We hope this multi-part series on cyber incident response has been insightful, but we are at the end. This month, we will focus on the last phase of the National Institute of Standards and Technology (NIST) incident response life cycle: post-incident activity.
The post-incident activity phase is probably the most important phase of the incident response life cycle, and yet the most neglected. Incident response teams must continually evolve to reflect new threats, improved technology, and lessons learned. Teams should strive to improve both security measures and the incident handling process itself. Holding a “lessons learned” meeting with all involved parties following an incident will identify what went right, what went wrong, and how to prevent the incident from recurring. According to NIST, key questions to be answered include:
- Exactly what happened, and at what times?
- How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate?
- What information was needed sooner?
- Were any steps or actions taken that might have inhibited the recovery?
- What would the staff and management do differently the next time a similar incident occurs?
- How could information sharing with other organizations have been improved?
- What corrective actions can prevent similar incidents in the future?
- What precursors or indicators should be watched for in the future to detect similar incidents?
- What additional tools or resources are needed to detect, analyze, and mitigate future incidents?
Meetings of this nature provide other benefits as well. Reports from lessons learned meetings are good material for future training and provide the opportunity to update incident response policies and procedures. Creating a post-incident report for each incident can be quite valuable when responding to similar incidents in the future. A summary should also be shared company-wide so all employees know where the incident originated, what its effects on the organization were, how to avoid it in the future, and what the organization has done to increase security.
Lessons learned activities should produce a set of objective and subjective data regarding each incident. Why is this necessary? Data such as total hours of involvement and costs can be used to justify additional funding for the incident response team. Data can also reveal systemic security weaknesses and threats, as well as changes in incident trends, and can measure the success of the incident response team. Keep in mind that organizations should focus on collecting data that is actionable, rather than collecting data simply because it is available.
Another key activity in this phase is the preservation and retention of evidence. How evidence is collected and stored will determine whether it is admissible in court. There are many ways to demonstrate that evidence has not been tampered with, such as cryptographic hashing, encryption, and a documented chain of custody. Organizations need to plan for this in advance and put that plan into action. Retain evidence long enough for it to be available for prosecution.
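As an added illustration of the hashing and chain-of-custody practices mentioned above (this is example code, not part of the original article or any Gnostech tooling), the script below records a SHA-256 fingerprint of an evidence file at the moment it is collected, appends a hash-linked custody entry for every later handling event, and can later prove that neither the evidence nor the custody log has been altered. The evidence file, case identifier and handler names are constructed for the demo.

```python
"""Evidence integrity and chain-of-custody ledger (added example, hypothetical)."""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class CustodyEntry:
    action: str             # e.g. "collected", "transferred", "examined"
    handler: str            # person taking custody for this step
    timestamp: str          # ISO-8601 UTC
    evidence_sha256: str    # hash of the evidence at the time of this entry
    prev_entry_hash: str    # links this entry to the previous one
    entry_hash: str = ""    # hash over the fields above


class CustodyLedger:
    """Append-only log whose entries are chained by hash, like a tamper-evident notebook."""

    GENESIS = "0" * 64

    def __init__(self, case_id: str, evidence_path: str, collector: str) -> None:
        self.case_id = case_id
        self.evidence_path = evidence_path
        self.entries: List[CustodyEntry] = []
        self.record("collected", collector)  # first entry establishes the baseline hash

    @staticmethod
    def _hash_entry(entry: CustodyEntry) -> str:
        fields = asdict(entry)
        fields.pop("entry_hash")  # the hash covers every other field
        canonical = json.dumps(fields, sort_keys=True).encode("utf-8")
        return hashlib.sha256(canonical).hexdigest()

    def record(self, action: str, handler: str, timestamp: Optional[str] = None) -> CustodyEntry:
        """Add a custody event; the evidence is re-hashed at every hand-off."""
        stamp = timestamp or datetime.now(timezone.utc).isoformat()
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        entry = CustodyEntry(action, handler, stamp, sha256_file(self.evidence_path), prev)
        entry.entry_hash = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, str]:
        """Check the log's hash chain, each entry's own hash, and the on-disk evidence."""
        baseline = self.entries[0].evidence_sha256
        expected_prev = self.GENESIS
        for index, entry in enumerate(self.entries):
            if entry.prev_entry_hash != expected_prev:
                return False, f"entry {index}: chain broken"
            if self._hash_entry(entry) != entry.entry_hash:
                return False, f"entry {index}: entry altered"
            if entry.evidence_sha256 != baseline:
                return False, f"entry {index}: evidence hash changed"
            expected_prev = entry.entry_hash
        if sha256_file(self.evidence_path) != baseline:
            return False, "evidence on disk no longer matches the collected hash"
        return True, "ok"


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Build a constructed evidence file, log its custody, then show two tampering cases."""
    workdir = tempfile.mkdtemp()
    evidence = os.path.join(workdir, "server.log")  # constructed sample evidence
    with open(evidence, "wb") as handle:
        handle.write(b"2024-01-01T00:00:00Z sshd: Accepted password for admin from 10.0.0.5\n")

    ledger = CustodyLedger("CASE-EXAMPLE-001", evidence, "collector@example.org")
    ledger.record("transferred", "forensics@example.org")
    ledger.record("examined", "forensics@example.org")
    results = {"intact": ledger.verify()}

    # Case 1: someone edits the custody log after the fact.
    ledger.entries[1].handler = "someone-else@example.org"
    results["log_edited"] = ledger.verify()
    ledger.entries[1].handler = "forensics@example.org"  # restore for the next case

    # Case 2: the evidence file itself is modified.
    with open(evidence, "ab") as handle:
        handle.write(b"extra line\n")
    results["evidence_edited"] = ledger.verify()
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'} ({reason})")
```

In practice the ledger would be written to write-once storage and each entry signed by the handler; the hash chain shown here makes silent edits detectable but does not by itself prove who made an entry.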
If personal information of employees or customers has been exposed, organizations have an obligation to notify the affected individuals of the incident and the extent to which their information was disclosed. It is important to note that privacy laws differ from location to location, so it is always a good idea to obtain legal advice to ensure the organization addresses the spirit and intent of those laws. Failure to do so can have far-reaching legal and financial consequences. Organizations should also know that cyber liability insurance is available to cover many of the financial and reputational risks that may arise from cyberattacks.
Sharing incident information publicly can help others identify and react to similar threats. Additionally, notifying software vendors is the first step toward getting a vulnerability patched; without your notification, a software vulnerability could go unnoticed for weeks, months, or even years. Reporting an incident to the U.S. Computer Emergency Readiness Team (US-CERT), www.US-CERT.org, ensures that others know about the threat and gives software vendors encouragement to fix the problem.
In this series, Gnostech has highlighted key considerations for your organization’s cybersecurity incident response plan. Our own incident handling capabilities are based on NIST standards and help port and maritime organizations prepare for and respond to a cyber incident. Very few can afford such a disruption without a severe impact on a region’s commercial and economic viability. Again, having an established and executable incident response plan is crucial to limiting the potential operational and financial damage a cyberattack can cause.
About Gnostech Inc.:
Gnostech Inc. is an applied engineering and consulting company with expertise in information assurance and cybersecurity engineering, and in major combat and space systems development and integration. For more information, visit www.gnostech.com or stay connected by following us on LinkedIn or @GnostechInc on Twitter.