“Hmm, that’s strange.”
In the scientific community, these words are thought of as the immediate precursor to the ‘Eureka’ moment when something amazing is discovered. In the information technology field, specifically in security, they usually mean something bad is happening.
So you’ve just seen something strange. Perhaps the logs on your VPN server show that a user who’s sitting right next to you has also just logged in from Hong Kong. Or someone on your customer service team notes that they can see an accounting file that no one should have access to. Or maybe that same accounting team is wondering why they can’t open anything and every folder on their shared drive contains the file ‘HELP_DECRYPT.TXT’.
Something strange has definitely happened. Is that strange thing a cyber incident? How do you decide? And what do you need to do in case you decide that it is?
The HIPAA security standard defines an incident as:
‘The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’ (HIPAA Regulation 164.304 – Definitions)
This is a fairly broad definition and could encompass almost any out-of-the-ordinary event on an information system in your organization. Just about anything, from discovering malware to identifying suspicious user activity, could be legally defined as a cyber incident under these standards. So how do you know when it’s time to implement a full incident response plan?
The correct answer is that it’s always time to implement your incident response plan.
In many cases, the nature of your incident could be such that the bulk of the response can be abbreviated. You won’t know this until the investigation begins, so that’s why you have to start every response the same way.
Incident Response Phases
Incident response is typically broken down into six phases; preparation, identification, containment, eradication, recovery and lessons learned. Most organizations mainly focus on containment, eradication, and recovery and completely skip lessons learned, but the truth is, that last phase is potentially one of the most important.
Preparation is as straightforward as making sure you have a trained incident response team, either employed, on retainer, or at least someone’s business card so you know who to call.
An incident is initially identified in any number of ways, leading you to start your response plan with only slight awareness of what the incident may be. The identification phase is meant to clear this part up. This phase also includes the investigation of the depth of the compromise, its source, and its success or failure.
Identification is done through review of log files... lots and lots (and sometimes lots and lots and lots) of log files.
In forensic log review, the systems which were involved in the compromise are investigated for additional evidence. This stage is where having security in place in advance, like SIEM, EDR, and other solutions that either integrate system logs or correlate them, can make a big impact on both understanding and properly containing a security incident. In addition to log review, investigation may also include looking through the hard drive and the memory stack at the time of the compromise.
The important consideration at this point is not to disrupt any potential evidence of the incident. This is where a well-trained response team can be the difference between a successful remediation or a repeat incident. A well-trained and equipped response team will be able to rapidly parse log files, review forensic images, and do so without damaging any evidence in the process.
Containment often happens concurrently with identification or immediately following. Damaged systems removed from production, devices are isolated, compromised accounts are locked down — the bleeding stops here.
Eradication is exactly what it sounds like. Removing and remediating any damage discovered in the identification phase. This is normally done by restoring systems from backup and re-imaging workstation systems.
It's important to note that proper eradication of a cyber infection should be done by trained professionals and should only be done after a comprehensive investigation into the incident is completed. Time and time again, small organizations will be quick to delete, restore, and re-image at the first sign of an incident before they've learned how the attacker got in or how much damage was really done. In many cases when systems are reset so quickly, the organization has no way of going back to learn what happened and, as a result, is often hit by the same type of attack again and again.
Recovery is the testing of the fixes in the eradication phase and the transition back to normal operations. Vulnerabilities are remediated, compromised accounts have passwords changed or are removed altogether and replaced with other more secure methods of access. Functionality is tested and day-to-day business resumes.
6. Lessons Learned
The last phase is the one that many organizations skip, but it’s arguably the most important to prevent future incidents. Lessons Learned involves reviewing the steps that were taken during each phase and improving both your incident response capability and your security footprint are the important takeaways from this phase.
If you rush to get back up and running but never stop to consider the implications of what caused the security incident, you may never improve your cybersecurity standing. Whether it was human error, security holes, or a flaw in a security product, your organization should review what went wrong and use the incident as a stepping stone to work toward a solution. Without this stage, you may find yourself running back through these steps again and again with every subsequent (preventable) incident.
The Lessons Learned stage is about taking security seriously and working toward future improvement wherever possible.
Incident responses are best performed by persons trained and equipped for it, with proven processes and full support from leadership within the business. In addition, with the advent of cyber insurance, it’s becoming more and more common for a full response to be required before a settlement can be made. If you're in need of incident response or are looking to build your organization's IR plan, reach out to a cybersecurity service provider to get the conversation started.
If you have any questions about cyber incident response or suspect you may be compromised, contact Ascend today. We’re here to help!
Published 2016, updated 1/14/2020.