The fourth installment of Gnostech’s cyber incident response blog series focuses on containment, eradication, and recovery. Containing an incident before it escalates is critical for any business, including port and maritime organizations; failing to do so can mean devastating disruptions to both operations and commerce. According to the Ponemon Institute, the global average cost of a data breach is $3.86 million and it takes 69 days on average to contain a data breach, while companies that were able to respond quickly and contain a breach in less than 30 days saved more than $1 million.
Containment is the point at which you stop the incident from spreading so that it can be eradicated. The key to containment is having a strategy already in place based on known threats. Your containment strategy must prevent the incident from escalating while preserving information needed to support an investigation and possibly legal action. An essential part of containment is decision-making: creating pre-determined strategies and procedures for containing an incident.
According to the National Institute of Standards and Technology (NIST), variables that will drive a containment strategy include the following:
- Potential damage or loss of resources
- Forensic requirements
- Accessibility of services
- Availability of resources
- Effectiveness of the strategy
- Mitigation and duration of the solution to contain the threat
Keep in mind that your Information Technology (IT) strategy most likely will not work for your Industrial Control Systems (ICS). Containment for an ICS may simply be a reboot, in which case you will not have any investigative information to save. While preserving evidence to prevent future occurrences is important, it may be necessary to forgo that effort to protect information and/or property. In the case of ICS, it could even be a matter of life or death, as these systems typically provide a level of safety to an industrial process.
Evidence gathering, if possible, is valuable for determining how the threat was introduced and could even provide law enforcement with the proof to prosecute an attacker. Evidence should be recorded with identifying information, the name, title, and phone number of individuals who handled the evidence, and the time of each occurrence. However, to use this information in court, strict custody and collection procedures must be adhered to. The NIST Special Publication (SP) 800-86, Guide to Integrating Forensic Techniques into Incident Response, provides information on preserving evidence.
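As an added illustration (not code from the original post or from Gnostech), the snippet below keeps a minimal chain-of-custody ledger for one evidence item: it records the fields the post lists (identifying information, handler name, title, phone number, and the time of each event) and seals the item with a SHA-256 digest so every later handler can confirm it has not been altered. The evidence ID, handler names, and log content are constructed sample values.

```python
# Added example: a minimal chain-of-custody ledger for evidence collected
# during containment. Each custody event re-hashes the item so alteration
# between handlers is detectable. All sample values are constructed.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_of(data: bytes) -> str:
    """Digest used to seal the evidence item and to re-check it on receipt."""
    return hashlib.sha256(data).hexdigest()


def new_ledger(evidence_id: str, description: str, data: bytes) -> dict:
    """Open a custody record for one item and seal its original digest."""
    return {"evidence_id": evidence_id, "description": description,
            "sha256": sha256_of(data), "custody": []}


def record_transfer(ledger: dict, handler: str, title: str, phone: str,
                    action: str, data: bytes,
                    when: Optional[datetime] = None) -> dict:
    """Append a custody event; the receiving handler hashes what they hold."""
    when = when or datetime.now(timezone.utc)
    entry = {"time": when.isoformat(), "handler": handler, "title": title,
             "phone": phone, "action": action, "sha256": sha256_of(data)}
    ledger["custody"].append(entry)
    return entry


def custody_intact(ledger: dict) -> bool:
    """True only if every handler saw the same digest as the original seal."""
    return all(e["sha256"] == ledger["sha256"] for e in ledger["custody"])


if __name__ == "__main__":
    # Constructed sample: one firewall log line captured from a contained host.
    log = b"2024-01-01T00:00:00Z DENY 10.0.0.5 -> 203.0.113.9:445\n"
    ledger = new_ledger("EV-0001", "firewall log, terminal gateway (constructed)", log)
    record_transfer(ledger, "A. Analyst", "IR Lead", "555-0100", "collected", log)
    record_transfer(ledger, "B. Examiner", "Forensic Examiner", "555-0101", "received", log)
    print(json.dumps(ledger, indent=2))
    print("custody intact:", custody_intact(ledger))
```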
With eradication, it is essential to identify all affected hosts. Sometimes this includes recovery resources, such as back-up tapes and cloud services. Often, a threat has been in place long before it has been identified and may be persistent in back-ups. Commonly performed activities for attacking host identification include validating the attacking host’s IP address, researching the attacking host through search engines, using incident databases, and monitoring possible attacker communication channels.
In recovery, administrators will restore systems to normal operations. Recovery can be as simple as installing a malware removal tool or using antivirus software, but it could also be as intensive as rebuilding a system from scratch and reloading everything from back-up devices. It could span hours, days, or even months. As part of the process of recovery, you must incorporate prevention, or you will suffer the same failure in the future. This could require patching, updating versions, or a mitigation strategy to eliminate the threat. In most cases, having a good back-up policy and disaster recovery plan will prepare you for a successful recovery.
Port and maritime organizations must have these strategies in place to return to normalcy in the event of a cyber incident.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and major combat and space systems development and integration. For more information, visit www.gnostech.com or stay connected by following us on LinkedIn or @GnostechInc on Twitter.