Components of a World-Class Cyber Incident Response Program


Before we address the main topic of the day, here are cybersecurity news you might've missed this week:

  • WhatsApp Pink, the new malware in town. Some WhatsApp users have received a message containing a link that supposedly delivers the familiar WhatsApp experience in a cheerful pink colour. Alas, the link leads to a page offering the malicious WhatsApp Pink app for download, which will steal your credentials and data - all while leaving your app in its plain old colours. Bummer.

  • Hackers launch 100,000 web pages with malicious PDF templates. A threat group is now leveraging legitimate search engine techniques to lure unsuspecting Internet users into downloading SolarMarker Remote Access Trojans disguised as genuine templates for invoices, receipts, questionnaires and more in PDF format.

  • System admin of the FIN7 hacking group gets a 10-year sentence. The US Department of Justice has sentenced Fedir Hladyr, 35, a high-level systems admin of the hacker group FIN7, to 10 years in federal prison after he pleaded guilty to wire fraud and conspiracy charges. FIN7 itself, however, is still alive and well, with over 70 people organized into business units and teams running highly sophisticated malware campaigns against hundreds of US companies in the restaurant, gaming, and hospitality industries.

And now to our topic for the day.


For an average business, cyberattacks are a daily occurrence, and we’ve already established that the difference between a company that goes down and a company that lives to fight another day is often a well-thought-out Cyber Incident Response Program.

But what does a world-class Cyber Incident Response program look like?

#1 - An Incident Response Plan

An Incident Response (IR) Plan is a detailed (typically 80-150 pages) document that provides comprehensive cybersecurity crisis management guidelines and materials for an efficient response across all relevant departments in your business.


The contents of a solid IR Plan would fall into 3 categories:

  • Processes. Detailed guidance on incident severity classification, correct playbook selection, escalations, communications, business continuity, third-party interactions, change and asset management, and more across the entire NIST or SANS Response process.

  • People. Cross-functional collaboration is key during an incident; this is precisely why the Plan describes who performs which actions for maximum efficiency and what triggers those actions, and outlines each team's structure, RACI, backups, roles and interactions.

  • Accelerators. Time and resources are everything in a crisis; a good IR Plan will provide detailed plug-and-play templates and guidance for everything from reports, status tracking and email wording to contacts and law enforcement communications so you don't waste either.

#2 - Scenario-Based Playbooks

While the IR Plan is more of a crisis management document, the playbooks that complement it are designed to provide a series of detailed, specific directions that are highly situational. Usually, a company would have a specific playbook for various cyberattack scenarios, such as ransomware, phishing, insider threat, and others.

Such playbooks would detail steps across all phases of each type of scenario:

  • Pre-Incident, covering cyber incident awareness training, cross-functional cyber response simulations, guidance to monitor cyber intelligence feeds, and other steps to take prior to an incident.

  • Identification, providing guidance on how to accurately determine the type of incident and its severity, and how to perform the initial escalations and short-term containment.

  • Containment, detailing the steps to implement long-term containment measures and monitor their effectiveness.

  • Eradication, covering the complete removal of the threat, including the attack's root cause.

  • Recovery, focusing on the complete restoration of business-as-usual; and

  • Lessons Learned, where the team can get together, review the incident and discuss what was done well, and what could've been done better.
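The process points above (severity classification, playbook selection and escalation triggers under #1, and the ordered phases of a scenario playbook under #2) are the parts of an IR program that tooling can enforce rather than merely document. The following is an added example, not code from the original post or from any vendor's product: a small Python triage model that classifies severity from three scoping facts, picks the scenario playbook, derives the escalation chain from severity, and tracks an incident through the playbook phases while refusing out-of-order transitions (for instance, jumping straight from Eradication to Lessons Learned). The thresholds, playbook identifiers and RACI roles are constructed assumptions; a real plan's classification table and contact list replace them.

```python
"""Incident triage and phase tracking for a scenario-based IR program.

Added example (not the page's or any vendor's code). All thresholds,
playbook identifiers and escalation roles below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Playbook phases in the order the post lists them. Assumption: a playbook
# may only advance forward, except that Containment may fall back to
# Identification when the initial scoping turns out to be wrong.
PHASES = ["Pre-Incident", "Identification", "Containment",
          "Eradication", "Recovery", "Lessons Learned"]
ALLOWED = {p: {PHASES[i + 1]} for i, p in enumerate(PHASES[:-1])}
ALLOWED["Containment"].add("Identification")
ALLOWED["Lessons Learned"] = set()  # terminal phase

# Scenario -> playbook document id (constructed names).
PLAYBOOKS = {"ransomware": "PB-RANSOMWARE",
             "phishing": "PB-PHISHING",
             "insider": "PB-INSIDER"}

# Who gets paged at each severity, 1 = highest (constructed RACI roles).
ESCALATION = {1: ["SOC lead", "CISO", "CEO", "Legal", "PR"],
              2: ["SOC lead", "CISO", "Legal"],
              3: ["SOC lead"],
              4: []}


def classify_severity(hosts_affected: int, sensitive_data: bool,
                      business_critical: bool) -> int:
    """Return severity 1 (highest) to 4 from three scoping facts.

    The rules are an assumption standing in for a plan's classification table.
    """
    if business_critical and (sensitive_data or hosts_affected >= 50):
        return 1
    if sensitive_data or business_critical or hosts_affected >= 50:
        return 2
    if hosts_affected >= 5:
        return 3
    return 4


def select_playbook(scenario: str) -> str:
    """Pick the scenario playbook; unknown scenarios get the generic one."""
    return PLAYBOOKS.get(scenario.lower(), "PB-GENERIC")


@dataclass
class Incident:
    ident: str
    scenario: str
    severity: int
    playbook: str
    phase: str = "Identification"  # an opened incident starts here
    # (when, from_phase, to_phase, note) entries for the Lessons Learned review
    timeline: List[Tuple[datetime, str, str, str]] = field(default_factory=list)

    def advance(self, new_phase: str, note: str,
                when: Optional[datetime] = None) -> None:
        """Move to another phase, refusing transitions the playbook forbids."""
        if new_phase not in ALLOWED[self.phase]:
            raise ValueError(f"{self.phase} -> {new_phase} is not allowed")
        stamp = when or datetime.now(timezone.utc)
        self.timeline.append((stamp, self.phase, new_phase, note))
        self.phase = new_phase

    def escalation_targets(self) -> List[str]:
        """Roles that must be notified for this incident's severity."""
        return list(ESCALATION[self.severity])


def open_incident(ident: str, scenario: str, hosts_affected: int,
                  sensitive_data: bool, business_critical: bool) -> Incident:
    """Classify, choose the playbook and create the incident record."""
    sev = classify_severity(hosts_affected, sensitive_data, business_critical)
    return Incident(ident, scenario, sev, select_playbook(scenario))


if __name__ == "__main__":
    # Constructed walk-through: a ransomware outbreak on a critical segment.
    inc = open_incident("INC-0001", "ransomware", 120, True, True)
    print(inc.severity, inc.playbook, inc.escalation_targets())
    inc.advance("Containment", "affected VLAN isolated")
    inc.advance("Identification", "scope wider than first assessed")
    inc.advance("Containment", "second segment isolated")
    inc.advance("Eradication", "malware removed, initial access vector closed")
    for when, src, dst, note in inc.timeline:
        print(when.isoformat(), f"{src} -> {dst}", note)
```

The fallback from Containment to Identification is the one backward edge: it models the common case where long-term containment reveals that the initial scoping was too narrow. Every transition is stamped, so the timeline doubles as the evidence base for the Lessons Learned session.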

#3 - Training and Simulations

Without proper, continuous training, all of the IR Program documents will remain just that - a collection of dusty old PDFs. Practical crisis simulation exercises that allow every CIRT member to go through scenario-specific steps are essential for robust implementation.


One of the most basic exercises is a Tabletop: a 3-4 hour interactive activity that presents both technical and business stakeholders with a simulated incident scenario, and demands relevant inputs from each, providing hands-on training that can highlight flaws in incident response planning.

#4 - Tools and Governance

Finally, a good IR Plan will take full advantage of the tools available on the market to augment the CIRT's capabilities.

Luckily, there is an abundance of excellent tools out there, from threat hunting platforms to pre-configured operating systems dedicated to digital forensics.

Don't forget to subscribe to our newsletter to get weekly cybersecurity insights and top news - straight to your mailbox!
