A State and Local Government Guide to Developing an Incident Response Plan

Incident Response Plays a Key Role in Effective Cybersecurity

Experts say that a security breach is virtually inevitable — that it’s a matter of “when” not “if.” How an organization responds to a security incident ultimately determines its cost and impact.

State and local government agencies face an elevated risk of cyberattack due to a lack of robust security controls. However, many agencies have not developed a plan for detecting, containing and eradicating cyberattacks, and recovering business systems. An incident response plan also directs the activities of a cross-functional team that communicates with the outside world, takes steps to restore or modify business processes, and develops a risk-mitigation strategy to help prevent future cybersecurity incidents.

Agencies Are Highly Vulnerable

Two security incidents in March 2018 point to the vulnerability of state and local governments. First, the City of Atlanta was hit by a massive ransomware attack that took many city services offline for more than a week and permanently deleted many legal documents and police files. It cost at least $10 million to recover. Then, a cyberattack disrupted Baltimore’s 911 emergency system for 17 hours, forcing support staff to manually manage incoming calls. Baltimore was hit again in May 2019 by a ransomware attack that took down the city’s phone system, email, and online billing and payment systems.

Experts say that state and local government agencies are “soft targets” because of weak security controls. A nationwide study conducted by the International City/County Management Association and the University of Maryland found that nearly 20 percent of local governments experience a cyberattack at least once per day, while nearly 28 percent said they experience a cyberattack hourly or more. The actual numbers are likely higher given that nearly 30 percent didn’t know how frequently they were attacked.

More than two-thirds of respondents said that the number of cyberattacks had stayed the same or increased over the preceding 12 months. However, most government agencies were unprepared to prevent, detect or respond to these attacks. For example, just 36 percent said they could prevent a data breach and just 38 percent said they could detect a security incident. Respondents said the top barriers to effective cybersecurity included lack of support from top officials, lack of awareness, training and accountability, and lack of adequate funds.

Not surprisingly, just one-third of respondents said their agency had a “formal, written plan for recovery from breaches.” Of those that did have a plan in place, fewer than one-third rated its effectiveness as “high” or “very high.”

More than IT

Incident response refers to the process of addressing a cyberattack in order to minimize downtime, damage and costs. With an effective incident response plan in place, organizations can contain a cyberattack and prevent it from reaching crisis levels.

Many business leaders consider incident response to be an “IT issue.” However, the incident response team should include representatives from executive management, legal, human resources, public relations and customer service as well as IT. While IT is working to contain the threat, the remainder of the team will be responding to inquiries from customers, business partners, law enforcement and regulators, and possibly the media and the general public.

In the first hours and days, the team should be prepared to provide information on what is known and not known, and what the organization is doing to address the attack. Team members should also work with business partners to change processes and information sharing as needed to reduce risk. Legal counsel, whether internal or external, should address the threat of lawsuits or regulatory action early, and ensure that all mandated notification and reporting requirements are met. Employees may be concerned about the impact on their jobs, and human resources should be prepared to respond.

The team should also focus on restoring business operations, prioritizing functions that are mission-critical. It’s important to recognize, however, that the full lifecycle of incident response may extend for weeks, months or even years. After the immediate crisis has been resolved, the team should focus on evaluating security controls and developing a long-term risk mitigation strategy.

IT’s Role in Incident Response

From an IT perspective, incident response begins before a cyberattack occurs. The incident response plan should include proactive functions, starting with the deployment of a resilient IT infrastructure and ongoing monitoring to detect security threats. Threat intelligence data should be assessed against the organization’s risk posture to prioritize security efforts.

After an attack occurs, IT should focus on containment, eradication and recovery. The incident response plan should define what constitutes an “incident,” which might include data exfiltration, unauthorized access, malware infection, denial of service attack and other security-related events. Incidents should be categorized based upon the type of data involved, the type of perpetrator responsible, the scope of the event, and any legal or regulatory compliance requirements involved.

Once a potential incident has been identified, the response team will likely need to conduct an investigation in order to understand what type of event it is dealing with. The initial investigation should be conducted as rapidly as possible and involve digital forensic experts at an early stage. Forensic experts can analyze systems in a way that preserves evidence. Only then can the IT team work to contain and eradicate the problem and recover systems, applications and data. As a final step, the response team should assess the incident and how it was addressed, and look for ways to improve the process.

Conclusion

According to the SANS Institute, incident response begins with proper preparation and planning, so that key personnel know the procedures they should follow when a security breach occurs. The first step is to identify personnel who should be involved and define their respective roles in implementing the incident response plan.

IT is involved throughout the incident response lifecycle, from pre-event monitoring and the implementation of security controls, to containing, eradicating and recovering from an attack. The goal is to prevent incidents insofar as possible and to quickly identify and respond to them when they do occur.
