Plan and Train for Security Incidents Now
Sunday, August 2, 2015

In order to minimize potential damage to company assets, employees, and customers, it is critical that companies take quick and effective action upon the discovery of any suspected or actual cyber incident (e.g., any unauthorized access, use, or disclosure of data or other information security breach). To achieve an effective response to an incident, you need an incident response plan in place and employees who are trained to execute it before the need arises. The incident response plan should address, at a minimum:

  • Preparation

  • Detection and analysis

  • Containment

  • Eradication

  • Recovery

  • Follow-up capabilities

Each of the above elements is discussed briefly below.

  • PREPARATION

    • Have a plan — now. Establish and maintain an incident response plan that keeps pace with the rapidly evolving threats to data and use of technology in your company (e.g., automobile manufacturers must now adjust their response plans to address threats to vehicles).

    • Incident response testing and exercises. Companies that develop and implement a trial run of their incident response plan at least once a year are in a significantly better position to identify vulnerabilities and address them before a real attack strikes. The feedback and lessons learned from executed trial runs should be reviewed and incorporated into existing incident response plans to make them more effective.

    • Incident response training. Detailed, practical, up-to-date training is critical. Everyone with any responsibility under the incident response plan should know their role in the plan and how to execute it. Training must be focused and contextual for each participant, rather than generic.

    • Resources. Set aside appropriate resources (including all applicable hardware and software) that are available and accessible to execute the plan.

    • Protect your communications. Engage legal counsel — with knowledge in information management and security — to advise and assist in the implementation of appropriate preventive measures in compliance with the evolving standard of care. This will increase both the assurance that your plan will be viewed as reasonable, if questioned, and the likelihood of protecting communications with and actions directed by counsel under applicable attorney/client privilege and work product doctrines.

  • DETECTION AND ANALYSIS

    • Detection. Detection capabilities that automatically scan, monitor, and search for incidents, along with manual scanning and monitoring (where automated processes are not feasible), routinely form part of effective incident response plans. Regularly reviewing reports on new vulnerabilities and reviewing access logs are two examples of manual monitoring. Incidents should be reported to the appropriate individuals immediately upon discovery.

    • Incident analysis. A response to a suspected or actual incident starts with an analysis to determine the scope, nature, and origin of the incident, as well as the people, software, and hardware involved in the incident. The analysis should identify affected systems and data, the origin of the incident, any malware implicated, any remote servers that received data, a list of affected individuals, and any additional impact on company networks, systems, and information infrastructure.

    • Incident documentation. To ensure that incidents are resolved in a timely manner and that the company complies with its own policies and applicable legal requirements, it is critical that any suspected or actual incident be properly documented, and that, to the extent that it is practical, documentation and communication be under the direction of a company attorney to maximize the protection of the communications. Identifying, collecting, and maintaining records regarding the company’s response to incidents should be standard operating procedure.

The documentation should include: a status report and a summary of all related incidents and responsive actions taken by the company; an impact assessment; contact information for every individual and entity involved; a comprehensive list of the collected evidence; and a summary of incident prioritization, notification, containment, eradication, recovery, reporting, and follow-up actions to resolve the incident and prevent future recurrences. Depending on the nature of the incident, companies may consider additional steps such as:

      • Arranging for a “forensic image” of the affected computer systems

      • Locating backups and checking for any unauthorized changes to the network

      • Using uncompromised media to store copies of retrieved and stored data — and safeguarding media from being compromised

      • Preserving logs, ongoing notes, records and data — to be preserved, if possible, by a single designated custodian

      • Recording any continuing activity for ongoing incidents and, subject to legal limitations, employment agreements, privacy policies, and pre-clearance from legal counsel, considering monitoring and recording communications between intruder and targeted server in order to protect the entity’s property or rights or with advance documented consent of system users
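The preservation steps above (forensic image, backups, logs and notes under a single designated custodian) all depend on being able to show later that nothing was altered after collection. The following is an added example, not code from the original article, of a minimal chain-of-custody ledger: it hashes each preserved artifact at collection time, records who took custody and when, and re-verifies the artifacts on demand. File names, the custodian name, the log line and the simulated post-collection edit are all constructed for the demonstration.

```python
# Added example (not from the original article): a minimal evidence-preservation
# ledger for the documentation step. Each preserved artifact is hashed with
# SHA-256 at collection time together with custodian and timestamp, and the
# ledger can be re-checked later to detect alteration or loss.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large forensic images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(ledger, path, custodian, description):
    """Append a chain-of-custody entry for one preserved artifact and return it."""
    entry = {
        "path": os.path.abspath(path),
        "sha256": sha256_file(path),
        "size_bytes": os.path.getsize(path),
        "custodian": custodian,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "description": description,
    }
    ledger.append(entry)
    return entry


def verify_ledger(ledger):
    """Re-hash every artifact; returns {path: True} if intact, {path: False} if altered or missing."""
    results = {}
    for entry in ledger:
        path = entry["path"]
        if not os.path.exists(path):
            results[path] = False
            continue
        results[path] = sha256_file(path) == entry["sha256"]
    return results


def save_ledger(ledger, path):
    """Write the ledger as JSON so it can itself be preserved on separate, uncompromised media."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(ledger, fh, indent=2)


def demo():
    """Constructed walk-through: preserve two artifacts, then detect a post-collection edit."""
    workdir = tempfile.mkdtemp(prefix="ir-evidence-")
    image = os.path.join(workdir, "workstation-42.dd")  # constructed placeholder name
    logs = os.path.join(workdir, "auth.log")            # constructed placeholder name
    with open(image, "wb") as fh:
        fh.write(b"\x00" * 4096)                        # stand-in for a disk image
    with open(logs, "w", encoding="utf-8") as fh:       # constructed sample log line
        fh.write("Aug  2 03:14:07 host sshd[1234]: Failed password for root from 203.0.113.5\n")

    ledger = []
    record_evidence(ledger, image, "J. Doe (IR lead)", "Forensic image of affected workstation")
    record_evidence(ledger, logs, "J. Doe (IR lead)", "Exported authentication log")
    intact = verify_ledger(ledger)

    # Simulate the spoilage the article warns about: the log is edited after collection.
    with open(logs, "a", encoding="utf-8") as fh:
        fh.write("Aug  2 03:20:00 host sshd[1234]: line appended after collection\n")
    after_edit = verify_ledger(ledger)

    save_ledger(ledger, os.path.join(workdir, "custody-ledger.json"))
    return intact, after_edit


if __name__ == "__main__":
    before, after = demo()
    print("intact at collection:", before)
    print("after post-collection edit:", after)
```

In practice the ledger file would be signed or stored write-once and kept by the designated custodian, and `record_evidence` would be run on the copies placed on uncompromised media rather than on the live system.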

    • Incident prioritization. Multiple incidents occurring simultaneously or in a short time period can wreak havoc on company systems and employee morale. If more than one incident adversely affects a company, it may be necessary, depending on a company’s resources and the nature of the incidents, to prioritize the response to account for each incident’s overall impact.

    • Incident notification. In many cases, incidents (and even suspected incidents) may require notification of state and federal agencies and others. Depending on the resources available to the company, identifying a point-of-contact and at least one backup contact to address incidents with the media, law enforcement, incident reporting organizations, and other third parties will help ensure consistent and accurate responses. Training a designated company manager to communicate effectively about the incidents and the company’s compliance before any security incident occurs is an essential part of an effective response plan.

  • CONTAINMENT, ERADICATION, AND RECOVERY

    • Incident containment. Upon discovery, containment is critical — stop the breach, contain the damage, secure the information, and recover compromised information. Incidents vary widely in severity, type of information involved, cause, and risk. Be sure to assess how various incidents may affect the particular operations and assets of your company, prioritize them, and take extra measures to safeguard the most valuable from attack. A detailed containment strategy may include the following:

      • A range of measures, from blocking access to monitoring activity to identifying the source or scope of the incident

      • Re-routing network traffic

      • Filtering or blocking a distributed denial-of-service attack

      • Isolating some or all of the compromised network

      • Restoring the network to its prior uncompromised state if a backup copy of important data has been preserved

      • Preserving records of mitigation/response measures and related costs

    • Incident eradication. Response, resolution, and containment may not be sufficient. The lingering effects of an incident can harm a company immediately or long after an incident occurs. After an incident has occurred and the company has carried out its containment strategy, an eradication process may be necessary to eliminate any harmful remnants. A supplemental action plan may be called for: delete malware, disable breached user accounts, and rebuild systems.

  • POST-INCIDENT ACTIVITY

    • Each incident can help educate companies to become smarter, draft more sophisticated and comprehensive security response plans, and improve their execution capabilities to detect, prevent, and respond to incidents. Taking full advantage of lessons learned is critical — doing so will enhance a company’s detection and response capabilities, make them stronger, and render managers better equipped to safeguard the operations and assets of their companies.

    • Consider implementing new and improved technology and ensuring that lessons learned are incorporated into the company’s information and security training programs, policies and protocols. After an incident, conduct meetings and training sessions with all involved parties to address the incident in its entirety: from detection, investigation, and diligence to containment and eradication. As part of the post-incident recovery phase, a thorough review of the company’s incident policy should be conducted and modifications made to incorporate the lessons learned.

  • ACTIONS TO AVOID

    • Don’t ignore the incident. Your response actions may have more impact on the operational and reputational damage and liability incurred than the incident itself.

    • Suspend use of the compromised system or run suitable antivirus programs. Failing to do so may spoil, alter, or destroy evidence.

    • Do not hack back for any purpose, including accessing, damaging, impairing, or preventing another attack or further damage from a system believed to be connected to the intruder. Even with a good motive, such conduct is likely illegal, under U.S. and some foreign laws, and therefore may well result in civil and criminal liability.

    • Leave examination of the affected systems to the forensics experts. Non-experts commonly spoil, alter, or destroy evidence.

 

  • SOME FINAL THOUGHTS

    • Each plan should also be tailored to the company’s particular business model and customer base (e.g., an organization that accepts credit cards is required to have an emergency response plan consistent with PCI Data Security Standards).

    • In addition to a training program for employees, training for and obtaining cooperation from contractors and others with access to company information is a critical program component.

    • Periodic auditing is also necessary to test company performance against plan requirements.

    • Finally, company cyber managers should oversee compliance with applicable laws and the enforcement of the company’s policies, using internal resources, external resources, or a combination of both, including engaging counsel as appropriate.

    • Responding to information incidents is an iterative process. Lessons learned as part of an investigation or incident response, as well as any trial run of the plan, will aid the company to better understand what happened, how to be better prepared for future incidents, and how to help avert future incidents.

 
