Initial incident response - When do you need it?
If you even suspect your organization has experienced a cyber incident, three questions will immediately come to mind. Did we actually experience a cyber incident? Is it a critical incident? What do we do now?
Before you jump into action, you’ll want to answer the first two questions. The trigger could be from any number of sources, such as your event management application like ServiceNow or SolarWinds, or even from a user who can no longer access their data. You’ll want to work with your security operations center (SOC) or your security and technical teams to confirm the alert is, in fact, a cyber incident. You don’t want to launch your incident response procedure only to discover it’s a false positive.
Next, you’ll want to determine the incident’s severity. If critical systems or sensitive data are involved, it should be considered a critical security incident, and you’ll want to follow these six preliminary steps to protect your organization, minimize the damage and restore systems to normal operation as soon as possible.
Initial incident response procedure
Step 1 Contact legal counsel
You should have already engaged legal counsel with privacy and data security expertise before an incident occurs. Legal counsel can advise you on federal and state laws that may be triggered by a cyber incident. This is particularly true in the case of a data breach. Having external counsel can also provide additional protection in the form of attorney-client privilege.
Step 2 Assemble your incident response team
Your minimum incident response (IR) team should consist of the IR team lead (or external IR firm to lead the incident response procedure), technical leads, executive leads, legal counsel and public relations. The IR team will help you address the incident across the entirety of your organization.
Step 3 Determine your insurance coverage
Cyber insurance helps organizations mitigate cyber incident liability exposure by covering some or all of the costs associated with a cyber incident. If you have cyber insurance, determine your coverage and make sure counsel is involved. Keep in mind that, although sources differ, “the average cost of a data breach incident to large companies is over $3 million.” So if you don’t currently have coverage, it’s a good idea to start looking before a cyber security incident occurs.
Step 4 Establish a command center
Establish the cyber incident command center to lead and direct mobilization and response to the security incident. It is the location of the recurring status meetings and the central location where the incident will be triaged. Primary and backup locations for the command center should be established ahead of time so that all resident members of the IR team know where to congregate. Secure remote access that is out of band from the normal environment is essential as well, so that responders can coordinate even if the primary network or its identity systems are compromised or taken offline during containment.
Step 5 Invoke the emergency communications plan
The emergency communications plan outlines the roles, responsibilities, incident response procedure and protocols that guide the company in promptly sharing information with all stakeholders during a critical security incident. It ensures that facts are communicated as quickly and accurately as possible. If you announce that you’ve had an incident prematurely, there may be regulatory and legal liability issues.
Step 6 Set up a recurring status meeting
Until the incident is resolved and a post-mortem is done, you’ll want to establish a recurring meeting, usually daily, to keep all stakeholders apprised of the status of the cyber incident. Communication can be done in person and via remote communication technology.
Beyond step 6, follow the typical incident response procedure
Beyond the six steps detailed above, your team should respond in the typical manner, which includes containment, eradication, recovery and lessons learned. These are important steps and make up the heart of the initial incident response procedure.
This article covered the six steps you should take after you discover a critical cyber incident, but the truth is, most of these are steps you need to prepare for ahead of time, before the incident occurs: acquiring cyber insurance, identifying your command center, and establishing relationships with third-party service providers, including legal counsel and incident response professionals.
If you’d like to speak to an incident response professional about putting an Information System Security Plan in place so that you’re prepared for a cyber incident, reach out to the folks at Cyber Defense Group. In just four short years, CDG has protected over 300 companies, helped recover from more than 100 data breaches, and protects more than $10 billion in revenue.
Contacting CDG is the step that comes before these six steps.