In this article our cyber expert Harry Lewis explores the essential guidelines to develop an effective cyber security incident response plan. This includes effective incident handling, focussing on the analysis of incident data and the tailored responses required to mitigate risks and restore operations swiftly.


Regardless of your technological environment, these guidelines offer a versatile framework for security incident management, ensuring your organisation will be well-equipped to navigate the evolving cyber security landscape. Drawing from my firsthand experience assisting organisations in both the private and public sectors, I identify the essential elements necessary for a successful cyber security incident response, including:


Essential Guidelines for Security Incident Response

In today’s rapidly evolving digital landscape, the significance of computer security incident response within IT programmes cannot be overstated. Despite preventive measures, new security incidents continue to emerge, which underscores the need for a robust incident response capability. Navigating the complexities of incident response demands a holistic approach that integrates technical expertise with strategic planning and effective collaboration. By adhering to these principles and embracing the guidelines provided, organisations can improve their cyber security protection against the ever-evolving landscape of cyber security threats.


Continuous monitoring for potential threats is paramount, as is the establishment of clear procedures for prioritising incident response efforts. Equally critical is the implementation of robust methods for collecting, analysing, and reporting incident data. Moreover, fostering strong relationships and establishing efficient communication channels with both internal stakeholders, such as human resources and legal departments, and external entities,


Understanding the NIST Framework for Incident Response

The National Institute of Standards and Technology (NIST) serves as a cornerstone of cyber security, offering a comprehensive approach to managing and improving cyber security posture for organisations across various sectors. Driven by its statutory responsibilities under the Federal Information Security Management Act within the United States, NIST has created a number of frameworks and guidelines to provide a flexible and risk-based approach to cyber security, enabling organisations to better understand, manage, and mitigate cyber security risks.


NIST creates standards and guidelines, setting minimum requirements, to ensure proper information security for all US government operations and assets. These guidelines serve as both guardrails and guiding principles for many organisations’ security approaches. They offer invaluable insights into the technology, people and processes needed to effectively monitor, manage, and respond to the security threats faced by an organisation. Telefónica Tech’s suite of cyber security services, NextDefense, has been designed around the NIST framework.


These NIST Incident Response guidelines encompass every area of security from an end-to-end perspective, including recommendations on incident response handling covering the key areas of:


  1. Planning and IR (Incident Response) Team Planning
  2. Preparation
  3. Identification
  4. Containment
  5. Eradication
  6. Recovery

1. Planning and IR Team Planning

Establishing an effective Computer Security Incident Response Capability (CSIRC) involves a series of crucial decisions and actions. One of the first steps is to define “incident” within the organisation’s context to establish clear boundaries. Decisions regarding the services the incident response team will provide, as well as the structure and model of the team, must be carefully considered and implemented. Equally important is the development of incident response plans, policies, and procedures to ensure efficient and consistent handling of incidents. These documents should also outline the team’s interactions with internal departments and external parties, including law enforcement and the media.


If we use a baking analogy, then, like a good cake, effective incident management depends on planning and preparation. To be prepared, there are a number of essential ingredients that need to be mapped and covered:


  • Establish a formal incident response capability to ensure swift and effective action in response to security breaches, meeting legal requirements under UK data protection and cyber security regulations.
  • Develop an incident response policy outlining incident definitions, organisational structures, roles, responsibilities, and reporting requirements in compliance with UK legal frameworks.
  • Craft a comprehensive incident response plan aligned with the policy, detailing objectives, metrics, training needs, and incident handling frequency, meeting UK legal obligations.
  • Create incident response procedures offering detailed instructions for responding to incidents following UK legal requirements.
  • Implement information-sharing policies and procedures compliant with UK legal obligations, facilitating collaboration with external entities such as law enforcement agencies and regulatory bodies.
  • Define clear reporting lines and report incidents to appropriate authorities, such as the Information Commissioner’s Office (ICO), in compliance with UK data protection laws.
  • Select an incident response team model considering organisational needs and resources, aligning with UK legal standards and best practices.
  • Recruit the right team members with technical proficiency, critical thinking, teamwork, and communication skills, ensuring compliance with UK legal requirements and standards.
  • Identify internal teams for collaboration in incident handling, enhancing the response process while meeting UK legal obligations.
  • Determine additional services the team should provide beyond incident response, such as monitoring systems and delivering security awareness programmes, aligning with UK legal requirements and best practices.


Building Your Team: The Core of an Effective Response Plan


An incident response team should be accessible to anyone who suspects or discovers an incident involving the organisation. Depending on the incident’s severity and available personnel, one or more team members will handle the incident by analysing data, assessing impact, and taking necessary actions to mitigate damage and restore services. The success of the incident response team relies on the cooperation of individuals across the organisation.


Various team models can be adopted:

  • Central Incident Response Team: Ideal for small organisations or those with limited geographic diversity.
  • Distributed Incident Response Teams: Suitable for large organisations or those with extensive computing resources across different locations. These teams must coordinate to ensure consistency and information sharing.
  • Coordinating Team: Offers advice to other teams without direct authority, often assisting individual teams within departments.

Additionally, incident response teams can adopt different staffing models:

  • Employees: The organisation handles all incident response work, with limited support from contractors.
  • Partially Outsourced: The organisation outsources certain incident response tasks. Common arrangements include 24/7 monitoring by managed security service providers (MSSPs) or contractors assisting with serious incidents.
  • Fully Outsourced: The organisation entirely outsources incident response work, typically to onsite contractors, when in-house resources are insufficient.

2. Preparation

Incident response methodologies commonly prioritise preparation, aiming to establish both the readiness to respond to incidents and preventive measures to secure systems, networks, and applications effectively. Effective readiness is separated within NIST guidelines into two distinct areas:


  • Incident Handling prep: Provide the software capabilities and communication facilities that the incident response team can access and draw upon in the event of an incident. Many incident response teams assemble a jump kit, a portable case stocked with essential materials for investigations, and it should always remain readily accessible. The contents of a jump kit typically mirror the preparation resources listed in the NIST guidance: each kit usually comprises a laptop equipped with the necessary software, such as packet sniffers and digital forensics tools, together with backup devices, blank media, and basic networking equipment and cables. To ensure expedited responses, the team should refrain from borrowing items from the jump kit.
  • Incident Prevention: Maintaining a relatively low number of incidents is crucial to safeguard the business processes of the organisation. Insufficient security controls can lead to a surge in incidents, potentially overwhelming the incident response team. To mitigate this, it is recommended organisations conduct:
    • Risk Assessments
    • Host Hardening
    • Implementation of appropriate Network Security controls
    • Utilising Malware prevention technologies
    • User Awareness training and incident handling education


Further to this, a key element of modern Incident Response preparation is having the correct tooling and utilising the latest capabilities on offer. AI and security tooling are becoming increasingly important for incident response due to several key benefits:


  • Faster Detection and Response: AI can analyse vast amounts of security data in real-time, identifying anomalies and potential threats that might slip past traditional methods. This allows for quicker response times, minimising the window of opportunity for attackers.
  • Automated Tasks: Security tooling can automate repetitive tasks like log analysis, freeing up security personnel to focus on more complex investigations and decision-making.
  • Improved Threat Analysis: AI can learn and adapt over time, becoming better at recognising new and evolving threats. This helps security teams stay ahead of attackers and respond to even sophisticated attacks.
  • Reduced False Positives: Security tools can filter out irrelevant alerts, reducing the time wasted investigating false positives and allowing security teams to focus on legitimate threats.
  • More Efficient Investigations: AI can help prioritise alerts and suggest investigation paths, streamlining the incident response process and leading to faster resolution.


Having a toolset prepared, configured and available is a key component of preparing for an incident. However, it is important to remember that AI and security tools are not a silver bullet. They require proper training, integration, and human oversight to function effectively.

3. Identification and Analysis

Given the multitude of ways incidents can arise, crafting comprehensive, step-by-step instructions for each scenario is impractical. Instead, organisations should maintain a general readiness to address any incident, with particular emphasis on preparing for those leveraging common attack vectors. Tailored response strategies are warranted for various incident types.

Accurately identifying and evaluating potential incidents is often the most daunting aspect of the incident response process. NIST defines the identification and analysis stage as broadly aligning to four areas:


1. Signs of an Incident: Precursors and indicators of an incident can come from many sources: alerts from solutions such as SIEM (Security Information & Event Management) or IPS (Intrusion Prevention System) tools, network or operational logs, or employees themselves. Building an accurate picture of an incident and analysing its severity and impact depends on the preparation and readiness of the organisation.

2. Incident Analysis and Documentation: Not every alert, precursor or indicator is a genuine incident, and their volume across your estate can vary widely. The incident response team should work swiftly to analyse and validate each incident, following a predefined process and documenting each step taken. When the team believes that an incident has occurred, it should rapidly perform an initial analysis to determine the incident’s scope (which networks, systems or applications are affected), who or what originated the incident, and how the incident is occurring (e.g., what tools or attack methods are being used and what vulnerabilities are being exploited). The initial analysis should provide enough information for the team to prioritise subsequent activities, such as containment of the incident and a deeper analysis of its effects.

3. Incident Prioritisation: Incidents should not be handled on a first come, first served basis, but instead be prioritised on relevant factors such as operational impact, informational impact, and recovery capability.

4. Incident Notification: The incident response team must inform the relevant individuals to ensure everyone plays their part effectively. Incident response policies should incorporate guidelines on incident reporting, specifying the essential information to be reported, the recipients, and the timing of reports (e.g., initial notification, regular updates). Typically, this involves notification to internal teams, system owners, users, and public affairs.
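The prioritisation and notification items above describe a triage decision but not how to make it repeatable. The following is an added example written for this article (it is not code from the original text or from Telefónica Tech): a small Python triage helper that scores each reported incident on the three factors named above, orders the queue by score rather than by arrival time, and derives the initial notification list from the resulting severity band. The rating scales, weights, band thresholds and notification targets are assumptions modelled loosely on the functional-impact, information-impact and recoverability categories in NIST SP 800-61; the four sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Example code added for this article; not part of the original text and not
# Telefónica Tech tooling. Scales below are assumptions modelled loosely on the
# NIST SP 800-61 impact/recoverability categories; adapt them to your policy.
OPERATIONAL_IMPACT = {"none": 0, "low": 1, "medium": 2, "high": 3}
INFORMATIONAL_IMPACT = {"none": 0, "privacy": 2, "proprietary": 2, "integrity": 3}
RECOVERY_EFFORT = {"regular": 0, "supplemented": 1, "extended": 2, "not_recoverable": 3}

# Relative weights are a policy decision; these values are illustrative.
WEIGHTS = {"operational": 3, "informational": 2, "recovery": 1}

# Who receives the initial notification at each band (assumed policy).
NOTIFICATION_TARGETS = {
    "critical": ["incident manager", "CISO", "legal", "public affairs", "system owners"],
    "high": ["incident manager", "CISO", "system owners"],
    "medium": ["incident manager", "system owners"],
    "low": ["incident manager"],
}


@dataclass
class Incident:
    ticket: str
    summary: str
    operational: str      # key of OPERATIONAL_IMPACT
    informational: str    # key of INFORMATIONAL_IMPACT
    recovery: str         # key of RECOVERY_EFFORT
    reported_at: datetime


def priority_score(inc: Incident) -> int:
    """Weighted sum of the three factors; a higher score is handled sooner."""
    return (WEIGHTS["operational"] * OPERATIONAL_IMPACT[inc.operational]
            + WEIGHTS["informational"] * INFORMATIONAL_IMPACT[inc.informational]
            + WEIGHTS["recovery"] * RECOVERY_EFFORT[inc.recovery])


def severity_band(score: int) -> str:
    """Map a score (0..18 with these weights) to a band used for notification."""
    if score >= 12:
        return "critical"
    if score >= 7:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage(incidents: list) -> list:
    """Order the queue by score; arrival time is only the tie-breaker."""
    return sorted(incidents, key=lambda i: (-priority_score(i), i.reported_at))


def notification_plan(inc: Incident) -> dict:
    """Initial-notification record for one incident."""
    band = severity_band(priority_score(inc))
    return {"ticket": inc.ticket, "band": band, "notify": NOTIFICATION_TARGETS[band]}


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 6, hour, minute, tzinfo=timezone.utc)


# Constructed sample incidents, listed in the order they were reported.
SAMPLE_INCIDENTS = [
    Incident("INC-1001", "User reports phishing email, link not clicked",
             "none", "none", "regular", _t(8, 5)),
    Incident("INC-1002", "Ransomware encrypting shared file server",
             "high", "integrity", "extended", _t(8, 40)),
    Incident("INC-1003", "Unencrypted laptop with customer records lost",
             "low", "privacy", "regular", _t(9, 10)),
    Incident("INC-1004", "DoS degrading the public web portal",
             "medium", "none", "supplemented", _t(9, 25)),
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_INCIDENTS):
        plan = notification_plan(inc)
        print(f"{inc.ticket} score={priority_score(inc):2d} {plan['band']:8s} "
              f"notify={', '.join(plan['notify'])}  {inc.summary}")
```

Run as a script, the queue comes out as INC-1002 (critical, 17), then INC-1003 and INC-1004 (both high at 7, older ticket first), with the first-reported phishing report INC-1001 handled last. The point of keeping the scales and weights in plain tables is that they can be agreed with management and legal in advance, so that the on-call analyst applies policy rather than judgement under pressure.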

4. Containment

The goal of any incident response is to contain, eradicate and recover from the incident in a timely and effective manner. In this step, the team determines the best course of action to stop the incident from spreading and reduce the impact to the organisation.


Containment is crucial to prevent incidents from exhausting resources or exacerbating damage. Given that most incidents require containment, it should be a priority early in the incident handling process. Containment allows for the formulation of a tailored remediation plan. Key to containment is effective decision-making, such as system shutdowns, network disconnections, or function disabling. Having predetermined strategies and procedures for containment facilitates these decisions. Organisations should outline acceptable risks in incident management and devise strategies accordingly.


Containment strategies differ depending on the nature of the incident. Organisations should develop specific containment strategies for each significant incident type, clearly documenting the criteria that aid decision-making. As part of containment, organisations should ensure:


  • Evidence Gathering and Handling: evidence should be collected and documented to support the investigation and to provide a trail that all members of the incident response team can follow. This documentation should also be gathered in a way that meets the legislative requirements of the country whose law applies to the breach.
  • Identification of compromised hosts: identifying the attacking host and validating its IP address is crucial. This enables communication from the attacker to be blocked and helps identify the threat actor, aiding understanding of their modus operandi. Moreover, it allows any other communication channels they may employ to be detected and blocked.
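The evidence-handling bullet above asks for a trail every team member can follow, which in practice means recording what was collected, from where, by whom, when, and a hash that lets anyone later confirm the artefact is unchanged. The following is an added example for this article (not the original text's code and not a Telefónica Tech tool): a minimal Python evidence register that hashes each artefact at collection time, keeps an append-only chain-of-custody trail, refuses hand-overs that would leave a gap in that trail, and can re-verify an artefact later. The record fields, holder names and the two sample artefacts (a firewall log excerpt and a memory snippet) are constructed; what a given jurisdiction actually requires in the record is for your legal team to specify.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Example code added for this article (not from the original text and not a
# Telefónica Tech tool). Record fields are assumptions; your legal team
# dictates what your jurisdiction requires in an evidence record.


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_host: str
    sha256: str          # hash taken at the moment of collection
    size_bytes: int
    custody: list = field(default_factory=list)  # append-only trail


def _now_iso(now=None) -> str:
    return (now or datetime.now(timezone.utc)).isoformat()


def register_evidence(item_id, description, source_host, collected_by,
                      data: bytes, now=None) -> EvidenceItem:
    """Hash the artefact at collection time and open its custody trail."""
    item = EvidenceItem(item_id, description, source_host, sha256_hex(data), len(data))
    item.custody.append({"at": _now_iso(now), "action": "collected",
                         "holder": collected_by, "from": source_host})
    return item


def transfer_custody(item: EvidenceItem, from_holder, to_holder, reason,
                     now=None) -> EvidenceItem:
    """Record a hand-over; the outgoing holder must be the current holder."""
    current = item.custody[-1]["holder"]
    if current != from_holder:
        raise ValueError(f"{item.item_id}: custody gap, current holder is {current!r}")
    item.custody.append({"at": _now_iso(now), "action": "transferred",
                         "holder": to_holder, "from": from_holder, "reason": reason})
    return item


def verify_integrity(item: EvidenceItem, data: bytes) -> bool:
    """True only if the artefact still matches the hash taken at collection."""
    return len(data) == item.size_bytes and sha256_hex(data) == item.sha256


def export_register(items) -> str:
    """JSON that any team member, auditor or counsel can read and re-verify."""
    return json.dumps([asdict(i) for i in items], indent=2)


# Constructed sample artefacts (documentation IP ranges, invented hosts).
FW_LOG = (b"2024-05-06T08:41:02Z deny tcp 10.0.5.23:51544 -> 203.0.113.9:445\n"
          b"2024-05-06T08:41:05Z deny tcp 10.0.5.23:51545 -> 203.0.113.9:445\n")
MEM_SNIPPET = bytes(range(256))

T0 = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
REGISTER = [
    register_evidence("EV-001", "Perimeter firewall log excerpt", "fw-edge-01",
                      "analyst.a", FW_LOG, T0),
    register_evidence("EV-002", "Memory capture, fileserver-02", "fileserver-02",
                      "analyst.a", MEM_SNIPPET, T0),
]
# The analyst hands the log excerpt to the forensics lead for timeline work.
transfer_custody(REGISTER[0], "analyst.a", "forensics.lead", "timeline analysis", T0)

if __name__ == "__main__":
    print(export_register(REGISTER))
    print("EV-001 intact:", verify_integrity(REGISTER[0], FW_LOG))
    tampered = FW_LOG.replace(b"51544", b"51599")  # same length, one port edited
    print("EV-001 tampered:", verify_integrity(REGISTER[0], tampered))
```

Storing the hash separately from the artefact (the register is a different file, ideally on write-once media) is what gives the trail its value: a single edited byte in the log excerpt makes `verify_integrity` return False, and a hand-over recorded against the wrong holder is rejected rather than silently logged.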

5. Eradication and Recovery

After containing an incident, eradication may become necessary to remove components like malware and compromised user accounts. This process also involves identifying and addressing all vulnerabilities exploited during the incident. It’s essential to identify all affected hosts within the organisation for remediation.


In some cases, eradication occurs concurrently with recovery efforts. During recovery, administrators restore affected systems to normal functionality, verify their proper operation, and address vulnerabilities to prevent future incidents. Recovery actions may include restoring from backups, rebuilding systems, patching vulnerabilities, and enhancing network security measures.


It’s crucial to phase eradication and recovery efforts to prioritise remediation steps. For significant incidents, recovery may span several months, with initial phases aimed at implementing quick, high-value changes for immediate security enhancement. Subsequent phases focus on longer-term improvements and ongoing security maintenance.


Given the Operating System or application-specific nature of eradication and recovery actions, detailed recommendations are beyond the scope of this article.

6. Post-Incident Analysis

One of the most crucial aspects of incident response, often overlooked, is the opportunity for learning and improvement. Each incident response team should adapt to emerging threats, technological advancements, and lessons learned from past incidents. Conducting a “lessons learned” meeting with all involved parties following a major incident, and periodically after minor incidents as resources allow, can enhance security measures, cyber security solutions and refine the incident handling process.


Multiple incidents can be addressed in a single lessons-learned meeting, providing closure by reviewing the sequence of events, interventions made, and their effectiveness. Ideally, this meeting should take place within a few days of the incident’s conclusion. Key questions to address include:


  • What events occurred and when did they occur?
  • How effectively did staff and management respond to the incident? Were documented procedures followed and were they adequate?
  • What information could have been communicated sooner?
  • Were any actions taken that may have hindered recovery?
  • What changes would be made by staff and management in future similar incidents?
  • How could information sharing with other organisations be improved?
  • What preventive measures can be implemented to avert similar incidents in the future?
  • What warning signs or indicators should be monitored to detect similar incidents in the future?
  • What additional tools or resources are required to better detect, analyse, and mitigate future incidents?

Real-World Application: Learning from Examples

Building an effective incident response plan and responding to cyber threats is a significant challenge for many organisations. As such, many of our customers opt for the hybrid team model, where our Telefónica Tech experts collaborate closely with the customer’s team, ensuring effective management of security incidents.

Customer: Private Security Company

A multinational physical security, consultancy, and alarm company operating in 26 countries, with annual revenues exceeding £3.5 billion and over 150,000 employees, faced a severe ransomware incident. This incident, caused by a 'Triple Threat' malware (Emotet + TrickBot + Ryuk), affected a significant portion of its infrastructure across multiple countries. The company sought DFIR (Digital Forensics and Incident Response) support services to coordinate with its internal security team for advanced containment and investigation. Telefónica Tech's DFIR team swiftly isolated the affected infrastructure, preventing the threat from spreading further. They then conducted a thorough forensic investigation to pinpoint the attack vector, identify patient zero, ascertain the tools used by the attacker, and ultimately restore the entity's services and infrastructure. To prevent future occurrences of this attack, Telefónica Tech implemented mitigating measures to secure the entity against these three malware strains.

Customer: Energy Sector

A global energy distribution and commercialisation business group, serving over 1.1 million users worldwide, faced a ransomware incident affecting multiple companies within the group. They urgently sought Telefónica Tech's DFIR support due to the incident's widespread impact and critical nature, being essential infrastructure serving the public. Telefónica Tech coordinated efforts across various parties involved, navigating infrastructures of different clients with shared services. Together, they identified patient zero and the malware variant (Cuba), as well as the attacker's actions, providing necessary recommendations. A post-incident investigation determined the scope of exfiltrated documents and information.

Customer: Government Public Body

A national public body providing essential services to citizens, with over 10,000 civil servants, an average annual budget of £30M, and more than 750 sites, faced encryption of its systems, resulting in a complete halt of services to citizens and significant reputational and operational damage. In response, this body urgently sought assistance from Telefónica Tech to restore operational activity swiftly and investigate the extent and source of the security breach. Telefónica Tech, in coordination with the administration's IT teams and part of the country’s national computer intelligence team, issued immediate guidelines to contain and eliminate the threat. This involved isolating compromised networks and communications and deploying EDR/forensic software. Through investigative actions, the team detected the security flaw exploited by the attacker, their lateral movements within the organisation, the tools used, and the ransomware deployed. The initial investigation identified the Ryuk ransomware variant and its scope: Windows systems in offices and web services were impacted.

Business Continuity Planning (BCP)

As this article outlines, responding effectively to a security incident can be challenging, but appropriate plans and preparation can mitigate many of the problems an organisation will face in the moment. However, the real challenge organisations face is knowing when to invoke incident response plans and understanding which plans are appropriate for the situation, as not all incidents an organisation faces will be cyber security incidents.


To this end, it is important for an organisation to have conducted appropriate business continuity planning. A business continuity plan helps identify potential risks and vulnerabilities that could disrupt business operations. By understanding these risks, organisations can develop strategies to mitigate them, reducing the likelihood and impact of adverse events.


Such plans are instrumental to an effective response to incidents, as they:

  • Minimise Downtime: A cyberattack can cripple core functions. BCP helps identify critical operations and outlines steps to get them back up quickly, reducing downtime and lost revenue.
  • Pre-defined Roles and Procedures: BCP establishes a clear chain of command, assigning roles for incident response, containment, and recovery. This eliminates confusion and ensures everyone knows their part.
  • Resource Allocation: BCP helps identify and allocate resources needed for recovery, like backup systems or personnel for manual processes. This prevents scrambling during a crisis.
  • Reduced Impact: By having a plan, organisations can respond faster and more efficiently, limiting the spread of the attack and potential damage.
  • Improved Recovery: BCP outlines recovery procedures for IT systems and data. This ensures a smoother and faster restoration of normal operations.

A cyber security incident response plan is a crucial component of any organisation’s defence against cyber threats. In today’s rapidly evolving digital landscape, the risk of cyber attacks is ever-present, making it imperative for organisations to be prepared to effectively respond to incidents as they occur. A well-developed incident response plan serves as a roadmap for navigating the complexities of cyber security incidents. It outlines clear procedures and protocols for identifying, containing, and mitigating security breaches, thereby minimising potential damage and disruption to business operations. Moreover, having a structured response plan in place can significantly reduce recovery time and associated costs in the aftermath of an incident.


However, the effectiveness of incident response planning hinges on its ability to adapt to the evolving threat landscape. With cyber threats constantly evolving, organisations must regularly review and update their response plans to ensure they remain relevant and effective. Regular reviews enable organisations to incorporate lessons learned from past incidents, adjust response procedures to reflect changes in technology or business operations, and stay abreast of emerging best practices in cyber security.


By proactively reviewing and updating their incident response plans, organisations demonstrate their commitment to mitigating cyber security risks and protecting critical assets. This proactive approach not only enhances their ability to detect, respond to, and recover from cyber incidents but also helps to instil confidence in customers, stakeholders, and partners regarding the organisation’s cyber resilience capabilities.

Ready to start planning your cyber incident response?

With our NextDefense cyber security portfolio we help you identify and mitigate security risks, with the intelligence you need to take the right action, at the right time to achieve organisational resilience.

  • Are your cyber resilience measures robust enough to respond effectively to threats and ensure data integrity and confidentiality?
  • Can you swiftly detect and respond to cyber intrusions, minimising operational impact and protecting your operations?


Contact Telefónica Tech today to improve your cyber incident response plan.
