One of the interesting characteristics of human beings is being wary of what is happening around and also at the same time, being skeptical about certain situations. This character of us is also extended to Cyber Security, where we often make decisions based on the risk which accompanies the situation. It is happened to be that we foresee the scenario about what will happen if a cyber attack occurs. The decisions about security countermeasures are often taken based on a specific threat scenario.
The common answer we receive from many of our customers is that “We have no formally defined process which is already tested about how to recover from a cyber attack or in other words, we do not have a tested Incident Response Plan”. Most of the established organizations have a very good Incident Response plan but how effective is the plan when it is put into action? According to EY Global Information Security Survey 2016-2017, the Oil and Gas sector invests more money in Business continuity (47%) than they invest in other solutions. An Incident Response plan defines how to react in case a cyber attack occurs, and it is one of the key components of a Business Continuity plan. With all this said, how to recover from a cyber attack?
Follow the actions of the Incident Response Plan
Most of the cyber attacks are not immediately identified. It takes about 206 days on an average for a company to detect a cyber attack or realize that a cyber attack has happened. Why does it take so long? There are various reasons for this such as insufficient monitoring and a lack of proper security policy in place. There are few actions out of the Incident Response Playbook that have to be performed such as to find out the time and date of the attack, type of attack, impact of the cyber attack, collecting logs from the affected system (if possible), etc. These steps will make it easier to respond to the problem. After identifying the attack, it’s about containing it and prevent it from spreading to other systems or networks. If failed to contain the breach, it can lead to a worst-case scenario where the impact is all on a large scale (loss of human life, environmental disaster, etc.). As a part of the containment process, the following steps have to be performed:
- separating sensitive data from the affected data
- performing login and authorization reset
- patching the system with recent security updates and
- perform a data recovery process
Informing the Stakeholders and Customers about the breach
Different countries have different laws about informing the cyber attack to the corresponding government institutions. Some countries have strict rules that organizations must inform the federal organization about the breach. This will help them to get more information about the breach and also levitate support from the government. Informing the stakeholders or customers is equally significant. The stakeholders and customers must be informed about the impact, the response activities are taken to solve the situation, and any compensation if they are obliged to provide. They should also be informed about the strategies to prevent future attacks and the containment of such attacks. This shows the organization’s commitment to solving the breach.
Measuring the Consequences after the breach
The Organization’s risk matrix explains the impact of a cyber attack in terms of safety, finance, environment, and reputation. After the breach happened, the impact matrix has to be assessed and if needed, changes are to be made. This will facilitate a more accurate measure of the impact of a cyber attack. The initial identification procedures, containment measures, and informing the stakeholders are the first steps in responding to the consequences of the breach. It is important that an organization learns from the breach. This means also to check the effectiveness of the security countermeasures in place. The breach happened in the first place due to improper and ineffective security countermeasures. So as to assess the consequence of the breach, it is also important to revamp the security.
Improving the security countermeasures
Assessing the breach will give out useful information such as the source of the attack, impacted assets/systems, and other technical details such as log data, type of attack, etc. This information will not only help to check the effectiveness of the already existing countermeasures in place but also improve them. The Cyber Kill Chain can help to decide on the countermeasures. Deciding on SIEM or other monitoring solutions has to be in the list of countermeasures if not already installed. The countermeasures have to be periodically tested against its full operation in order to avoid another breach in the future.
To improve and check the readiness of the Incident Response plan, Yokogawa strongly recommends the organizations to conduct cyber war games. Through these cyber war games, the readiness and the accuracy of the Incident Response Plan can be tested. It also provides the organizations a real experience about cyber attacks and how to react if one happens. A periodic review and validation of the Incident Response Plan are pivotal in Business continuity of an organization. Is your Incident Response Plan already fireproof? Did it pass the test?
