Cyber Security Incident Response
7Safe is a CREST registered Cyber Security Incident Response provider
CSIR Phase 1 - Prepare
Phase one of our model comprises the stages described below:
7Safe can assist your organisation with the preparation for a cyber occurrence. This will involve a cyber security risk assessment that comprehensively reviews your documented policies, procedures and standards to identify cyber vulnerabilities and determine your state of readiness.
To be effectively prepared, you should be able to determine the criticality of your key assets, analyse the threats to them, and implement a set of complementary controls that provides an appropriate level of protection. Having considered the implications for people, process, technology and information, you can then update your cyber security response capability and review your state of readiness.
Cyber goals should align with business goals and be approached within a business context.
A cyber risk assessment will compare your company’s current cyber programme and capability against proven cyber security frameworks such as NIST and CREST, which include evaluation against industry best practice and procedures.
- Identify security gaps
- Determine cyber security priorities
- Develop reasonable security measures
Once a cyber risk assessment has been completed, the implementation of a zero-cost framework agreement with the client will be discussed.
Many organisations do not have adequate policies, processes or methodologies (if they have any at all) to help them respond to cyber security incidents effectively. They struggle to know what to do, how to do it, who to contact – and can even compromise investigations by their actions.
To help tackle cyber security incidents in an effective and consistent manner, you should develop an appropriate strategic approach, backed up by a formal cyber security incident response process, which should include:
- Identifying cyber security incidents
- Investigating the situation (including triage)
- Taking appropriate action (e.g. contain incident and eradicate cause)
- Recovering systems, data and connectivity.
The process (which is covered in more detail in ‘Responding to a cyber security incident’) should state who should be responsible for each step, how it should be carried out and who to contact for support. Finally, you should ensure that the process has been signed off by appropriate management and test it thoroughly on a regular basis, using a range of different scenarios.
CREST’s research programme has identified that nearly all organisations are likely to use a standard security incident management process, but with cyber security attacks often being dealt with by a major incident response team (or similar). Whatever approach is adopted, a clear methodology and plan should be established to help you respond to cyber security incidents in a fast, effective, consistent manner.
Whilst every situation is unique, there are commonalities that allow for a standardised plan that you can proactively implement and adapt as needed. The plan should be sufficiently comprehensive and agile to cover, and adapt to, many different scenarios, often meaning that it will need to be written at a higher level.
However, standard incident response plans can be a difficult topic for suppliers of cyber security incident response expertise, because responding to an incident is seldom a linear set of steps and is more often a series of decisions.
Project research revealed that the biggest IT infrastructure challenge faced by organisations when making the arrangements to help them prepare for a cyber security incident is in failing to log the right events or turn on the appropriate logging features.
Many organisations have vastly insufficient logging, archiving, correlation and simulation capabilities. For example, when handling a cyber security incident, historical data can be very important as attacks have often been taking place over an extended period of time – but logs (if they record the right things at all) are often incomplete or do not adequately cover past events.
Effective logging saves your organisation time and money if you experience a cyber security incident. It can also be very helpful as part of a defence (or prosecution) in a court case. You should therefore:
- Establish logging standards and procedures
- Configure systems to record the right events
- Monitor these events effectively
- Maintain sufficient historical data (as logs can be overwritten or have insufficient storage space)
- Make appropriate event logs available to investigators in a suitable format
You should combine key information from as many of the different logs as possible into one central repository, such as a Security Information and Event Management (SIEM) system. Evidence of an incident is often spread across several logs that each contain different types of data, for example:
- A firewall log may record the source IP address that was used, whereas an application log may contain a username.
- A network IDS sensor may detect that a cyber security attack was launched against a particular host, but it may not know whether the attack was successful; an investigator may need to examine the host’s own logs to determine that.
Correlating events among multiple indicator sources can be invaluable in validating whether a particular incident occurred.
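The correlation described above, as an added example that is not 7Safe's or CREST's code: an IDS alert is joined to the firewall and application logs for the same source IP and target host to establish whether the attack got through and which usernames the attacker then used. The log formats, hosts and addresses are constructed for illustration only.

```python
# Added example (not 7Safe's or CREST's code): join an IDS alert to the
# firewall and application logs for the same source IP and target host.
# All log lines and formats below are constructed for illustration.
import re
from datetime import datetime, timedelta

FIREWALL_LOG = """\
2024-03-01T09:58:10 fw01 action=ACCEPT src=203.0.113.45 dst=10.0.0.7 dport=443
2024-03-01T09:58:12 fw01 action=ACCEPT src=198.51.100.9 dst=10.0.0.7 dport=443
"""
IDS_LOG = """\
2024-03-01T09:58:11 ids01 sig="web login brute force" src=203.0.113.45 dst=10.0.0.7
"""
APP_LOG = """\
2024-03-01T09:58:14 10.0.0.7 event=login user=jsmith src=203.0.113.45 result=FAIL
2024-03-01T09:58:20 10.0.0.7 event=login user=jsmith src=203.0.113.45 result=SUCCESS
2024-03-01T09:58:21 10.0.0.7 event=login user=alee src=198.51.100.9 result=SUCCESS
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse(text):
    """Each line -> dict with 'ts' (datetime), 'origin' (sensor or host) and fields."""
    events = []
    for line in text.splitlines():
        ts, origin, rest = line.split(" ", 2)
        ev = {"ts": datetime.fromisoformat(ts), "origin": origin}
        ev.update((k, v.strip('"')) for k, v in KV.findall(rest))
        events.append(ev)
    return events

def correlate(ids_log, fw_log, app_log, window=timedelta(minutes=5)):
    """For each IDS alert: was the session allowed through the firewall, and
    which usernames did that source IP use on the targeted host afterwards?"""
    fw, app, findings = parse(fw_log), parse(app_log), []
    for alert in parse(ids_log):
        t0, t1 = alert["ts"], alert["ts"] + window
        fw_hits = [e for e in fw if (e["src"], e["dst"]) == (alert["src"], alert["dst"])
                   and abs(e["ts"] - t0) <= window]
        app_hits = [e for e in app if e["origin"] == alert["dst"]
                    and e["src"] == alert["src"] and t0 <= e["ts"] <= t1]
        findings.append({
            "signature": alert["sig"], "src": alert["src"], "host": alert["dst"],
            "firewall_allowed": any(e.get("action") == "ACCEPT" for e in fw_hits),
            "users": sorted({e["user"] for e in app_hits}),
            "login_succeeded": any(e["result"] == "SUCCESS" for e in app_hits),
        })
    return findings
```

In a real SIEM the same join runs over normalised fields rather than ad hoc key=value lines, but the logic is identical: the firewall answers "did it reach the host", the application log answers "what happened on the host".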
There are a number of other significant IT infrastructure challenges, which include:
- Having the right tools, systems or knowledge to conduct a suitable investigation
- Understanding the topology of their networks (e.g. via a suitable network diagram)
- Providing details of technical controls like firewalls, mail filters and intrusion detection systems (IDS) or data loss prevention (DLP) technology
- Deploying other suitable technical controls, as required, such as patching
- Knowing what or where many of their Internet ‘touch points’ are.
It is essential to make sure that your organisation has the information readily available that will help the cyber security incident response team (including third party experts) to respond quickly and effectively. Depending on context, the kind of information that expert suppliers typically want to know about falls into four main categories:
- Business management (e.g. what the business does, main point(s) of contact, approach to business impact assessment)
- IT infrastructure (e.g. network diagrams, system architecture and layout)
- Data (e.g. what type of information is processed, where and how)
- Event logging (e.g. what types of data and events are logged; on which systems; how and when; as well as how this data is collated and analysed).
The amount of information required by an organisation will differ based on a number of factors, such as its size, market sector, internal capabilities and nature of the particular cyber security incident being investigated.
Organisations can overlook the need to gain fast access to facilities at their outsourced service providers (i.e. access to premises or equipment). They often have difficulty in getting their third party suppliers (e.g. cloud service suppliers, infrastructure outsourcers and managed service providers) to provide important information (e.g. event logs) pertaining to their cyber security incident, sometimes having to wait for several days for something to be actioned.
To operate effectively and efficiently during a cyber security incident investigation, organisations should establish relationships with important third parties in advance of a breach. These third parties may include business partners, joint ventures, individuals with a link into the network, contractors and anyone else who would be impacted if your organisation had to operate in a degraded capacity.
Once these parties are identified, their contact information should be retained and kept easily accessible by the appropriate individuals, including technical security specialists, business representatives and the Crisis Management Team.