a pre-incident state. Collect as much evidence as possible and maintain a solid chain of custody. Gather logs, memory dumps, audits, network traffic, and disk images. Without proper evidence gathering, digital forensics is limited so a follow-up investigation will not occur. Eliminate the security risk to ensure the attacker cannot regain access. This includes patching systems, closing network access, and resetting passwords of compromised accounts. During the eradication step, create a root cause identification to help determine the attack path used so that security controls can be improved to prevent similar attacks in the future. Perform vulnerability analysis to check whether any other vulnerabilities may exist.
Tip: A PAM solution can help compare a baseline before and after the incident, so you can quickly determine which privileged accounts might be malicious and audit the life cycle. This is a good way to guarantee you can recover and maintain the integrity of privileged accounts.
8. Recovery
You’ll need to recover from the incident and ensure systems integrity, availability, and confidentiality is regained. Make sure your services have recovered and the business is back to normal operations. Implement monitoring and continuous detection on the Indicators of Compromise collected during the incident.
Tip: Monitor all audits and activity for privileged accounts to determine that they are back to normal expected usage. You might also want to run in a higher security control sensitivity for a period of time.
9. Lessons learned
It’s important to learn from the cyber incident. What went well and what did not go well during the incident recovery? Plan how it can be improved in the future. Write up an Incident Response Report and include all areas of the business that were affected by the incident. Was management satisfied with the response, and does the business need to invest further in people, training, or technology to help improve your security stature?
Tip: During the lessons learned you can review how Privileged Access Management enabled effective incident response, areas on continuous improvement, and how to leverage Privileged Access Controls in the future.
Does your team have a solid cyber incident response plan yet?
Download our free, customizable Cybersecurity Incident Response Template.
A few words about privileged accounts and incident response
Let’s take a look at privileged accounts and what happens when they’re compromised.
Privileged accounts exist to enable IT professionals, to manage applications, software, and server hardware, and they can be human or non-human. Privileged accounts provide administrative or specialized levels of access based on higher levels of permissions that are shared. Some privileged accounts are also application accounts used to run services requiring specific permissions. In many cases, user accounts can also have elevated or administrative privileges attached to them.
Privileged accounts must be correctly managed by your IT security team to minimize the risk of a security breach. However, should one of your privileged accounts become compromised, you may find yourself faced with a breach and an urgent need for appropriate incident response.
Cyber incident response is an organized process and structured technique for handling a cybersecurity incident within an organization to manage and limit further damage. Preparing an organization-specific cyber incident response plan is an investment in your company’s cybersecurity and should live on as just another item on your breach prevention to-do list.
When a privileged account is compromised
When a privileged account gets compromised or stolen, it gives a cybercriminal the ability to bypass almost all the traditional IT security controls—like firewalls or antivirus—that many organizations rely on to protect their most valuable assets and keep the business running. It enables the cybercriminal to impersonate a trusted employee or system and carry out malicious activity, often remaining undetected for long periods of time.
In many breaches, an attacker will use privileged accounts to perform reconnaissance and learn about the IT team’s normal routines, predictable schedules, what security is in place, traffic flow, and ultimately create a blueprint of the entire network and operations. An attacker’s reconnaissance can occur from a few hours to months earlier, depending on how big the target or reward is. The more an attacker learns about the target the easier it is for the attacker to blend in with normal operations, evade detection, and avoid triggering any alarm thresholds set by the security team.
When your organization falls victim to a cyberattack it is critically important you know the potential impact of the breach. That means knowing what sensitive data has been disclosed and which privileged accounts have been compromised. This will enable you to determine the potential risk to your organization and act accordingly.
Two questions I usually ask when responding to an active ongoing cybersecurity breach are:
- Do any of the systems the cybercriminal has access to contain sensitive data?
- Does the cybercriminal have access to privileged accounts?
Knowing the answers to these questions enables me to determine whether the organization should focus on isolating the active breach (aka Pull the Plug), or if containment is an option (watch and learn) to learn more about the cybercriminal and their motive.
I can quickly tell if the victim has no idea how to answer the questions. That is, they don’t know where sensitive data exists, nor whether they’re managing and securing privileged accounts. This is a major failure in cybersecurity best practices. It means that during such incidents the only way forward is to quickly eradicate the active attack. It may be a matter of minutes before the cybercriminal extracts all the targeted data or deploys a ransomware payload that will corrupt systems to hide their tracks, and cause significant damage.
Cyber incidents will happen. But how do you typically find out?
We know accidents do happen. With cyber threats, it’s a matter of when and not if you are going to be impacted by a cyberattack. Some of these are within your control and some are not, so it’s important to be prepared to respond correctly when you do become a victim.
Here are some common ways you may find out that you’re the victim of a cyberattack:
-
The cybercriminal will contact you
Sometimes, the cybercriminal will be bold enough to contact you to extract money. This is typically the consequence of sensitive data being stolen, which is followed by a ransom demand to prevent the cybercriminal from publicly disclosing or selling it to another criminal to abuse. The data could be sensitive customer information, intellectual property, trade secrets, source code, potential illegal activity, or financial results, all of which could be very damaging for your organization, both reputational and financial. Often, when the cybercriminal contacts you, it’s very likely that you are dealing with cross-border international cyber-crime.
-
Law enforcement will notify you
You may not be looking for a data breach in the hopes that your old firewalls and antivirus are doing an effective job—until you’re contacted by law enforcement telling you that they have found your data exposed on the darknet, or that it resulted from a different cybercrime activity wherein they discovered several other victims’ sensitive data.
-
Third parties, like your bank, partners, or customers, will alert you
This typically happens when a bank identifies potentially fraudulent activities from credit cards. The data is then correlated to common factors that might point to a retail company that has likely been compromised, and cybercriminals are stealing credit card details, sometimes via skimming them from PoS (Point of Sale) terminals. Another reason that third parties might notify you is that they start receiving suspicious activity that is pretending to be your service, usually from cybercriminals compromising the supply chain in an attempt to gain access to a bigger organization. This usually means you may not be the primary target of the cyber crime but a secondary victim or a stepping stone to a bigger cyberattack. In some incidents, it might be found that your organization could be compromised and carrying out cyberattacks against other organizations. This is very common in Educational Institutes where weak security or no security is applied.
-
Ethical hackers and security researchers—your security friends—will figure it out for you
Not all cybercriminals are bad. Yes, many are doing good work, ethically, to help you. I refer to them as ethical hackers, just like me. Sometimes an ethical cybercriminal, while performing research or responding to other incidents, will find other victims as well and feel they have a responsibility to notify them. Unfortunately, during past events some victims have not responded well to such incidents, preferring to criminalize the ethical cybercriminal, which makes this a difficult relationship but hopefully one which will improve in the future. While ethical cybercriminals expose your security flaws they are doing it respectfully, to help you, and it’s certainly a better option than a cybercriminal finding your vulnerability and exploiting it.
-
Hurray, you found it yourself. Threat hunting does work!
On rare occasions, an organization will detect a security incident before any major damage has been caused. This could be thanks to internal skilled cybersecurity experts or engagement with consultants performing threat-hunting techniques. This is the better scenario as sometimes the threat can be identified early enough to reduce potential damage to systems or a data breach. All organizations should be looking for security incidents rather than waiting to find out via the alternatives.
-
Systems are down. 404 Page Not Found
This is one where the entire organization finds out quickly—it means you just got hit with a destructive cyberattack, either via a DDoS (Distributed Denial of Service) attack or ransomware, and your systems are either offline, corrupted, or service is limited. In most scenarios, cybercriminals prefer to stay hidden and get away from the crime before you even know anything about it. However, some less-skilled cybercriminals will try and make a quick buck, and ransomware is one way.
Related Materials: Download our free guide – Ransomware on the Rise (Best practices to become more resilient so you can avoid being the next ransomware victim.)
-
Or, you have simply not found it yet
That’s right. You’ve not been looking hard enough, or you have failed to deploy effective solutions to help identify the data breach. If you’re being entrusted with sensitive data and not following security best practices, then this is one that will not end well for you. You must take a proactive approach.
Employees are on the front line of incident prevention
Empower your whole team!
Employees are the front line in the battle to keep your information secure. Attacks rely on your goodwill and trust to succeed, so you must become more personally responsible in how you manage your information, and this can be tiring.
Empower your employees to be strong players in your cybersecurity battles. They can be a vital part of your indicator of compromise as, we now know, most threats and attacks usually start via a simple email. Employees should be taught how to identify cyber threats so they are part of your early indicator of a potential cyberattack, either targeted or an attack of opportunity. Cyber-educated employees reduce your risk of a data breach, period.
Data Classification and Access Audits
What is important, and who has access?
Perform a complete Data Impact Assessment and ensure that access to sensitive data comes with full access audits. I recommend performing a data classification after an impact assessment to identify data that is more sensitive. I have used a similar process to Data Center Classification that identifies the data in relation to its importance, and aligned it with the CIA Triad to determine what is important to the data: is its availability, integrity, or confidentiality? By classifying the data, you can then align it to security and access controls to ensure adequate security is applied and the risk is reduced.
A data classification and access audit help ensure that during an incident the scope of the incident and potential risks are quickly identified so the appropriate response can be coordinated.
A cyber incident response plan is essential
Sooner or later, you’ll become a victim.
An incident is not something any organization wants to experience but the fact is, with an ever-increasing cyberattack threat landscape, it’s becoming more and more likely that your organization will become a victim of cybercrime. How prepared you are will determine the overall impact on your business, so have a solid incident response plan in place to help you do everything possible to reduce the potential impact and risks.
FREE TOOL
Cybersecurity Incident Response Template