Incident Response

Cyber the latest buzzword currently in the media. There are many examples about the horrors of cyber attacks. There are additionally many types of IT security incidents that could easily be classified as a Cyber Security Incident.

Serious Organised Crime
State-Sponsored Attacks
Extremist Groups (including Anonymous)

The main difference between cyber incidents and regular incidents appears to lie in the source of the attack; minor criminal compared to a major organisation or syndicate. Not the type of incident e.g.. Hack, Malware or Social Engineering. Organisations are seldom adequately prepared for a serious cyber incident. They often lack budget, resources, technology or recognition of the type and magnitude of the problem. In addition, they do not have software, testing, process, technology or people to handle sophisticated threats such as Advanced Persistent Threats (APTs).

Preparing for a Cyber Incident

Research revealed that few organisations are prepared in terms of:

People (Incident Response Team, technical experts, fast-decision makers)
Process (knowing what to do, when to do)
Technology (knowing their own network, providing the right forensic evidence (logs etc))
Information (having info close to hand about business operations and policies, critical assets, dependencies etc)

Responding to a Cyber Incident

Phase 1 - Prepare

Conduct a criticality assessment
Carry out a cyber security threat analysis
Consider the implications of people, process, technology, & information
Create an appropriate Control Framework
Review your state Cyber Readiness Plan (CRP)

Phase 2 - Detect

Identify the Incident
Define objectives and investigate situation

Phase 3 - Respond

Take appropriate action
Recover systems,data and connectivity

Phase 4 - Post Activity / Follow Up

Investigate more thoroughly
Report Incident to Stakeholders
Carry out a Post-Incident Review
Communicate, and learn from Incident
Update Key information, controls & processes
Perform trend analysis