Incident Response
Cyber is the latest buzzword in the media. There are many examples of the horrors of cyber attacks. There are also many
types of IT security incident that could easily be classified as a Cyber Security Incident.
- Serious Organised Crime
- State-Sponsored Attacks
- Extremist Groups (including Anonymous)
The main difference between cyber incidents and regular incidents appears to lie in the source of the attack (a minor criminal compared to a
major organisation or syndicate), not in the type of incident, e.g. hack, malware or social engineering.
Organisations are seldom adequately prepared for a serious cyber incident. They often lack budget, resources, technology or recognition of
the type and magnitude of the problem. In addition, they do not have software, testing, process, technology or people to handle
sophisticated threats such as Advanced Persistent Threats (APTs).
Preparing for a Cyber Incident
Research revealed that few organisations are prepared in terms of:
- People (Incident Response Team, technical experts, fast decision-makers)
- Process (knowing what to do and when to do it)
- Technology (knowing their own network, providing the right forensic evidence (logs etc.))
- Information (having info close to hand about business operations and policies, critical assets, dependencies etc.)
Responding to a Cyber Incident
Phase 1 - Prepare
- Conduct a criticality assessment
- Carry out a cyber security threat analysis
- Consider the implications of people, process, technology, & information
- Create an appropriate Control Framework
- Review your state Cyber Readiness Plan (CRP)
Phase 2 - Detect
- Identify the Incident
- Define objectives and investigate the situation
Phase 3 - Respond
- Take appropriate action
- Recover systems, data and connectivity
Phase 4 - Post Activity / Follow Up
- Investigate more thoroughly
- Report Incident to Stakeholders
- Carry out a Post-Incident Review
- Communicate and learn from the Incident
- Update Key information, controls & processes
- Perform trend analysis