Preparing for cyber incidents involves more than merely being ready to react to (and neutralize) a one-off cyber attack. It involves the ability to respond effectively, plan proactively, and defend your critical systems and data assets. To get ahead of evolving threats, and to recover thoroughly when attacks do occur, you need to be familiar with the Cyber Incident Management Life Cycle.
Cyber incidents can run the gamut, from a simple email phishing attack to sophisticated malware or ransomware. Organizations are now investing more than ever in cyber-incident and attack preparedness, with 74% of companies saying best practices for incident prevention are their number one cybersecurity priority, followed by compliance mandates at a close second. A major part of this investment in readiness is the Incident Management Lifecycle, which lays out a framework for event management and for how companies should respond in the event of an attack, hack, or breach.
But what exactly is the incident response lifecycle? What are the various stages in the life cycle of incident management, and what specific elements, steps, and processes do they entail? Read on to learn about the incident management lifecycle process, and how it can be used to protect your business.
What is the NIST Incident Lifecycle?
All four phases of the incident response lifecycle stem from standards and best practices set forth by the National Institute of Standards and Technology. By law, organizations must create and operate a formal incident response capability in alignment with NIST’s incident management and response lifecycle framework for incident handling. That’s primarily because, in the event of an actual cyber breach or incident, organizations will need to report to (and coordinate with) the appropriate government agencies, who will expect that the issue is being handled in accordance with NIST’s incident response lifecycle.
Per NIST, organizations should document their guidelines for interactions with government agencies and any other organizations throughout the entire process of the incident management lifecycle. This could include response teams, law enforcement, media, vendors, and any potential victims affected by a hack. Because these communications need to occur quickly at various stages of the lifecycle, organizations need to have predetermined communications guidelines so that the appropriate information is shared with the correct entities.
In general, having written guidelines for how incidents will be responded to, and prioritized throughout the organization, is a point of emphasis in the NIST cybersecurity framework. Prioritizing the handling of individual incidents is a critical decision point in the incident response process. Effective information sharing and communication throughout the lifecycle can help organizations identify situations that are of greater severity and demand immediate attention, and coordinate teams, parties, and departments throughout all four stages of the incident management lifecycle.
Finally, one of the key functions of the NIST incident management lifecycle is for organizations to capture lessons learned throughout the process for future use. After any major incident has been handled, organizations should hold a debrief and review to make necessary process improvements, and proactively identify systemic weaknesses to be remedied. While we’ll discuss this stage in greater detail later on, before diving into the four stages it’s important to remember that the NIST incident management lifecycle isn’t just about taking steps to limit the damage of an attack, but about analyzing what exactly happened in order to prevent similar attacks in the future.
Phase 1: Preparation
The nature of your business, data types, and critical systems will determine how you approach the first phase of the incident management lifecycle, which is Preparedness. Defenses against potential hackers and attacks should be formulated based on the potential impact on your company, the likelihood of such an occurrence, and exactly how critical the affected systems or data might be. This is typically determined by a formal risk assessment (with your cybersecurity partner), designed to identify potential system vulnerabilities so that your organization can implement proper protective (and preventative) countermeasures.
In short, the preparedness phase is designed to determine (and quantify) the potential risk to your systems and data. You’ll work with your cybersecurity partner to pinpoint your risk appetite, and then begin developing an effective Incident Response Plan (IRP) in accordance with the NIST lifecycle guidelines. Your IRP will cover not only preparedness but also the other three phases of the incident management lifecycle. You’ll want to periodically review your IRP, and keep it up to date as potential threats and risks to your systems and data evolve. The preparedness phase is vital because it ensures that, if and when an attack does occur, the harm caused to your finances, operations, and reputation is limited as much as possible.
The basic components of your phase one preparation plan should include:
- Design and development of an IRP covering organization, processes, and procedures.
- Design and implementation of a resilient IT infrastructure to sustain business operations in the event of an incident.
- Proactive response and incident management team exercises to test incident response processes, procedures, and personnel.
Phase 2: Detection and Analysis
Hopefully, your organization never moves beyond phase one of the incident management lifecycle, meaning that hackers aren’t able to break into your systems in the first place. However, if they do manage to breach your defenses, you’ll need to be ready for what’s going to take place in phase two of the lifecycle, which is threat Detection and Analysis. At a high level, the detection part of phase two includes setting up alerts and notifications for any suspicious activity that might take place within your systems. But it also includes periodic monitoring and follow-up of suspicious activity, even if it’s deemed harmless upon initial analysis.
Surprisingly, far too many organizations fall flat when it comes to phase two of the incident management lifecycle. That’s because, all too often, management concludes that the expense and effort of proactive threat monitoring, detection, and analysis far outweigh the risk. Maybe the company has never had a breach, and there are seemingly more pressing projects or initiatives that demand those financial resources. While this type of thinking makes some logical sense, it’s akin to driving a car without insurance. Experience shows that there are far too many instances in which an enterprise becomes aware of a data breach or attack, only to find out later that it has actually been an ongoing attack for several weeks, months, or even longer.
In last year’s Target cyber attack, for example, it was found that hackers had gained access to critical customer information months before the actual breach was identified. Therefore, the importance of proactive threat detection and incident analysis can’t be overemphasized. Effective implementation of phase two will help identify the source, extent, impact, and details of any breach before it metastasizes too far. And without proper analysis, managing the next two phases of the lifecycle will prove far more difficult.
Work with your cybersecurity partner to create a phase two plan that includes:
- Leveraging of cyber threat intelligence (CTI) capabilities and other methods to formulate a comprehensive monitoring program to support ongoing monitoring and detection.
- A cyber compromise assessment to detect unknown compromises and validate the ongoing health of your network environment.
- Gathering information on (and prioritizing) individual incidents, with concrete steps for incident response.
- Methods of forensic preservation and analysis of threat detection data to determine the extent and impact of any potential malicious actors within your systems.
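The "alerts and notifications for suspicious activity" that phase two calls for are easiest to understand as concrete detection logic run over log data. The following is an added example, not code from the original article or from any vendor it mentions: a small Python detector that parses constructed SSH authentication log lines (the sample lines, the source addresses from the RFC 5737 documentation ranges, and the thresholds of five failures in sixty seconds are all assumptions made for illustration) and raises alerts at three severities. It also records lone failures as low-severity items, matching the article's point that activity deemed harmless on first look should still be kept for periodic follow-up.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in an sshd-like format; not taken from any real system.
SAMPLE_LOG = """\
2024-03-04T09:00:01Z sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 50211
2024-03-04T09:00:03Z sshd[411]: Failed password for invalid user admin from 198.51.100.7 port 50212
2024-03-04T09:00:04Z sshd[411]: Failed password for root from 198.51.100.7 port 50213
2024-03-04T09:00:06Z sshd[411]: Failed password for root from 198.51.100.7 port 50214
2024-03-04T09:00:07Z sshd[411]: Failed password for root from 198.51.100.7 port 50215
2024-03-04T09:00:09Z sshd[411]: Accepted password for root from 198.51.100.7 port 50216
2024-03-04T09:15:00Z sshd[520]: Failed password for alice from 192.0.2.10 port 40001
2024-03-04T09:40:00Z sshd[533]: Accepted publickey for alice from 192.0.2.10 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+$"
)


def parse_events(text):
    """Turn raw lines into (timestamp, outcome, user, source) tuples; lines that
    do not match the expected format are skipped rather than crashing the detector."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect(events, fail_threshold=5, window_seconds=60):
    """Apply three rules per source address and return alerts in time order:
    low      - a first failed login from a source (kept for later follow-up)
    high     - fail_threshold or more failures inside the sliding window
    critical - a successful login from a source with recent failures (possible compromise)
    Thresholds are illustrative assumptions, not values from the article."""
    alerts = []
    failures = defaultdict(list)   # source -> timestamps of recent failures
    burst_reported = set()         # report each brute-force burst once

    for ts, outcome, user, src in sorted(events):
        # Drop failures that have aged out of the sliding window.
        failures[src] = [t for t in failures[src] if (ts - t).total_seconds() <= window_seconds]
        if outcome == "Failed":
            failures[src].append(ts)
            recent = len(failures[src])
            if recent >= fail_threshold and src not in burst_reported:
                burst_reported.add(src)
                alerts.append({"severity": "high", "src": src, "time": ts,
                               "reason": f"{recent} failed logins within {window_seconds}s"})
            elif recent == 1:
                alerts.append({"severity": "low", "src": src, "time": ts,
                               "reason": f"failed login for {user}; record for follow-up"})
        else:  # Accepted
            recent = len(failures[src])
            if recent >= 3:
                alerts.append({"severity": "critical", "src": src, "time": ts,
                               "reason": f"successful login for {user} after {recent} recent failures"})
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['time'].isoformat()} [{a['severity'].upper()}] {a['src']}: {a['reason']}")
```

On the sample data the detector produces a low-severity record for the first failure from 198.51.100.7, a high-severity brute-force alert once the fifth failure lands, a critical alert when the same source then logs in successfully as root, and a low-severity record for the single failure from 192.0.2.10 (whose later key-based login is not flagged because the failure is well outside the window). The low-severity records are the items the article says should still be revisited during periodic monitoring.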
Phase 3: Containment, Eradication, and Recovery
For organizations that haven’t effectively implemented steps for all four phases of the incident management lifecycle, phase three is all too often the first phase that’s actually acted upon. For whatever reason, companies don’t adequately prepare or monitor for threats and are then left reacting to a specific incident in an effort to contain the problem, eliminate the issue, and attempt to restore the system to its state prior to the incident. Needless to say, this can be time-consuming, disruptive, and costly. Phase three activities, while necessary, will be much more effective if phases one and two are carried out in close accordance with the NIST framework.
For example, your organization will need to take the time and resources necessary to identify the type of incident (malware, ransomware, phishing attack, etc.), in order to take the right steps to contain and eradicate the threat, as well as recover critical systems and data. And as your incident response team works towards these ends, many of your users may not be able to conduct business as usual. The result is not only lost man hours, but potentially revenue losses and damage to your reputation.
That being said, the focus of phase three should be containment and eradication of any and all threats. This will require a certain amount of downtime, which you should plan for along with your cybersecurity partner. After the threat has been eliminated, during remediation all affected systems need to be restored to where they were before the incident took place. Proper phase one and two planning will substantially reduce the time, financial cost, and organizational effort required for all phase three activities.
But in a nutshell, your phase three planning should cover the following:
- Taking risk-mitigating actions to prevent further impact and damage to your organization.
- Removing any known existing threats from the network completely.
- Planning for near-term incident remediation, the remediation strategy, and a roadmap for recovery.
- Resuming normal business operations, as well as developing long-term risk mitigation based on documentation of lessons learned.
Phase 4: Post Incident Activity
Once a cyber incident has been contained and remediated, and operations normalized, your phase four post-incident activity should focus on what lessons you’ve learned. Be sure to ask some of the following questions:
- How did the incident occur in the first place?
- How can similar incidents be prevented from reoccurring in the future?
- What existing preventive measures can be strengthened, and what additional ones can be put into place?
- How can monitoring and alerting processes be improved to ensure more timely and accurate notifications?
- How can containment, remediation, and recovery processes be better streamlined to minimize overall downtime and disruptive activities?
- How can management ensure that the incident (and others like it) has not negatively impacted the overall business?
You’ll also want to review incident logs to answer some (or all) of the questions above, especially to map out any soft spots in your security configurations. Subsequently, work with your cybersecurity partner to tweak any policies or procedures needed to eliminate any of the weaknesses you’ve spotted. Finally, begin testing any new processes, rules, or systems configurations to validate their effectiveness (while bearing the potential of false positives in mind). A well-equipped cybersecurity partner can offer services like breach assessments, forensic analysis, and penetration testing to help optimize your approach and implementation of phase four of the incident management lifecycle. Any claims management, legal, or regulatory compliance issues should also be taken into account in phase four.
By now you should be able to recognize the basic four phases of the incident management lifecycle and realize that adhering to those phases as set forth by NIST is truly a team, organization-wide effort. Moreover, all four phases need to be implemented in concert for optimal protection, elimination, and remediation of any cyber attack that could potentially affect your critical systems or data.
You’ll want to work with your cybersecurity partner to understand the hows and whys of the NIST framework, and how they apply specifically to your business. And while you might think that a cyber attack is something that simply won’t (or can’t) happen to your organization, investing in early-stage phase one preparedness is simply not optional.
Once you’ve formulated an IRP in phase one of the incident management process, it’s also critical to invest the proper amount of resources and tools into phase two early detection and analysis. Many malicious actors can exist within a system for long periods of time, stealing data or doing damage to your systems, if adequate threat detection and incident management tools aren’t implemented with your cybersecurity partner. And once an attack or cyber crime does occur, having a plan for phase three response, containment, and elimination is essential to making sure the damage is limited and that workflow can continue. Once all systems have been restored, conduct a thorough post-mortem to bolster your defenses and lessen the odds of a similar attack occurring in the future.