This NIST framework function tells you what you need to do to respond to a cybersecurity incident, including the strategic planning and the specific areas to focus on.
Continuing through the primary functions of the NIST cybersecurity framework, we get to “Respond.” After the “Identify” function where you had determined the risks, vulnerabilities, and elements of your security program, you began implementing various security controls to “Protect” your data and critical systems. You also put in place technology and processes to “Detect” potential threats and events.
But what would you do if you confirmed that a cyber event took place? Are there strategies and activities you can use to react to an incident and mitigate the adverse outcomes? The answer is yes; all of this is part of the fourth NIST function, “Respond,” designed to help you manage a cybersecurity incident.
Importance of “Respond” Planning
It’s essential to understand that much of the NIST “Respond” function consists of response planning. In fact, the first of the five categories that NIST outlines for responding to an incident is called “response planning.” It largely dictates how seriously your organization takes incident response and how capably you will manage an incident.
The difference between responding in minutes and responding in weeks can turn an event with minor impact into one with large-scale reputational harm and/or financial loss. Proper planning allows you to manage the incident more quickly and to understand each role, responsibility, and action step. It also helps you quarantine an incident as much as possible, which can prevent further issues caused by the incident.
Incident Response Plan
Everything you will need to respond can be documented and condensed into what’s called an “incident response plan.” An incident response plan should have action steps for multiple event scenarios that, at a minimum, include ransomware, unauthorized network access, system outage or denial of service attack, data corruption, and leaking of confidential information.
Your response plan should also indicate an escalation process that includes contact information for outside firms that would assist you in a cyber incident. This would consist of your insurance agency (assuming you have a cyber insurance policy), law firm, IT management company, and possibly a designated incident-response consultant.
Cyber & Data Breach Insurance
When planning to “Respond,” it is highly important to purchase a cyber insurance policy so you can manage the financial impact a cyber incident will have on your business. Cyber insurance covers the direct costs of responding to an incident such as ransomware payments, forensics, data recovery, and even loss of profits from a shutdown. There’s also the liability component for the cost of legal defense, settlement, and damages resulting from the incident.
In order to ensure that all personnel involved in your incident response plan are prepared to promptly handle their responsibilities, you can use what’s known as the “tabletop exercise.” This merely gets everyone together to go through an incident simulation to make sure each individual is prepared for their specific role, find flaws in the response plan, and offer training where it’s needed. This exercise should be completed periodically and before an incident occurs.
As part of your planning, you’ll need to be ready to work with an eDiscovery service or to use eDiscovery software, by establishing where data is stored, the security controls surrounding it, and who has access to it. Information about your data should be included in the incident response plan. This is especially important in order to simplify the legal and investigative processes that follow a cyber incident, when electronic information needs to be collected.
Other Components of “Respond”
Beyond the “response planning” category, NIST outlines four other “Respond” categories that need to be managed during the incident:
- Communications: Coordination takes place between internal personnel as well as outside stakeholders regarding an incident.
- Analysis: Incident is thoroughly evaluated in terms of scope and impact to the organization.
- Mitigation: Processes are in place to isolate an incident as much as possible and resolve it as quickly as possible.
- Improvements: The organization makes adjustments and enhancements to its cybersecurity program based on the response activities.
The activities associated with each of these components can be best expressed through an example. Let’s say that ABC Inc, a management consulting firm, discovers through its endpoint detection and response (EDR) software that a malicious actor gained unauthorized access to its network.
Luckily for ABC Inc, they are fully prepared to handle this incident because they had already completed in-depth response planning by:
- Purchasing a cyber & data breach insurance policy
- Simulating incidents using the tabletop exercise to make sure all responsible parties understood what needed to be done
- Establishing and documenting their data systems to streamline any eDiscovery process necessary
- Consolidating their strategies and response steps into an incident response plan
Upon discovery by their IT staff, multiple response events take place:
- IT staff determines that the breach is only in the human resources network, segmented from the other systems. This means that currently, the threat actor only has access to the HR database and HR applications. (Analysis)
- IT staff also establishes that the access came through a standard login, which means the cybercriminal stole a specific employee’s credentials through a phishing scam or other technique. (Analysis)
- The IT staff notifies the HR department of the breach to cease operations and monitor any spread of the event. (Communications)
- IT staff also contacts the ABC Inc financial department to file a pre-claim on their cyber insurance, reach out to their retained law firm for potential liability issues, and prepare for eDiscovery. (Communications)
- The IT staff has an access control management system where they can boot agents off the network, require a password change, and prompt a requirement for that user to re-login. The IT staff does these activities to resolve the incident and remove the criminal from the system. All HR staff are instructed to change their passwords. (Mitigation)
- Because the incident was likely caused by employee negligence, all employees of ABC Inc are required to complete security awareness training. IT staff also implements multi-factor authentication requirements to add an additional security layer. (Improvements)
- In terms of the incident response, upper management felt that IT could have communicated more quickly with HR about the incident and decided to look into better emergency notification solutions for the organization. They also schedule monthly tabletop exercises to be better prepared. (Improvements)
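The Analysis and Mitigation steps in the ABC Inc scenario can be partly automated. The following is an added example, not code from the article or from AGT: it scopes a suspect account's activity from authentication logs (which network segments it actually reached, which it only attempted, and whether the pattern looks like stolen credentials rather than password guessing) and then derives the containment actions the scenario describes (evict the account, force a password change, require re-login, and reset the rest of the affected department). The log format, segment ranges, user directory and all log lines are constructed for illustration.

```python
# Added example: incident scoping and containment from authentication logs.
# Everything below (log format, IP ranges, users, departments) is constructed.
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Hypothetical network segments for ABC Inc. The article says the HR network is
# segmented from the other systems; this map is how the scoper knows that.
SEGMENTS = {
    "HR": ip_network("10.10.20.0/24"),
    "Finance": ip_network("10.10.30.0/24"),
    "Engineering": ip_network("10.10.40.0/24"),
}

# Hypothetical user directory: which department each account belongs to.
DIRECTORY = {"jdoe": "HR", "mlee": "HR", "asmith": "Finance", "rkhan": "Engineering"}

# Constructed log lines in an assumed format:
# <timestamp> <LOGIN_OK|LOGIN_FAIL> user=<name> src=<ip> dst=<ip> app=<name>
SAMPLE_LOGS = [
    "2024-03-04T08:02:11Z LOGIN_OK user=jdoe src=10.10.20.15 dst=10.10.20.5 app=hr-portal",
    "2024-03-04T22:41:03Z LOGIN_FAIL user=jdoe src=203.0.113.77 dst=10.10.20.5 app=hr-portal",
    "2024-03-04T22:41:29Z LOGIN_OK user=jdoe src=203.0.113.77 dst=10.10.20.5 app=hr-portal",
    "2024-03-04T22:47:10Z LOGIN_OK user=jdoe src=203.0.113.77 dst=10.10.20.8 app=hr-db",
    "2024-03-04T22:55:44Z LOGIN_FAIL user=jdoe src=203.0.113.77 dst=10.10.30.4 app=finance-erp",
    "2024-03-04T23:01:02Z LOGIN_OK user=asmith src=10.10.30.12 dst=10.10.30.4 app=finance-erp",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) app=(?P<app>\S+)$"
)


@dataclass
class Scope:
    """What the suspect account actually reached, and what it only tried."""
    user: str
    segments: set = field(default_factory=set)            # segments with a successful login
    attempted_segments: set = field(default_factory=set)  # segments where every attempt failed
    apps: set = field(default_factory=set)
    external_sources: set = field(default_factory=set)    # source IPs outside every segment
    valid_credential_logins: int = 0
    failed_logins: int = 0


def segment_of(ip: str):
    """Return the segment containing ip, or None if it lies outside all segments."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def scope_incident(lines, suspect_user: str) -> Scope:
    """Analysis step: walk the logs and record where the suspect account got in."""
    scope = Scope(user=suspect_user)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["user"] != suspect_user:
            continue  # malformed line, or another user's activity
        dst_segment = segment_of(m["dst"])
        if segment_of(m["src"]) is None:
            scope.external_sources.add(m["src"])
        if m["result"] == "LOGIN_OK":
            scope.valid_credential_logins += 1
            scope.apps.add(m["app"])
            if dst_segment:
                scope.segments.add(dst_segment)
        else:
            scope.failed_logins += 1
            if dst_segment:
                scope.attempted_segments.add(dst_segment)
    # A segment that was eventually reached is not "attempted only".
    scope.attempted_segments -= scope.segments
    return scope


def classify_access(scope: Scope, guess_threshold: int = 3) -> str:
    """Successful logins with few failures point to stolen credentials, not guessing."""
    if scope.valid_credential_logins == 0:
        return "no_access"
    if scope.failed_logins >= guess_threshold:
        return "password_guessing"
    return "credential_theft"


def containment_actions(scope: Scope, directory: dict) -> list:
    """Mitigation step: evict and reset the account, then reset the affected departments."""
    actions = [
        f"revoke_sessions user={scope.user}",
        f"force_password_reset user={scope.user}",
        f"require_reauth user={scope.user}",
    ]
    for segment in sorted(scope.segments):
        actions.append(f"notify department={segment}")  # Communications step
        for user, dept in sorted(directory.items()):
            if dept == segment and user != scope.user:
                actions.append(f"force_password_reset user={user}")
    return actions


if __name__ == "__main__":
    s = scope_incident(SAMPLE_LOGS, "jdoe")
    print(f"reached: {sorted(s.segments)}  attempted only: {sorted(s.attempted_segments)}")
    print(f"access pattern: {classify_access(s)}  from {sorted(s.external_sources)}")
    for action in containment_actions(s, DIRECTORY):
        print(action)
```

Run against the constructed logs, the scoper reports that `jdoe` reached only the HR segment (the failed attempt against the Finance ERP shows the segmentation held), that the access came from one external address with a handful of failures before success, and it produces the reset list for the HR department without touching Finance or Engineering accounts. The thresholds and action names are assumptions; in practice they would map onto your access control management system's own commands.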
Prepare Your Response Plan
The best way to mitigate a cyber incident is by meeting it head-on with a plan ready to go. Ascension Global Technology can ensure that your business and the people inside it are fully prepared to “Respond” to the unexpected, execute that response, and enhance your cybersecurity program by incorporating this function of the NIST Framework. Schedule a consultation with one of AGT’s cybersecurity experts today to get started.