Cyber resilience – 5 steps firms can take to avoid a breach escalating into a crisis

Rob Floodeen, VP of Consulting, Mitiga

 

Cyberattacks are constant and security breach incidents inevitable. Cyber resilience strategies must include incident response plans that enable you to assess and respond to a breach quickly. Well-informed, fast and effective decisions are essential to protect your organisation from serious harm.

Cyber resilience is one piece in your overall resilience strategy. It includes a blend of people, processes, technology and governance. The intent of Cyber Resiliency (CR) is to create an adaptive capacity in your financial organisation’s IT (cyber) systems that aligns to the business objectives. There are many models that describe CR, including the CERT Resilience Management Model, IT Governance Cyber Resilience and UK NCSC 10 steps to cyber resilience. As cyberthreats continue to increase, it is important to build resilience into your organisation, including incident response capabilities.

Here are five steps organizations can take to reduce the risk of an incident escalating into a crisis.

1. Communicating

Good communication is essential to an effective breach response. Having a robust communication plan can help your business increase its resilience to a critical cyber incident. Here are a few steps you can take today to ensure that your communication capabilities are in place if an incident occurs tomorrow:

  • Plan appropriate communications for multiple types of stakeholders, from internal response team members to the public.
  • Understand the timing, messaging and medium for each type of stakeholder.
  • Communicate information clearly, concisely and factually.
  • Share only relevant information and only when necessary.

2. Inspecting the enterprise for incident-related data

Failing to gather the information needed to evaluate an incident and inform decision-making is a common weakness in cyber resilience. To increase your resilience, plan ahead by ensuring that you have visibility into your environment, are retaining relevant forensic artefacts and have developed the skills needed to lead an investigation. Begin building these skills by conducting exercises that help you think through the steps of an investigation and response.

3. Evaluating possible incident impacts

While turning your incident-related data into information, evaluating how that information affects your organisation is key to making decisions rapidly. To ensure that you have the information your evaluations depend on, take these five steps:

  • Understand what your critical assets are and whether you are collecting data that would be relevant in the event these assets were impacted in an incident.
  • Have the information needed to compare the current state to prior known good states (for operating systems, scripts, functions and so on).
  • Understand the potential impacts of a breach to key business functions.
  • Identify and understand abnormal changes.
  • Maintain threat scenarios to provide context to the above items.

4. Confidence in decisions

The primary role of leadership during an incident is making decisions. To increase your ability to make confident decisions quickly, follow a process that is easy to understand, clearly communicated and evaluates the quality of the information generated by the previous three steps. Use a standard process that helps you prioritise your efforts and understand when the best available information will arrive.

Here is an example process:

  • Declare the two to four key objectives of the response.
  • Construct supporting actions under each objective into Lines of Effort (LoEs).
  • Each LoE records a standard set of data: the LoE name, current status, next steps, an assigned leader and the current answer for the LoE.
  • Add confidence levels (low, moderate, high) on your ability to improve your answer within a specified time (capped at 30 days).
  • Finally, compile the confidence levels, answers and time period into an estimate for answer improvement (if possible) at the objective level.

A process like this provides confidence in the current status, future status and quality of progress on objectives. For example, if you know that the answers for an objective have a current low confidence level, the objective requires 30 more days of effort to complete, but very likely the confidence level will remain low, then now is the time to make decisions, not 30 days later when the effort is completed.

Your decisions also require an understanding of regulatory, jurisdiction and other third-party requirements; Business Continuity/Data Recovery capabilities; customer and product production impacts; and operational crisis communication systems.

5. Responding

None of these phases happens independently of the others. There are some immediate response activities, but most of the major response actions occur in consultation with the prior phases. Here are a few critical response capabilities:

  • Have an agreed list of who would become incident commander, depending on the nature of the breach. The role requires an individual with comprehensive knowledge of business, customer and key system downtime impacts.
  • Have a pre-defined set of actions that an incident commander can take.
  • Harden your environment to prepare for evicting threat actors or closing down the attack surface(s).
  • Prepare your environment for eviction, such as enabling isolation for critical application(s) or system(s).
  • Know how to evict threat actors.
  • Be able to monitor your environment for new or continuous suspicious activity.

Preparing for an incident increases resiliency

Increasing your cyber resilience requires robust communication and inspection of your enterprise to ensure you have the visibility and information needed to investigate. It requires the ability to evaluate the impact of a potential incident — and then make informed decisions quickly so you can respond appropriately. Getting it right enables your financial organisation to recover rapidly and prevent a breach from escalating into a crisis.
