Cybersecurity Incident Reporting Process and Template
Ever since we launched our customizable cybersecurity incident report template, I’ve been amazed by its volume of downloads.
I quickly realized that the increasing cyber threats from cyber criminals, malware, and ransomware are being taken seriously by organizations large and small and that there is a growing demand for guidance and information on cybersecurity incident response and reporting.
Mangools.com, a Slovakian company that provides advanced tools for monitoring online search engine activity, indicates that online searches for the phrases “cybersecurity incident report template” and “cybersecurity incident response” are increasing at a mind-blowing rate year over year.
So, organizations are getting on board with cyber risk, and this is great news. I’ve been writing, tweeting, and giving talks about how to respond to cyber incidents for some time now—and companies are listening. Many are now taking action.
If you’re ready to get on board with properly minimizing the risk to your organization and data during or after a breach, but are not 100% sure of the process—this is the place to start. I’ll provide some procedure resources for handling the cyber incident response process, but let’s start by addressing 4 common questions.
- What is incident response?
Incident response is an organization’s reaction to halting and recovering from a cybersecurity incident, and the response plan must be in place before the incident occurs. Incident response is one of the major components to helping an organization become more resilient to cyber attacks.
You may already know a security incident as:
- An information security incident
- An IT security incident
- A network security incident
- A security breach
- A data breach
- A cyber attack
- A ransomware attack
- Or, “We’ve been hacked!”
They’re all pretty much cut from the same cloth, and the only good response is to meticulously follow a tailored cyber incident response plan (CIRP) that you have ready to go at a moment’s notice.
The goal of having an incident response plan is to ensure that your organization is fully prepared for, and ready to respond to any level of cybersecurity incident fast and effectively. And today, incidents are inevitable. All that varies is the breadth and depth.
Here’s Gartner’s definition of a CIRP: Also known as a “computer incident response plan,” this is formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks. The CIRP should include steps to determine whether the incident originated from a malicious source — and, if so, to contain the threat and isolate the enterprise from the attacker.
- Is there a difference between incident response and incident handling?
Well, yes, although response and handling go hand in hand, and without both, you do not have a sound incident response process. Incident response refers to the technical aspects of incident analysis and containment, whereas incident handling refers to the human responsibilities: the communications, coordination, and cooperation required to see the process through.
- What is the incident response life cycle?
The life cycle of a cyber incident is defined by the stages a typical incident goes through, and it includes everything from preparing for an incident to analyzing the lessons you learned after experiencing one. I like this version of the incident response life cycle:
Preparation > Incident Discovery and Confirmation > Containment and Continuity > Eradication > Recovery > Lessons Learned
- What are the different types of information security incidents?
There are many types of cybersecurity incidents that can result in intrusions on your organization’s network or full-on data breaches, but I’m going to focus on the six to which I believe organizations are most vulnerable:
- Phishing attacks: you click on a link in an authentic-looking email and end up giving away sensitive information (like a password), or enabling ransomware or some other malware. Companies are super-vulnerable to phishing attacks because cybercriminals target the weakest links in most companies—its employees—and success rates are high! A more targeted type of phishing attack known as spearfishing occurs when the attacker invests time researching the victim in order to pull off an even more successful attack.
- Denial-of-service (DoS) attacks: the point of this attack is to shut down an individual machine or entire network so that it cannot respond to service requests. DoS attacks achieve this by inundating the target with traffic or sending it some information that triggers a crash.
- Man-in-the-middle (MitM) attacks: an outside entity intercepts and alters the communication between two parties who believe they are communicating with each other. By impersonating them both, the attacker manipulates both victims in an effort to gain access to data. The users are blissfully unaware that they are both talking to an attacker. Session hijacking, email hijacking, and Wi-Fi eavesdropping are all examples of MitM attacks.
- Drive-by attacks: a common method of spreading malware, criminal hackers seek out insecure websites and plant a malicious script into code on one of the pages. The script could install malware onto the computer of someone who visits the site or re-direct the victim to a different site controlled by the hackers.
- Password attacks: this sort of attack is aimed specifically at obtaining a user or an account’s password. Criminal hackers use a variety of techniques for getting their hands on passwords, such as password-cracking programs, dictionary attacks, password “sniffers”, or brute-force password guessing, often based on some personal knowledge of an individual (like the birthday, dog’s name, etc.) This is why strong passwords are so important.
- Malware and ransomware attacks: a broad term for any sort of malicious software that’s installed on your system without your consent can be considered malware. You are probably familiar with many types of malware—file infectors, worms, Trojans, ransomware, adware, spyware, logic bombs, and different types of viruses. Some are inadvertently installed when an employee installs freeware or other software, clicks on an ad, or visits an infected website. The possibilities are endless, therefore so are the chances of an employee falling victim to a malware attack.
Related Materials: Download our Free Guide – Ransomware on the Rise (Best practices to become more resilient so you can avoid being the next ransomware victim).
Industry-specific cybersecurity incident reporting
The incident response process described in the life cycle above is largely the same for all organizations, but the incident reporting procedure varies for certain industries. For example, if you’re in the healthcare industry you may need to observe the HIPAA incident reporting requirements.
These are some industry regulations that have very specific laws around incident reporting, and who they apply to:
HIPPA – if you create, receive, maintain or transmit electronically protected health information
FISMA/NIST – if you’re a Federal agency or government contractor
PCI DSS – if you accept, store, or transmit credit card data
NERC/CIP – if you’re an energy and utility company
SOX – if your organization is a public company (though in some cases private companies must also comply with SOX regulations)
NYCRR – if You’re a New York insurance company, bank, or other regulated financial services institution
If your organization must adhere to any of the above regulations, you must familiarize yourself with the incident reporting requirements that might uniquely apply to your industry. Links to helpful industry-specific information can be found in the incident response template.
The template also has:
- Customization instructions
- Assembling an incident response team, including IT, compliance, and communications representatives
- Threat classification
- A sample cyber Incident
- Phase of the incident, and the appropriate actions to take at each step (the template ensures you capture all the right information)
As an additional resource, our whitepaper provides a broader incident response strategy.
Incident response is a plan I hope you’ll never need
I talk about the incident response process often, but always with the hope that you’ll never need to report an incident. And as more organizations take steps to protect themselves, become more resilient and recover quickly, I look forward to seeing fewer victims of cybercrime.
In the past few years, Gartner’s number 1 security project is privileged account management (PAM) But like incident response, Cybersecurity has a technical AND a human aspect—employee cyber awareness training is critical to your organization’s security. cybercriminals view employees as the fast track into your company’s network, so security training should be introduced on day one of your new hire orientation process.
No cybersecurity solution is bulletproof
No solution you choose to protect your privileged access, nor any amount of employee training, will guarantee you bullet-proof cybersecurity. After all, the cybercriminal’s ongoing challenge is to stay a step ahead of you. But having a rock-solid incident response procedure in place can minimize the damage—even stop it before it gets a foothold—and save you money, time, and your reputation.