Coordinated Response
Services and tools for incident response management

Highlights

GAO Statistics for Cybersecurity Incidents

Cybersecurity incidents double in 5 years

In a report of recent congressional testimony, GAO provides statistics that offer useful insight. The report is available from the GAO Web Site.

Incidents over Time

(Chart: GAO cybersecurity incidents over time)

Incidents by Category

(Chart: GAO cybersecurity incidents by category, 2013)

Coordinated Response

How does this compare with your experience? Does your response plan address this range of cybersecurity incidents? At Coordinated Response we use this type of information to inform our response plan development and response plan reviews.

Enhance Data Breach Response – 6 Recommendations

In Congressional testimony, GAO made six recommendations for improving data breach response.

A report of the testimony is available from the GAO Web Site. For some interesting statistics from this report refer to GAO Statistics on Cyber Security.

Key Management Practices

  • Establish a data breach response team;
    rely on IT security staff for technical remediation;
    identify an extended team that includes the information owner, the CIO,
    the CISO, the privacy officer, public affairs, and legal counsel among others.
  • Train employees on their role;
    train employees with access to sensitive data on their responsibilities;
    train the response team on their role in the incident response plan.

Key Operational Practices

  • Submit reports to appropriate entities;
    prepare and submit reports for internal use, to the US-CERT within 1 hour of discovery,
    and to other external entities as appropriate.
  • Assess the impact both in breadth and in depth;
    identify the nature of the data, the number of individuals, the likely potential for harm,
    and the possibilities for mitigation; this assessment determines incident actions and reports.
  • Offer affected individuals assistance;
    as appropriate and as required, help mitigate the individual’s risk
    through credit monitoring for example.
  • Analyze the breach response; identify lessons learned.

Coordinated Response

With this information the response team makes informed decisions on what resources to apply and what actions to take. Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your information security risk assessment.

Harvard Business Review on Incident Response Planning

Ten Steps to Planning an Effective Cyber-Incident Response.

Tucker Bailey and Josh Brandley, both with McKinsey, published an article on the HBR blog network identifying the 10 steps towards an effective incident response plan. Their article highlights some of the experiences that led to their conclusions. It’s worth a quick read.

Here I paraphrase their list to emphasize the key points and relate each point to our Response Management Framework.

  1. Assign a lead executive responsible for the plan and its implementation.
    This executive is a key member of our core response team.
  2. Develop a taxonomy of risks, threats, and potential failures
    or as we like to say “align incident response to risk assessment”.
  3. Develop quick response guides for likely scenarios.
    This is our incident-action matrix – each row represents actions for a specific incident type.
  4. Focus on major decisions, for example, when to isolate a system or part of a network; establish the procedures for these major decisions. This is a continuation of the incident-action matrix.
  5. Maintain relationships with external stakeholders, for example, law enforcement.
    External stakeholders are part of the extended response team.
  6. Develop relationships with external experts and service providers; include service level agreements.
    These are additional members of your extended response team.
  7. Keep the response plan refreshed and available.
  8. Ensure response team members know their role (see 10).
  9. Identify key response team members; ensure redundancy.
  10. Train, practice and simulate incident response activities.

Coordinated Response

This is a good list of 10 key success factors for an effective incident response program. It serves as a good checklist against our Response Management Framework. Let us help you with a response plan review that considers your information security risk assessment.

Citation

Bailey, Tucker and Brandley, Josh, “Ten Steps to Planning an Effective Cyber-Incident Response”, Harvard Business Review Blog Network, July 1, 2013. Retrieved 03/07/2014 from: http://blogs.hbr.org/2013/07/ten-steps-to-planning-an-effect/.

NIST to Publish Cybersecurity Framework Soon

The Response Management Framework extends the NIST Framework

The Preliminary Cybersecurity Framework is available on the National Institute of Standards and Technology (NIST) Web Site. Next week the final version is due. The preliminary paper identifies 5 core functions. The Response Management Framework complements the NIST framework and extends three of the core functions.

Some experts have been critical of the framework, but others support it. See Taylor Armerding’s article “NIST’s finalized cybersecurity framework receives mixed reviews”, January 31, 2014, in CSO Online.

Identify, Protect, Detect, Respond, Recover

  1. Identify – Identify Systems, Assets, Data, and Capabilities at Risk for Cyber Incidents.
  2. Protect – Implement Access Controls, Awareness & Training, Data Security, and Protective Technologies.
  3. Detect – Detect Anomalies and Events; Employ Continuous Monitoring and Detection Processes.
  4. Respond – Include Response Planning, Analysis, Mitigation, and Improvements.
  5. Recover – Address Recovery Planning, Improvements, and Communications.

Of course, Detect, Respond, and Recover are the context for your incident response plan.

  • In Detect, potential incidents are analyzed to determine their nature.
  • Respond encompasses additional analysis, containment, more analysis, and eventually eradication.
  • Then Recover proceeds unhindered to restore impacted capabilities.

Coordinated Response

The Response Management Framework provides the details of who, what, when, where, and how.

Of course, Coordinated Response uses the information provided from the Identify function to help build the Impact Assessment and to properly Prioritize the Incident.

A Descriptive Definition of an Incident Response Plan

This definition may not explain how to get there, but it tells you where you want to go. It provides a descriptive definition of an effective incident response plan.

An Incident Response Plan:

  • is an implementation road map;
  • describes the team structure and organization;
  • is reviewed and approved at the right level;
  • provides organizational context;
  • defines reportable incidents;
  • identifies key metrics; and
  • defines needed resources and management support.

This makes a good list of New Year’s resolutions for improving an incident response plan and program.

Many readers may recognize this description. This description paraphrases the description of the Incident Response Plan security control (IR-8) in the NIST Publication SP 800-53. For more information on SP 800-53 refer to What Does NIST Say about Incident Response?, March 2013.

Coordinated Response

Let us help you with a response plan review that moves forward on these valuable measures.

Adjust the Incident Response Plan – Address Insider Threats

An effective incident response plan addresses the nature of insider threats and includes a range of specialized response actions.

This is the second note on Insider Threats reflecting the Common Sense Guide to Mitigating Insider Threats, 4th Edition, CMU/SEI-2012-TR-012, December 2012. The first note, Insider Threat and Incident Response, summarized key elements of the guide related to incident response planning and management. This note applies those elements to the incident response planning process.

The guide identifies the following items and practices of special importance to incident response when dealing with an insider threat:

  • A wide range of organizational staff support the response to an insider threat.
  • Consistent enforcement of documented policies and controls support defensible actions.
  • A comprehensive employee termination procedure mitigates the risk of insider threats.
  • Know and document your assets.
  • Consider insider threats in an enterprise-wide risk assessment.

According to the 2012 Cybersecurity Watch Survey a company has a 50% chance of experiencing an insider incident in any given year or a certainty of experiencing an incident in a 2 year time frame (see Insider Threat and Incident Response for specific references). Our note, A Data Breach and Insider Threats, examines the cost of a data breach and the potential roles played by insiders.

The response to an insider incident involves a wide range of organizational staff.

In our Response Management Framework we describe this as the Core and Extended Response Team. An insider incident is likely to involve legal, human resources, and physical security. More importantly, the actions require special authorizations and notifications as the response proceeds. Using an agile approach – iterating through incident actions with the extended team members – provides a useful delineation of the appropriate actions.

Consistent enforcement of documented policies and controls support defensible actions.

Documented policies that are consistently enforced support defensible actions, including employee or contractor termination. Documentation and consistent enforcement are even more important when stronger legal remedies apply. The incident response plan with its associated actions is a key element for documenting policies and for ensuring consistent actions.

A comprehensive employee termination procedure mitigates the risk of insider threats.

The Common Sense Guide recommends developing a comprehensive, enterprise-wide checklist to use at the time of separation. The checklist might identify: (1) a list of employees who need to know of the termination; (2) a list of accounts assigned to the employee; and (3) a list of resources to monitor after the termination.

The last point recognizes that terminating an employee may escalate the threat presented by that employee. Monitoring key resources post-termination may identify an incident before a serious impact occurs. The checklist can be used to help identify likely insider incidents.

It is important to note that when any insider incident occurs, the incident response may collect important documentation needed to support the termination process.

Know and document your assets.

The guide recommends maintaining an up-to-date inventory of (1) all data types being processed; (2) all devices including network devices, mobile devices, and credentialing tools; and (3) your information geography: sensitive areas; single or multiple locations; domestic or foreign locations; and physical or virtual (cloud-based) locations.

These inventories are important tools needed for all effective incident response, not just insider incidents. Understanding your assets is a critical element of the next practice: an enterprise-wide risk assessment.

Consider insider threats in enterprise-wide risk assessments.

The guide recommends a number of controls that mitigate the risk of an insider threat, for example, background checks. But the enterprise-wide risk assessment does more. It considers the risk insider threats pose to assets beyond information resources. It provides potential impact assessments associated with various assets. This information is important to building an effective incident response program.

In an earlier note, Risk Assessment and Incident Response, we talk about this important linkage.

Coordinated Response

A coordinated response is a bigger challenge when an incident involves an insider. Establishing an effective plan is an important step, and the Common Sense Guide provides elements and practices to hone the plan.

Let us help you with a response plan review that considers your exposure to insider threats.

Insight from Incident Response for Industrial Control Systems

ENISA examined Industrial Control Systems (ICS) cybersecurity incidents to identify lessons learned. Many of these lessons apply to any high-value system.

ENISA – the EU Network and Information Security Agency – examined cybersecurity incidents associated with Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems. The findings were published in a white paper: Can We Learn from Industrial Control System Security Incidents?, ENISA web site, October 2013. The link references a press release that provides the background and a summary of the paper, as well as access to the white paper itself.

ENISA’s Key Findings from ICS Incidents

ENISA’s key findings apply to many high-value information systems:

  • Coordinate cyber and physical security response processes.
  • Understand the overlap between cyber and physical critical incident response teams.
  • Increase awareness of the location of digital evidence and the appropriate actions to collect and preserve it.
  • Design and configure systems to enable digital evidence retention.
  • Complement existing skills base with ex post analysis expertise.
  • Increase inter-organizational, public/private, and cross country collaboration efforts.

All of these practices should be addressed in your incident response plan if you are dealing with a high-value system.

Coordinated Response

Let us help you with a response plan review that (1) includes physical security as an extension of your incident response team; (2) addresses evidence collection and control; (3) identifies ex post analysis expertise for more effective incident review; and (4) recognizes inter-organizational communications requirements and opportunities.

A Data Breach and Insider Threats

Insiders pose a unique threat. A data breach involves legal issues. Does your incident response plan reflect the required actions?

The Verizon 2013 Data Breach Investigations Report provides insight into the role of insiders when data is breached.

Profit-driven organized crime groups were tied to over half of all breaches.

Attackers targeted mostly finance, retail, and food service industries. Attackers profit from selling payment data or personal information. Almost all states and the District of Columbia have data breach laws governing this type of incident.

State-affiliated Actors were linked to 21% of all breaches.

Here the attackers were seeking intellectual property – trade secrets, sensitive internal data, or systems information. The targeted industries were Manufacturing, Professional Services and Transportation. This raises issues of liability or economic loss.

There are two important statistics associated with cyber-espionage campaigns.

  • First, over 95% started with a phishing attack. Companies need to take their anti-phishing controls seriously.
  • Second, smaller companies, those with fewer than 10,000 employees, were attacked 4 times more often than larger companies. Small professional services or law firms were often targets due to the sensitive information they held for their clients.

Malicious Insiders account for 14% of data breaches.

But, Verizon also states that External Actors are involved in over 90% of all data breaches. So, often an external actor recruits or coerces an insider.

Risk Awareness is the first step.

Include insider threats and the potential impact of a data breach in your risk assessment.

An Incident Response Plan is the second step.

When dealing with insider threats, consider the legal and human resource issues. Managing employees or contractors involves legal and regulatory issues. When dealing with a data breach, appropriate legal steps need to be followed.

Coordinated Response

Coordinated Response can help you develop a plan that anticipates the unique actions needed to address a data breach or an insider threat.

ISACA Incident Management and Response

ISACA – The Information Systems Audit and Control Association – is a good resource for Incident Response Teams.

The ISACA Web Site offers a white paper: Incident Management and Response. This is a link to the base page with access to the white paper as well as a good set of additional resources for Incident Planning and Response.

The paper makes key points that help strengthen a response plan including:

  • The importance of the link between risk planning and response planning;
  • The business value of a good response plan; and
  • The importance of supporting enterprise governance in the response plan.

Attacks Expose the Enterprise to a Variety of Risks and Associated Impacts

Risk planning and response planning are linked. The risks and resulting impacts occur in the following areas:

  • Reputational Risks including public relations or legal issues with customers.
  • Regulatory Risks including the inability to meet regulatory compliance.
  • Operational Risks including the inability to deliver key business capabilities.
  • Internal, Human Relations Risks including inability to process payroll or violations of employee privacy.
  • Financial Risks including loss of physical assets or remediation expenses.

This is an idea that Coordinated Response embraces in The Risk Management Framework specifically in the area of Impact Assessment and Incident Prioritization.

Business Value – An Effective Response Plan Addresses Response Risk

A robust incident response program reduces the risk of response – the probability of the response itself contributing inadvertently to risk exposure. The paper stresses the characteristics of an effective program:

  • Is the plan endorsed by management?
  • Is the team well-trained?
  • Is the team interdisciplinary? Does the team include operational, administrative, legal, HR, PR, and management?
  • Does the program employ proven plans and processes for operations and execution?
  • Are metrics employed for evaluating effectiveness and identifying gaps?
  • Is there a charter for the team?
  • Does the plan address declaration and notification procedures? A well defined communication plan?

Impact Levels

For each impact area, it is important to provide metrics or descriptions that differentiate the impact level. Low, medium, and high are not enough as impact measures. Without metrics different people assign different meanings to the terms low, medium, and high.

An Incident Response Plan Review

It’s worth stressing that the impact component of the risk assessment can and should be used during the Incident Impact Assessment. The Response Team measures adverse impact to determine the needed response.

With this information the response team makes informed decisions on what resources to apply and what actions to take. Refer to our Response Management Framework for added insight.
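An added example (not code from Coordinated Response, ISACA or GAO) of what "metrics that differentiate the impact level" looks like in practice: each impact area from the list above gets explicit numeric thresholds, the overall priority is the worst area rather than an average, and a regulatory impact flags the external reporting duty. The threshold values and the sample incidents are constructed for illustration; an organization calibrates its own from its risk assessment.

```python
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Per-area thresholds: (value at which impact is at least medium, value at which it is high).
# Every number here is a constructed placeholder; each organization calibrates its own.
THRESHOLDS = {
    "financial_usd": (10_000, 250_000),        # remediation spend plus lost assets
    "operational_hours": (4, 24),              # hours a key business capability is down
    "regulatory_records": (1, 500),            # personal records that need notification
    "reputational_customers": (10, 1_000),     # customers visibly affected
    "hr_employees": (1, 50),                   # employees whose pay or privacy is affected
}


def level_for(area: str, value: float) -> str:
    """Map a measured value to a level using the area's explicit thresholds,
    so two assessors reading the same numbers reach the same level."""
    medium_at, high_at = THRESHOLDS[area]
    if value >= high_at:
        return "high"
    if value >= medium_at:
        return "medium"
    return "low"


@dataclass
class Incident:
    name: str
    measures: dict  # impact area -> measured value (areas not measured count as 0)

    def assess(self) -> dict:
        """Per-area impact levels for the Incident Impact Assessment."""
        return {area: level_for(area, self.measures.get(area, 0)) for area in THRESHOLDS}

    def priority(self) -> str:
        """Overall priority is the worst area: one high area is never averaged
        away by several low ones."""
        return max(self.assess().values(), key=LEVELS.index)

    def requires_external_report(self) -> bool:
        """Regulatory impact at medium or above means notification duties apply."""
        return LEVELS.index(self.assess()["regulatory_records"]) >= LEVELS.index("medium")


def triage(incidents):
    """Order incidents for the response team, highest priority first."""
    return sorted(incidents, key=lambda inc: LEVELS.index(inc.priority()), reverse=True)


if __name__ == "__main__":
    # Constructed sample incidents, not taken from any report.
    defacement = Incident("defacement", {"reputational_customers": 25, "operational_hours": 2})
    lost_laptop = Incident("lost laptop", {"regulatory_records": 1200, "financial_usd": 3000})
    for inc in triage([defacement, lost_laptop]):
        print(inc.name, inc.priority(), inc.assess(), inc.requires_external_report())
```

The lost laptop ranks above the defacement even though its financial impact is low, because the regulatory area alone drives it to high and triggers reporting.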

Let us help you with a response plan review that considers your information security risk assessment.

Insider Threats and Incident Response

Insider Threats place added requirements on an incident response plan.

In December 2012, the CERT/CC Insider Threat Center published the Common Sense Guide to Mitigating Insider Threats, 4th Edition, CMU/SEI-2012-TR-012. The guide uses extensive research to examine the nature of insider threats and their probability. It is an excellent resource.

This is the first in a series of notes on insider threats – the first note examines the guide and the next considers the impact on incident response planning and handling.

The response to insider threats often involves a wide range of organizational staff.

“Insider threats are influenced by a combination of technical, behavioral, and organizational issues” (from the Executive Summary). As a result, management, human resources (HR), legal counsel, and physical security may be involved in the response along with the Information Technology (IT) and Information Assurance (IA) departments.

Of course, this aligns with the Core and Extended Response Team in the Response Management Framework.

Insiders reflect a range of company relationships and behaviors.

The range includes:

  • The traditional threat posed by current or former employees;
  • Collusion with outsiders – employees recruited or coerced by competitors or organized crime;
  • Business partners – suppliers, contractors, or distribution channels;
  • Mergers and acquisitions introducing new, unknown insiders; and
  • Cultural issues – both national and corporate – introducing tensions.

Each of these may require specialized incident actions as part of the response.

The 2011 CyberSecurity Watch Survey informs the guide.

The CyberSecurity Watch Survey provides the following statistics:

  • 43% of respondents experienced a malicious, deliberate insider incident in the past 12 months.
  • 23% of identified perpetrators were insiders – 1 in 4 incidents perpetrated by insiders.
  • 46% of respondents felt insider incidents caused more damage than incidents perpetrated by outsiders.

This annual survey is sponsored by U.S. Secret Service, CERT Insider Threat Center, Deloitte, and CSO Magazine.

The 2012 CyberSecurity Watch Survey provides additional support.

The following chart suggests that all organizations – large and small – have close to a 50/50 chance of experiencing an insider incident in any given year; put another way, an insider incident will occur about every 2 years, give or take a month. NOTE: there were 479 respondents; 1/3 were organizations with 5,000 employees or more, and 2/5 were organizations with fewer than 500. This suggests a representative survey.

(Chart: 2012 CyberSecurity Watch Survey, insider incidents by organization size)
The 2012 Survey was retrieved from a Google search for “2012 CyberSecurity Watch”.

The guide recommends 19 practices to mitigate insider threats.

The guide recommends 19 practices for mitigating Insider Threats (see the table at the end of this article). Many of these are well known security controls, but they are presented through the lens of the insider threat. For each practice, the guide (1) defines the protective measure; (2) identifies challenges; (3) provides case studies; (4) identifies quick wins applicable to all organizations; (5) identifies additional quick wins for large organizations; and (6) maps the recommended practices to NIST, CERT, and ISO standards.

Coordinated Response – Review your plan.

We can work with you to incorporate or improve how your response plan addresses insider incidents.

The 19 Practices for Mitigating Insider Threats.

Emphasized practices have a direct bearing on incident response planning and management.

  1. Include insider threats in an enterprise-wide risk assessment.
  2. Clearly document and consistently enforce policies and controls.
  3. Incorporate insider threat security training for all employees.
  4. Beginning with the hiring process, monitor suspicious or disruptive behavior.
  5. Anticipate and manage negative issues in the work environment.
  6. Know your assets.
  7. Implement strict password and account management policies and practices.
  8. Enforce separation of duties and least privilege.
  9. Define explicit security agreements for any cloud services – address access restrictions and monitoring capabilities.
  10. Institute access controls and monitoring on privileged users.
  11. Institutionalize system change controls.
  12. Log, monitor, and audit insider actions with log correlation or a SIEM system.
  13. Monitor and control remote access including mobile devices.
  14. Develop a comprehensive employee termination procedure.
  15. Implement secure backup and recovery processes.
  16. Develop a formalized insider threat program.
  17. Establish a normal network behavior baseline.
  18. Be especially vigilant regarding social media.
  19. Close the doors to unauthorized data exfiltration.

From the SEI/CMU Common Sense Guide for Mitigating Insider Threats, 4th Edition.