Proactive Incident Response can help prevent cyber attacks

Author: Phil Muncaster

As cyber security experts frequently remind us, it's not a case of if your organization will be breached but when. Since the start of the pandemic, threat actors have found a winning formula in targeting the distributed workforce and the tools it uses to collaborate and remotely access systems. What does this mean for enterprise risk management? That more effort must be made to achieve a higher level of cyber resilience through a proactive incident response plan.

Stopping 100% of threats is no longer possible. The next best thing is to take proactive cyber security measures, which will help you detect and respond to attackers before they've had a chance to impact the organization.

Why do you need an incident response plan?

Trend Micro, one security vendor, claims to have blocked over 62.6 billion cyber threats for its customers in 2020 alone. That's 62.6 billion reasons why you need an incident response plan. Yet organizations are increasingly on the back foot due to a confluence of factors including:

  • Distributed working: This has created two challenges. First, employees that may be more distracted and therefore likely to click on phishing links. Phishing attacks increased 11% year-on-year in 2020, and 85% of breaches involved a human element, according to Verizon's 2021 Data Breach Investigations Report (DBIR). Second, use of potentially less-secured devices, PCs and networks at home rather than corporate equivalents increases risk.
  • Digital transformation: With the shift to mass home working came a new surge in digital investment from organizations keen to support staff productivity and engage with customers online. But this expansion of cloud-based services and infrastructure has also increased the size of the corporate attack surface. Attacks on web applications last year represented 39% of all breaches, according to the DBIR.
  • Supply chains: Threat actors are increasingly scrutinizing the complex web of business partnerships that enable global trade. They range from audacious nation state-backed efforts, such as the SUNBURST campaign, to more straightforward targeting of small-scale service providers.
  • An IoT explosion: IDC has claimed that by 2025 there will be 55.7 billion connected devices worldwide. Many of these contain vulnerabilities that are rarely patched, as well as passwords that are easy to guess or crack. If exploited, these devices can help attackers to sabotage industrial facilities and gain a foothold into corporate networks.
  • The criminal underground: As Cybercrime Magazine reports, thanks to a black market economy said to be worth trillions, attackers have never had a greater advantage over IT security teams. Zero-day threats circumvent traditional defenses, encryption is used to hide malicious behavior, and phished or cracked passwords allow attackers to walk into networks through the cyber front door, posing as real users. Legitimate tools such as Cobalt Strike are also being used to enable post-compromise lateral movement without setting off any security alarms.

The cumulative effect of these challenges is to make effective, proactive incident response an essential part of any cyber security strategy.

What should an incident response plan include?

Proactive incident response plans describe the roles and responsibilities for all main internal stakeholders, different incident types and response playbooks, essential tools and technologies, and communication plans. The Verizon Incident Preparedness and Response Report breaks the process down into six key phases:

1. Planning and preparation

Here, you draw up the incident response plan, including any key internal stakeholders and external parties such as regulators, service providers and outside legal counsel. Breach simulation exercises can help to uncover key areas of focus. Verizon's 2021 Mobile Security Index suggests you identify your organization's VAPs (Very Attacked Persons), often C-level executives who are targeted for phishing attacks.

2. Detection and validation

Cyber security incidents must be detected and classified early on for a swift response. "Incidents"—which require stakeholder action—should be differentiated from "events." There's useful federal guidance to help define incident categories, attack vectors and impact categories.

3. Containment and eradication

Once you've detected and classified the threat, it's essential to work quickly to contain its spread and ensure there's no additional damage to critical assets. Effective cyber threat intelligence programs are a useful source of insight here.

4. Collection and analysis

Provided the data collected is current and of good quality, further analysis will support the containment, eradication and remediation stages of incident response.

5. Remediation and recovery

Now, it's time to get back to business as usual: fix any vulnerabilities exposed in the breach, so that copycat attacks cannot succeed in the future, and restore operations.

6. Assessment and adjustment

The incident might be over, but that doesn't mean it's time to move on. One of the most important phases comes right at the end. By reviewing how successful your incident response plan was, you can identify any systemic weaknesses and make tweaks to improve proactive cyber security measures. Key metrics to measure could include response and resolution time, monetary cost and number of systems impacted.
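As an added illustration of phases 2 and 6 (not code from the article or from Verizon), the following Python sketch records security events, promotes those that cross an agreed impact threshold to incidents requiring stakeholder action, and derives the review metrics named above (response time, resolution time, systems impacted). The impact scale, the threshold rule and the sample events are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed, simplified impact scale: the article only says federal guidance
# defines impact categories, so this ordering is an assumption for the example.
IMPACT_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class SecurityEvent:
    event_id: str
    vector: str                        # attack vector, e.g. "phishing", "web-app"
    impact: str                        # key into IMPACT_RANK
    detected: datetime
    contained: Optional[datetime] = None
    recovered: Optional[datetime] = None
    systems: set = field(default_factory=set)

def is_incident(ev: SecurityEvent, threshold: str = "low") -> bool:
    """Phase 2: an event becomes an incident once its impact reaches the threshold."""
    return IMPACT_RANK[ev.impact] >= IMPACT_RANK[threshold]

def incident_metrics(ev: SecurityEvent) -> dict:
    """Phase 6: response (detect->contain) and resolution (detect->recover) hours, systems hit."""
    def hours_after_detection(t: Optional[datetime]) -> Optional[float]:
        return None if t is None else (t - ev.detected).total_seconds() / 3600
    return {"response_h": hours_after_detection(ev.contained),
            "resolution_h": hours_after_detection(ev.recovered),
            "systems": len(ev.systems)}

def triage(events, threshold: str = "low") -> dict:
    """Metrics for every event that qualifies as an incident, keyed by event id."""
    return {ev.event_id: incident_metrics(ev) for ev in events if is_incident(ev, threshold)}

def review_summary(incidents: dict) -> dict:
    """Assessment roll-up: mean response time over contained incidents, plus open ones."""
    responses = [m["response_h"] for m in incidents.values() if m["response_h"] is not None]
    return {"incidents": len(incidents),
            "mean_response_h": sum(responses) / len(responses) if responses else None,
            "unrecovered": sum(m["resolution_h"] is None for m in incidents.values())}

# Constructed sample: an unclicked phish, a clicked phish, and a contained but unrecovered web-app compromise.
SAMPLE = [
    SecurityEvent("E1", "phishing", "none", datetime(2021, 6, 1, 8, 0)),
    SecurityEvent("E2", "phishing", "medium", datetime(2021, 6, 1, 9, 0),
                  datetime(2021, 6, 1, 9, 45), datetime(2021, 6, 2, 9, 0), {"mail-gw", "wks-042"}),
    SecurityEvent("E3", "web-app", "high", datetime(2021, 6, 3, 22, 0),
                  datetime(2021, 6, 4, 1, 0), None, {"web-01", "web-02", "db-01"}),
]
```

Raising the threshold passed to `triage` is how a plan tuned in phase 6 changes which events reach stakeholders in phase 2.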

What are the challenges?

With so many variables, proactive incident response planning can be a complex process. Some common challenges you might encounter include:

  • Alert overload from disjointed, poorly configured security tools.
  • A lack of in-house skills to develop and operationalize incident response plans.
  • Complexity of overlapping and increasingly onerous regulations.
  • A lack of good quality threat intelligence data.
  • Budget constraints.
  • Volume of threats, including those stemming from negligent or malicious insiders.
  • A lack of customization.

Why customization is important

The threat landscape is a volatile, unpredictable place. Breaches can come out of nowhere, requiring a streamlined and coordinated response. This makes it more important than ever to design an incident response plan specifically customized to your business culture, IT environment and risk appetite. Anything too generic could contain so much information that it slows down first responders and makes an already stressful situation even more challenging.

It's also true that the landscape is continually shifting, and so must your incident response planning. Only 40% of organizations studied in Verizon's 2019 Incident Preparedness and Response Report explicitly specified periodic reviews, tests and updates to their plans. Customization is a continuous journey, not a destination.

Find out how partnering with a third party can help with your incident response planning.