Preparation for incident response can often be over looked until its too late. There is a reason incident response is a best practice and a requirement for most cybersecurity compliance frameworks as well as an often questioned on vendor due diligence forms.
The recent incidents with CDK Global and United Health’s Change Healthcare multi-week outages from ransomware both resulting in 10’s and 100’s of Millions in losses + ransom payments or the recent Microsoft outages in July including O365 and Azure with a botnet DDOS attack and the entire industry from a bad update combined CrowdStrike and Microsoft Update Service are really good examples of why incident response and readiness prep are not just a good idea, but should be an essential practice for every organization.
ControlMap includes an Incident Response Policy template along with Responsibility Matrix to assign responsible parties for objectives and Risks to Manage and consider alongside your chosen framework objectives that align with your industry but what really should be considered with Incident Response?
Below are a few considerations and we invited seasoned ControlMap Admin Itza White as a special guest to share how her company takes incident response a step further with Table Top Exercise to test, learn and prepare for various incidents.
The recording to the Itza’s Table Top Exercise overview can be found here: July 2024 Table Top Exercise Recording
Incident Response Steps to consider:
When responding to a cybersecurity incident, organizations should follow a structured set of steps to effectively manage and mitigate any potential damage. Here is a summary of typical incident response steps to consider:
-
Preparation: Establish and train an incident response team, develop an incident response plan, and ensure all necessary tools and access controls are in place.
-
Identification: Detect and determine the nature of the incident. This involves monitoring systems and networks for signs of a security breach and promptly identifying the type of threat.
-
Containment: Once an incident is identified, quickly contain the threat to prevent further damage. Short-term containment may involve isolating affected network segments. Long-term containment involves implementing more permanent solutions such as system upgrades or patches.
-
Eradication: After containment, remove the root cause of the incident and any related malware or vulnerabilities from the environment. This step often involves deep system analysis, removing affected components, and strengthening system defenses.
-
Recovery: Restore and validate system functionality for business operations. This includes restoring systems from clean backups, monitoring for anomalies to ensure no remnants of the threat remain, and gradually returning to normal operations.
-
Lessons Learned: After resolving the incident, conduct a post-incident review. Document everything from how the incident occurred to the effectiveness of the response. Update the incident response plan to reflect lessons learned and improve future response efforts.