In 2020, 39% of businesses in the UK reported a cyber security breach or attack. When an attack takes place, it kicks off a cyber security incident response effort aimed at mitigating the impact of the event, limiting the damage to the organisation’s operations, finances, and reputation. However a successful cyber attack incident response begins long before an attack actually takes place.
A cyber security incident response involves understanding where an attack could come from, preparing for that attack, implementing early warning systems, and finally ensuring that the right team is in place to deal with the incident when it takes place.
Phishing is the most common form of cyber incident
Phishing is still the most common form of cyber incident faced by organisations of all shapes and sizes. The UK Government’s Cyber Security Breaches Survey 2021 identified phishing as the most common form of threat by a long way. 83% of respondents to the survey reported that they had identified phishing attacks against their organisation.
By contrast, the second most common form of cyber attack identified in the survey is “Others impersonating organisation in emails or online”, at 27%. Furthermore, the proportion of organisations reporting phishing activity has increased from 72% in 2017, suggesting that phishing is still getting the desired results.
The other forms of cyber attack identified include: viruses, spyware or malware; ransomware; denial of service attacks; hacking or attempted hacking of financial accounts; unauthorised accessing of files or networks by staff or outsiders, and more.
Preparation is key… But what does that mean?
That’s a question that many organisations are still trying to answer. Again, the Cyber Security Breaches Survey 2021 found that just 31% of businesses and 27% of charities include cyber security in their business continuity plans. In addition, simply having an incident response plan in place doesn’t mean that they are effective.
Tips for preparing for a cyber attack include:
Put in good detection controls – You can’t respond to incidents you don’t detect. Make sure to get early warning of an attack through effective detection controls and have an efficient security operations centre who can mobilise quickly in an attack.
Create incident response playbooks – Go a step further than creating an incident response plan – create a playbook. A playbook will include all the information, contact details, step by step tasks the cyber attack incident response team need to carry out in order to respond to the incident.
Move incident response plans off the page – Test incident response plans with tabletop exercise, or rehearse them with full cyber attack simulations to see what works and what doesn’t work. Acting out cyber attack incident response plans will ensure that everything is covered in the plan, and that everyone knows what to do in the real thing.
Help employees stay safe – It’s no coincidence that phishing and other forms of social engineering are the most common form of cyber incident. Humans have long been seen as the weakest link when it comes to cyber security, and attackers exploit their lack of awareness. Engage employees with the cyber security programme, and train them to become security champions, protecting themselves and the organisation’s network.
Review cyber security incident response plans regularly – Things change. So don’t forget to update plans when they do. When new systems come online, add them to the playbook. Review the list of incident responders and their contact details to ensure that it is as up to date as possible.
Get an early warning of cyber attack
There’s no fail safe way to become aware of cyber incidents, and that’s why organisations usually rely on several notification methods. As well as the technology in place, information security teams are also expected to tap into the wider community and threat intelligence resources. These are not as scary as they sound and can include threat bulletins, peer groups, and the industry press.
Again, employees can be a great resource and should be encouraged to report unusual activity to their information security teams as soon as they first see something suspicious.
What should go into a cyber security incident response plan?
There are many variables to include in a cyber attack incident response plan, but just some of the elements to consider include:
- A process for identifying the source of the incident
- The location, sensitivity, and relative value of all sensitive data
- Roles and responsibilities assigned to specific individuals
- A list of critical systems which should be prioritised in any remediation activity
- A step by step playbook for the incident response to enable teams to work in the right order
- How to restore backups
- A process for formally logging incidents
- Written guidance on who to notify including regulators
- Communications plans for employees, stakeholders, and the public
- The contact details of any third party cyber attack incident response support
Spring into action – speed is essential in a cyber security incident response
When an attack occurs, time is of the essence. This is when those plans and playbooks are most needed as the incident response team needs to mobilise quickly and methodically. Most of the first few tasks should already be done – the incident response team should know how they are, the Lead Investigation Officer should already be in place, tasks should be mapped out, and communications plans should be in place.
With that said, some of the activities that follow a cyber incident include:
Quickly contain the breach
Understand which servers, devices, systems are impacted and take them off line as quickly as possible. Disconnect everything from the internet while searching for the full scope of the attack, and disable remote access. Change passwords for all systems immediately.
Assess the breach
Gather more information about the breach. Is it a stand alone attack, or are other organisations also affected?
Log everything
Keep a comprehensive log of the incident and response, including when the incident occurred, how it was discovered, the actions undertaken to manage it, the members of the incident response team, and more.
Prioritise what to work on when
Information about the criticality of certain systems, and what to prioritise should be in the cyber security incident response plan. Of highest priority are the systems required to operate, or to return to operations as quickly as possible.
Communicate with stakeholders
Notify employees, stakeholders, customers, and the public as soon as possible. Contact regulators and insurance providers in the first instance.
Leading the way from the front: How should the leadership team respond?
While the incident response team are carrying out their work, leadership should also be carrying out their work. Again, requirements from leadership will be set out in the cyber security incident response plan, and they will include such tasks as being the face of the organisation to employees, stakeholders, the media, regulators, and more.
In addition, the way that leadership behave will set the tone for the incident response. The organisation needs leadership to stay calm and focused on the task at hand, to support the incident response team, and to keep on message both internally and externally.
Recovering from a cyber attack
The initial response to a cyber attack is only the start of an organisation’s recovery from the incident. Once the heat of the response has ended, that’s when the post event analysis kicks in to avoid it happening again.
Post event analysis is when an organisation can understand the underlying vulnerabilities that enabled the attack. During this analysis they will want to look at the type of attack, causes, failures, whether it was preventable, and what can be done to protect the organisation from a similar attack in future.
Analysing the incident response is also important. Organisations will want to understand which containment actions worked, whether the cyber attack incident response plans were effective, and the losses and costs of the attack.
Finally, there will be a rebuilding exercise for the organisation to return to a position of stability. The rebuilding phase may require support and help from third parties who can work with the organisation to strengthen their security risk and compliance. Technology and controls will need to be updated, additional safeguards should be added, and a program built for regular checks of infrastructure security.
After all, prevention is better than cure, and learning the lessons from one cyber attack is key to breaking the cycle and avoiding another attack the next time.
Stay safe