Whether you're a small startup or a major financial institution, having a well-crafted incident response (IR) plan is crucial for effectively managing and mitigating the impact of a cyberattack.
In this blog, we’ll cover all the necessary components of a robust IR plan, along with key considerations that often get overlooked.
The good news is that there are plenty of resources offering detailed steps and components for building your IR plan, so you won't have to start from scratch. A key player to involve early in this project is your designated cyber insurance firm, as your policy will outline the required components for coverage.
When starting, it’s important to note that relying solely on a single IR template might not be ideal. Such templates are often too generic, leading to gaps in coverage or excessive measures for your organization.
Two popular IR frameworks that offer great detail and often get referenced include:
For this blog, we'll focus primarily on the NIST SP 800-61. While it’s currently undergoing its third revision, we’ll base our discussion on the original IR lifecycle found below:
Before creating an incident response (IR) plan, consider several key factors. First, assess your organization's size and the number of employees to determine the plan's complexity. Understand the type and sensitivity of the data you handle, as more sensitive data requires stricter measures. Additionally, consider common vulnerabilities in your industry. For example, the financial sector often relies on numerous vendors, necessitating a detailed and comprehensive vendor management program to document critical third parties. This might also involve employing external forensics teams, security experts, or managed services.
Additional topics to consider include:
Preparation is crucial to incident response. This step is primarily focused on setting up the right tools and resources, along with training your entire team. The goal is to prevent cyber events by conducting regular assessments and vulnerability scans. By having a clear picture of your network security, you can protect it more effectively. Your preparation phase should include regular risk and network security assessments, malware prevention, antivirus scanning, and security awareness training. These steps will all help keep your organization safe and prepared for any cyber threats.
NIST lists two parts to this initial phase: preparation and prevention. Preparation focuses heavily on ensuring your systems, networks, and applications are secure, while prevention focuses on securing the IT environment and continuously monitoring your systems and network to detect any anomalies.
Steps to tackle in this phase include:
In the detection and analysis stage, the first step is identifying the nature of the threat and determining if it constitutes an incident. NIST categorizes signs of incidents into two types: precursors, indicating a potential future incident, and indicators, suggesting a current or past incident. We prefer to break this down into three parts: event, incident, and breach. An event is a suspicious activity found in a log that warrants investigation, an incident involves known malware, and a breach means data has been exfiltrated from your environment.
Once incidents are identified, the analysis phase involves documenting and prioritizing them effectively. Documentation in a ticketing system is essential for maintaining security and compliance standards. Effectively prioritizing incidents is one of the most crucial decisions in the incident response process. It's important not to handle incidents solely based on their order of occurrence due to resource constraints. According to NIST, factors to consider for incident prioritization include:
Finally, the last step in this phase is promptly reporting incidents internally and to relevant agencies, law enforcement, or affected parties to facilitate timely response and resolution.
The primary objective of this phase is to isolate the cyber incident, remove the cyber threat, and return systems to their pre-compromised state. Response teams isolate infected systems during containment and, to prevent further harm, conduct forensic operations immediately after containment. They then remove the cyber threat, and this effort continues until eradication is complete. Begin the recovery process by restoring from clean backups, but remember to address any vulnerabilities exploited in the original attack with security patches and remediation efforts.
Remember: before reconnecting systems to the internet, monitor for abnormal log activity indicating persistent malware.
Although not recommended, during this phase you can divert some of your attention and efforts to identifying the attackers. Common methods include:
Learning and improving are crucial yet often overlooked aspects of incident response. Teams must adapt to new threats, technology, and insights to stay effective. Holding a "lessons learned" meeting after major incidents, and occasionally for smaller ones, can greatly enhance security and response efforts. These meetings, ideally held within a few days of an incident, offer a chance to review what happened, evaluate the actions taken, and assess their effectiveness. They also provide a valuable opportunity for team reflection and growth. Consider asking the following questions during your review phase:
Testing is crucial for the success of your incident response plan. According to NIST SP 800-84, two effective methods are Tabletop Exercises and Functional Exercises.
Tabletop Exercise:
A tabletop exercise is a great way to test your incident response plan. It's a discussion-based session where the team explores their roles and responses during a security incident through example scenarios. The main goals are to:
In these exercises, a facilitator presents a scenario and asks questions to initiate discussion about roles, responsibilities, coordination, and decision-making. Tabletop exercises are particularly useful if you already have a response plan in place for the scenario being tested. They help ensure your plans are effective and comprehensive.
Functional Exercise:
A functional exercise tests your team's readiness by having them perform their duties in a simulated environment. Unlike tabletop exercises, functional exercises involve real-time actions, testing how your team would handle a major incident and the specific roles, procedures, and resources involved.
These exercises can range from simple validations of certain plan elements to comprehensive tests of the entire plan. They help ensure everyone knows their responsibilities and can effectively respond during an actual emergency.
Rivial’s incident response software offers a robust foundation for creating a comprehensive and actionable incident response plan. With the Rivial Platform, you can either leverage our pre-built IR plans or customize them to your organization's size and scope through the guidance of our experienced IT staff. Additionally, our Platform enables you to test the plan thoroughly, allowing you to track real incidents efficiently, all within a single, integrated solution. This holistic approach simplifies the incident process and enhances your organization's preparedness and response capabilities. Schedule a call to learn more!