Practical Incident Response

The year 2016, and 2017 so far, have seen a rise in widespread, indiscriminate cyber-attack campaigns. The number of U.S. data breaches tracked in 2016 hit an all-time record high, according to a new report released by the Identity Theft Resource Center (ITRC) and CyberScout (formerly IDT911). This represents a substantial increase of 40 percent over the near-record high of the previous year. With the rise of cyber security threats, more and more banks are having to enact their incident response plans, only to find that while the plans may meet regulatory expectations, their practical application is found wanting. The midst of a crisis is not the ideal time to re-evaluate your incident response plan. So before you find yourself in that position, examine your incident response plan and ask yourself whether the document serves its practical purpose as well as satisfying your regulators.

A great way to test your incident response plan is through scenario-based testing and training. You can not only evaluate your incident response plan's practicality but also train staff on how to handle incidents that may affect your organization. Here are some common threats that every organization should know how to handle and should ensure its staff are aware of:

Phishing Emails 

Phishing emails and targeted attacks on business email have become more frequent, especially as ransomware attacks have been on the rise. According to a study conducted by Malwarebytes, 47 percent of U.S. companies experienced a ransomware attack in the last year, with 50 percent of those incidents resulting from someone clicking a malicious link in an email. Scenario: You have discovered that an employee clicked a link in an email that contained ransomware.

Malicious Attachments

It is just as important for your security team to know when malicious attachments have made their way onto the network as it is for staff to avoid opening them. Scenario: A malicious attachment made it through your filters into an employee's inbox and was opened.

Password and Other Suspicious Requests 

Cybercriminals can pose as employees, contractors, or third-party vendors to bait employees into divulging passwords and other sensitive access credentials. Scenario: An employee contacted IT admitting that they followed the instructions of a "suspicious" vendor, visited a website to allow remote access, and divulged their network password.

Unauthorized Computers and Devices on Network 

Computers and devices that have not gone through proper authentication processes before joining your corporate network are prime targets for attackers. Scenario: During an internal vulnerability assessment, a device was identified that the organization cannot account for.

During this scenario-based training you should evaluate your incident response procedures to ensure that, at a minimum, you can answer the following questions:

  • Do your procedures define when and how an incident is declared?
  • Who is responsible for declaration, containment, preservation of data and evidence, notification, and restoration of systems?
  • Exactly what would you do to contain the incident?
  • How will data and evidence be preserved so that their integrity is maintained?
  • What tools or outside resources will be needed to contain the incident and restore your network?
  • How are incidents documented throughout the entire process?
  • Are there defined thresholds for reporting incidents (internally, to regulators, to customers)?
  • Do you have defined restoration procedures to recover the network after the threat is neutralized?
  • Are there defined follow-up procedures to help prevent similar incidents in the future?

Having a practical and well-practiced incident response approach will help prevent a cyber incident from developing into a catastrophic event for the organization, whether financially, through damage to the organization's reputation, or both.

For more information, see the FFIEC Incident Response guidance, the NIST Computer Security Incident Handling Guidelines, and the ITRC Breach Report.