Given sufficient time, resources, and motivation, a cyber threat group can breach any organization. While prevention is important, companies should treat data breaches as inevitable and ensure that they are prepared to handle them and minimize their impact.
According to the 2021 Cost of a Data Breach Report developed by Ponemon and IBM, the average cost of a data breach is $4.24 million. However, having an incident response (IR) plan in place is one of the best ways to drive down the cost.
Organizations with an IR team and a developed and tested IR strategy have an average data breach cost of $3.25 million. Failing to do so increases data breach costs by an average of 54.9% to $5.71 million. Given how much a data breach costs, it’s important for organizations to have an incident response plan in place and tested to minimize cost, damage, and impact.
Incident response is the process of detecting, investigating, and remediating a security incident. Having an incident response plan and team in place is important because a rapid response to an incident reduces the overall cost and impact of the event.
A company may structure its incident response teams in various ways, including:
An organization may have an in-house security team, outsource these capabilities to a third-party provider, or pursue a hybrid model. Often, this decision is based on an organization’s resources and its ability to retain the necessary incident response expertise in-house. Whichever option an organization chooses, what matters most is that it has a plan for dealing with security incidents. Here’s a helpful framework based on NIST guidelines.
An organization’s incident response plan should start before an incident occurs. Preparation is essential to ensuring that an organization can rapidly detect and respond to an attack. Some key steps that an organization should take to prepare for future security incidents include:
Before you can respond to an incident, you need to know that it is happening. This is why implementing detection and monitoring solutions is such a critical part of the preparation process. The faster that you identify that an incident is occurring, the lower the cost to the organization. Catching an attack early can help mitigate the cost and impact of major attacks.
Some major contributors to the cost of a cybersecurity incident include:
In addition to detection, forensic analysis is a critical component of the incident response process because it provides important data about the incident that can prevent future incidents. Via forensic analysis, you can:
Detecting security incidents requires visibility across an organization’s infrastructure and the ability to collect and analyze security data. Many detection tools can also support forensic analysis, to learn more about the actions taken by an attacker. Solutions that an organization should have in place to help with detecting a potential compromise or other anomalous events while also providing key forensic analysis capabilities include:
Putting these solutions in place before an incident occurs is a proactive move that can help you to more quickly and effectively respond to an incident, driving down the cost and impact to the organization.
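As an added illustration of what "collecting and analyzing security data" looks like in practice (this is example code, not from the original post or SolCyber), the block below runs one detection rule over a handful of constructed authentication log lines: it flags a source address that records several failed logins followed by a success within a short window, and returns that source's full event timeline so responders have forensic context rather than a bare alert. The sshd-style log format, the field layout, the 3-failure threshold and the 5-minute window are all assumptions; the log lines themselves are made up.

```python
"""Added example (not from the original post): a small detection rule run over
constructed auth-log lines. It flags a source IP that records several failed
logins followed by a successful one within a short window, and returns the
event timeline for that source so responders have forensic context."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not real data); an sshd-style format is assumed.
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for admin from 203.0.113.5 port 5001
2024-03-01T09:00:03 sshd[102]: Failed password for admin from 203.0.113.5 port 5002
2024-03-01T09:00:05 sshd[103]: Failed password for root from 203.0.113.5 port 5003
2024-03-01T09:00:06 sshd[104]: Failed password for admin from 203.0.113.5 port 5004
2024-03-01T09:00:09 sshd[105]: Accepted password for admin from 203.0.113.5 port 5005
2024-03-01T09:00:10 sshd[106]: Failed password for alice from 198.51.100.7 port 6001
2024-03-01T09:00:15 sshd[107]: Accepted password for alice from 198.51.100.7 port 6002
2024-03-01T12:00:00 sshd[108]: Failed password for bob from 192.0.2.9 port 7001
2024-03-01T12:00:01 sshd[109]: Failed password for bob from 192.0.2.9 port 7002
2024-03-01T12:00:02 sshd[110]: Failed password for bob from 192.0.2.9 port 7003
2024-03-01T12:00:03 sshd[111]: Failed password for bob from 192.0.2.9 port 7004
2024-03-01T12:00:04 sshd[112]: Failed password for bob from 192.0.2.9 port 7005
"""

# Assumed line layout: "<iso-timestamp> sshd[pid]: <Failed|Accepted> password for <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_auth_log(text):
    """Turn raw lines into (timestamp, src, user, success) tuples, sorted by time.
    Lines that do not match the expected layout are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["user"],
                       m["result"] == "Accepted"))
    events.sort(key=lambda e: e[0])
    return events


def detect_brute_force_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag each source with at least `threshold` failures followed by a success
    inside `window`. Returns {src: timeline of (iso_timestamp, user, outcome)} so
    the alert carries the surrounding events an analyst would want to see."""
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))
    alerts = {}
    for src, evs in by_src.items():
        for i, (ts, user, ok) in enumerate(evs):
            if not ok:
                continue
            # Failures from this source that precede the success and fall inside the window.
            recent_failures = [e for e in evs[:i] if not e[2] and ts - e[0] <= window]
            if len(recent_failures) >= threshold:
                alerts[src] = [(t.isoformat(), u, "success" if o else "failure")
                               for t, u, o in evs]
                break  # one alert per source is enough for this rule
    return alerts


def run_sample():
    """Run the rule over the constructed log; only 203.0.113.5 should be flagged."""
    return detect_brute_force_success(parse_auth_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, timeline in run_sample().items():
        print(f"ALERT: {src} - {len(timeline)} events from this source")
        for ts, user, outcome in timeline:
            print(f"  {ts} {user:8s} {outcome}")
```

Note the two sources that are deliberately not flagged: 198.51.100.7 has one failure before its success (an ordinary typo), and 192.0.2.9 has five failures but never succeeds, which this rule ignores on purpose. A sustained-failure rule would be a separate detection with its own threshold; keeping rules narrow is what keeps the alert volume low enough that the team actually investigates what fires.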
The details of containment, eradication, and recovery can vary from one attack to another. For example, restoring data encrypted by an attacker requires different actions than addressing a data breach (even if it’s by the same attacker).
However, some steps remain the same across different types of attacks. For example, incident response should begin with containing and isolating the infected host and removing the attacker’s access, whether by deleting malware, cleaning an infected device, or revoking a compromised user account’s access.
Containment is an important step in the incident response process. Containment limits the damage that an attacker can do by restricting their access to an organization’s systems.
However, containment must be done carefully to avoid tipping off the attacker. If an attacker detects containment efforts, they may attempt to install a backdoor or move laterally to avoid containment, making the incident more difficult to remediate.
Depending on the types of tools and resources you have access to, you can remove the attacker’s access to your systems and ensure that any malware they’ve installed is completely removed from all devices and systems. This will typically involve removing network access by:
After the threat has been contained, you can turn your focus to eradicating it and restoring affected systems to normal operations. The actions taken at this stage depend on the incident and might include:
Incident response doesn’t end with removing the attacker and restoring systems. After the threat has been handled, incident response teams should take action to help prevent incidents and improve incident response in the future.
Over half of companies suffer repeat attacks from the same attackers. If you’ve performed a forensic investigation and know what caused the issue, this is the time to close that security gap. Common post-incident remediation actions include:
This is a crucial step – attackers are always looking for low-hanging fruit and easy targets. If they can regain access to your organization with the same techniques they used before, they definitely will.
A security incident can affect stakeholders both inside and outside of the organization. Depending on the severity of the incident, multiple parties may need to be notified, and those notifications should describe:
Preparing and sending these reports will likely require collaboration across multiple departments in the organization, including legal, IT, public relations and communications, finance, executives, and more.
These disclosures are especially important if required under law or regulations. Any such reporting requirements should be identified during the preparation stage.
There is always room for improvement in an incident response plan. After the response is complete, the team should perform a retrospective to identify:
This is an iterative process that should be considered after every incident to further improve your incident response. This will enable faster, smoother responses that limit the cost and impact of a breach on the organization in the future.
SMEs need to know what to do in case of a compromise. This will help speed up reactions and responses and ultimately minimize damage.
For many of these steps, a company may want to enlist the services of vendors or key cybersecurity partners like a modern MSSP, who can help with investigation, remediation, and recovery. Talk to SolCyber to find out how we can help!