A Complete Guide to Cyber Incident Response

Expert insight from our head of cyber incident response

Cliff Martin has extensive experience in the defence industry, where he dealt with both operational technology and IT complexities.

Before that, he taught computer systems and network technologies in further and higher education.

Now, as our head of cyber incident response, Cliff supports clients with their cyber security requirements. He also recently obtained a new certification: GCFE (GIAC Certified Forensic Examiner).

In this interview

What must organisations think about first?

Before we can prepare a cyber security incident strategy, we must first understand what we’re defending and where our biggest risks are.

This is why I suggest organisations start with a risk assessment, asset management and a business impact assessment.

That should include, but isn’t limited to identifying:

  • What assets you’re protecting;
  • Where those assets are;
  • What your priorities – or ’crown jewels’ – are; and
  • What security controls you already have in place.

Before doing anything else, understand what you’re working with. As an analogy, you can’t protect a building without knowing where all the doors and windows are.

Likewise, you must figure out where your biggest risks are, then implement appropriate controls to mitigate them. You want to reduce the likelihood and/or impact of a threat actor gaining access to the environment.

You previously said that security breaches are a matter of when, not if

Yes. Organisations must assume their defences will, at some point, fail. Threat actors will always discover new ways to compromise IT systems.

When we work with clients, we always say that no cyber security control is 100% secure. That’s just the unfortunate reality.

With that in mind, try to put multiple controls in place – think defence in depth.

Don’t just implement a control to prevent access, but also think about detection. In other words, a mechanism that tells you when an intruder may have gained access to your systems.

Your security controls should provide enough time for your team to detect and respond to an attack before the damage is done. The quicker you can detect and respond to an attack, the less time the threat actor gets to achieve their objectives.

Also, these kinds of monitoring systems can provide a wealth of information when investigating the root cause of an incident.

What cost-effective preventive measures do you recommend?

Just the basic measures organisations often overlook:

  • Firewalls.
  • Good password practices by technically enforcing strong passwords. Organisations can also help staff use unique passwords for different accounts by encouraging password managers.
  • Enabling MFA [multifactor authentication] where possible.
  • Regular patching and secure configuration across the environment. This should include network segmentation, system hardening and managing legacy applications.
  • Staff awareness training. A staggering number of organisations don’t bother with this, but do implement expensive technological solutions. With phishing attacks so common now, even basic elearning gives you good value for money. This training must cover, among other things, what users should do if they suspect a cyber security incident.
  • Documented policies and procedures. These help ensure staff are consistent in their approach to doing business.

What about detective measures?

For starters, you must understand what normal user behaviour looks like. For example, do users normally log into the network at 1:00 am?

By understanding what ‘normal’ looks like, we can detect abnormal or malicious behaviour, with the help of appropriate tools.

Look at network security monitoring solutions like an IPS or IDS [intrusion prevention system, intrusion detection system]. EDR [endpoint detection and response] solutions are also good.

In addition, ensure that systems are logging system activity, so they can forward them to a centralised SIEM solution or SOC [security information and event management, security operations centre].

These types of automated tools are a great help, as they can process a lot of information to detect suspicious activity in real time. However, where something is detected, you need staff who are trained to review, escalate and respond as needed.

Which brings us to response. What must organisations consider first?

You need a cyber incident response plan. But for that plan to work, you need that monitoring capability.

The most challenging part of response is the ability to detect malicious activity. The sooner you can do that, the better off the organisation will be, because you minimise potential impact.

Think about:

  • Which parts of your network are and aren’t you monitoring?
  • Where and what are the cyber security risks?
  • Who’s analysing your event logs, and can they determine whether something malicious is occurring in the environment?
  • How does a suspected incident get escalated to the cyber incident response team?

These are the types of questions you must answer in your response plan.

Why is the cyber incident response plan so important?

The plan provides a consistent approach when responding to a cyber security incident.

Staff should follow it regardless of the type of incident you’re dealing with.

The plan should also be supported by threat-specific playbooks. You’d respond differently when facing a phishing email rather than a DoS [denial-of-service] attack, for example.

Technology is essential to any defence system, but not terribly effective on its own. As mentioned earlier, it’s not a case of if, but when. You need to be ready to respond as necessary.

As an example, if you don’t have someone who can follow up on your automated alerts, you may as well not have them. If your technology tells you something might be wrong, you need to act.

So, people and processes come into play, meaning:

  • Put procedures in place;
  • Assign roles and responsibilities; and
  • Develop communication plans.

These are all things to cover in your incident response plan.

How can organisations further improve their response plan?

Suffering an incident is stressful and can lead to bad decisions. During an incident is not the time to be putting your plan together.

Therefore, be sure to document your plan before an incident. That way, you make the right decisions quickly in situations where time is of the essence.

Also, test your plan – don’t overlook the value of tabletop exercises. To truly know whether your plan works, you must try it out.

This also helps key stakeholders understand their roles and responsibilities if a real incident occurs.

In addition, provide members of the cyber incident response team with the necessary training for their role during a response.

What training do staff with incident response roles or responsibilities need?

That depends on the individual’s role in the team.

Cyber incident response is not an IT issue, but a business issue requiring input from a wide range of stakeholders.

At a minimum, training should cover:

  • What constitutes an incident;
  • Responsibilities during an incident response;
  • Activities for ensuring compliance with regulatory or legislative requirements;
  • How, when and to whom an incident should be escalated; and
  • How to handle, store and process evidence in a forensically sound manner.

Is that a common issue? Not recognising something as a potential incident?

We do often see that. Different people in an organisation have different opinions on the definition of an incident.

In many situations, differing views are great. But in an incident response context, the organisation needs to ensure a consistent definition and approach, so staff training can cover it clearly.

You really need to teach people how to recognise the abnormal stuff. And to report it to someone adequately trained. Whoever triages must know both what to look for and how to handle it securely, to ensure that the organisation is taking the right actions from the start.

When is it better to have or develop that technical expertise internally, and when is it better to outsource?

It depends on:

  • Your organisational size;
  • The complexity of your systems; and
  • Your internal capabilities.

If you’re a smaller organisation, it’s unlikely you have the internal capability. More complex organisations would probably also benefit from outsourcing all or some of the capabilities – digital forensics, for example.

If you do decide to outsource, it’s best to have that external expertise on retainer. That way, you can be sure they understand your environment – having a good relationship before an incident occurs helps minimise the impact.

It also saves precious time when you do suffer an incident. Having someone on retainer ensures they can react immediately, without sorting out contracts and other paperwork first.

That’s something we see quite a lot when someone only gets in touch after suffering a cyber attack or data breach. They must then first deal with all the paperwork before we can spring into action, which only adds to the stress of the situation.

So, the benefit to having the expertise internally is that they’re already familiar with the environment?

Yes. They don’t need to get up to speed with what the environment looks like first, but can immediately start triaging and investigating.

But you’d get the same benefit by having an external team on retainer. Better still, because they’re independent of your organisation, they can get on with the response while your internal teams concentrate on business continuity.

A retainer is also cheaper than calling an expert in after the incident happened. The service cost is lower, as well as the cost of the incident itself, because your experts can spring into action quicker.

Using external expertise also means relying on people for whom responding to incidents is an everyday occurrence. They’ll know exactly what actions to take, and won’t allow their skills to become rusty. In fact, they make a point of keeping up with industry news and trends.

That’s completely different from an internal capacity, whose day to day likely involves other tasks. That makes them less comfortable dealing with an exceptional situation like a security breach.

Want to find out more about our annual retainer?

Have peace of mind that you know exactly who to call for help when a cyber incident occurs.

Get priority access to our 24/7 specialist cyber incident response team.

What skills are specific for incident response? That an internal person is unlikely to use day to day?

Again, they keep up with, and have a deep understanding of, the latest threats. That gives them the ability to quickly detect and respond to these threats.

More specialist capabilities include:

  • Digital forensics;
  • Malware analysis; and
  • Threat hunting.

These often require expensive training and significant effort to keep up, as the latest approaches keep evolving.

In fact, due to cost, these are often – unfortunately – not conducted in cyber incident response. This is a mistake, because if you don’t understand what happened, how it happened, or when it happened, it makes the incident response procedure much more challenging. It’s not enough to just get your business up and running again.

Do you have a real-world example of that?

We’ve assisted multiple clients who were targeted more than once by the same threat actor.

In a recent example, we worked with a client who had been compromised with a ransomware attack. They decided not to pay – fair enough, by the way – and restored all their services without investigating the root cause.

They got hit a second time just two weeks later, wiping everything out again.

Which brings home the point: you must understand and remediate the initial vulnerabilities before declaring the incident response complete:

  • Investigate how the attackers got into the environment in the first place.
  • Check for back doors and persistence mechanisms, such as scheduled tasks, new users, new processes, etc.

Ensure you’ve closed your vulnerabilities, or the threat actor may well just hit you again.

Ending up back where you started is hugely disruptive. The financial and reputational impact is also massive. Think about it: journalists love writing about the ones attacked twice in quick succession.

What’s the first step when responding to a cyber security incident?

The first step is always to confirm whether the incident is real, and if so, to determine the scope and potential impact. Detection and analysis – or ‘triage’, if you prefer. [According to NIST SP 800-61 Rev. 2.]

You might not be able to answer all questions initially, and that’s okay. But as the investigation continues, you must continue to reevaluate the situation and risks to the organisation.

Also think about any relevant reporting requirements you might have, such as under:

  • The GDPR [General Data Protection Regulation];
  • The PCI DSS [Payment Card Industry Data Security Standard];
  • The NIS Regulations [Network and Information Systems Regulations]; and/or
  • DORA [Digital Operational Resilience Act].

The set of requirements for incident reporting is expanding. Moreover, organisations must report them quickly – often within 72 hours of discovery, sometimes within just 24 hours, so you’ll need to act fast.

What else should organisations do during the first stage of their response?

It’s best practice to isolate the compromised device and/or network segment to prevent further damage. We recommend simply isolating the device from the rest of the environment.

Also, if already on, don’t power off the device.

If you do power it off, you could lose critical evidence that’s only stored within the device’s memory [RAM]. Some malware only runs in the memory, with very few artifacts stored on the hard drive. That limits what we can discover during any forensic investigation. The memory occasionally also stores ransomware decryption keys.

However, if your device is already powered off, don’t switch it on. That makes changes to the system that could overwrite logs or other evidence.

What does a digital forensics investigation involve?

A digital forensics investigation will aim to answer questions like:

  • How did the threat actors gain access?
  • When did the threat actors gain access?
  • What did the threat actors do once they got into the IT environment?

Any digital forensic investigation should be conducted by someone who is trained to do so, because any evidence they uncover might be used in future prosecutions.

The output of this investigation may also lead to follow-up actions such as malware analysis or threat hunting. That’s proactively looking for undetected threats in the network.

After completing the detection and analysis stages, what comes next?

Next, we can contain the incident.

The output of the initial stages, including the forensic investigation, will provide details as to what should be done next to contain the situation.

The actions may be short-, medium- or long-term containment, depending on the type and the complexity of the incident.

For example, you may need to isolate a critical service while the investigation is ongoing. You may also need to engage with third-party providers, such as Cloud service providers. They could, for example, give you access to vital logs or isolate the service for you.

What comes after containment?

We move into the eradication and recovery stages.

That can involve replacing or rebuilding compromised systems, which takes time and may have an impact on legacy applications. That process may include, but definitely isn’t limited to:

  • Restoring and securing base systems;
  • Restoring data from backups (following verification of integrity); and
  • Scanning for known vulnerabilities.

Also, we need to test any recovered systems for functionality and security, before reintroducing them into the IT environment.

Once introduced, we monitor them for a period – ideally, at least a week – to make sure the threat actors haven’t returned.

The indicators of compromise discovered during the investigation help inform us what suspicious activity we’re monitoring for. For example:

  • Specific network connections from suspicious IP addresses or domains;
  • Running applications and related services; and
  • Compromised user accounts.

What happens after the recovery?

Once you’re satisfied that you’ve fully remedied the situation, do a post-incident review:

  • What happened?
  • How did it happen?
  • What was the impact?
  • What went well in the response?
  • What could have gone smoother?
  • How can we improve for next time?

In short, establish and implement the lessons learned. This will only improve your ability to protect against, detect and respond to future cyber security incidents.

Should that sort of information also be shared externally?

Yes! We all have a part to play when it comes to cyber security, so it’s important to contribute to threat intelligence.

For example, take the ransomware attack on the British Library last year.

It recently released a report to the public, which talks about what happened, how it happened and what the Library learned from it.

It’s a great resource. Everyone responsible for cyber security and incident response should read it.

Find out how we can help

GRCI Law works 24/7 to cover you any time of the day or night.

We take a pragmatic approach to assessing and managing your data privacy needs. We align standards and best practices with your operational and business requirements.

And, unlike other organisations, we are a specialist legal consultancy – we only advise on cyber security and data privacy.

Ready to learn how our experienced team of cyber security specialists and qualified lawyers can help?

We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. We’ll be back on Friday, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s blog with Andrew Pattison, head of GRC consultancy at IT Governance Europe. He gave us his expert insights into pragmatic ISO 27001 risk assessments.