The RSA Conference is the largest cybersecurity conference in the United States. Approximately 45,000 people attend RSA each year. CU*Answers attends each year to learn the latest trends in cybersecurity technology, attack vectors, and compliance. In this series, we summarize what we learned to help our network remain current on cybersecurity events and report confidently to their boards, members, and examiners. This article discusses how and why a well-tuned and tested incident response plan is a critical component of your information security program.
Your security and technical teams work to prevent breaches every day, but even the best defended networks may have weaknesses that could allow an attacker to gain a foothold on the network. According to the Identity Theft Resource Center, through September 2018, the financial services industry alone had suffered 106 data breaches exposing over 1.7M records. On average, that represents one breach every day and a half and 16,000 records exposed per breach event.
The odds are that you may someday experience a breach and your ability to detect and respond to it will make all the difference in limiting its impact. Doing so successfully requires a mix of technical controls and a well-drilled team with a plan.
Incident (or breach) response plans should be documented and tested by your team. At minimum, teams should conduct annual tabletop exercises that put the plan to the test. Ideally, teams should seek opportunities to activate and test the plan using real-world situations, even if there is not an actual breach of your network. This can be done by choosing an industry event (e.g. a reported vendor vulnerability) and using it to run through your response plan. Responses should be documented, and any identified gaps addressed.
Here are some basic ingredients of a well-tuned breach response team and plan:
1. Identify the breach response team in the plan
These should be individuals whose responsibilities include detecting and containing incidents and communicating about them to staff, management, the board, vendors, law enforcement, and regulating authorities. Assigning communications and documentation responsibilities to non-technical individuals is preferred, as that allows technical resources to focus on containment and remediation activities without the distraction of formulating messages to the marketplace. A third party documenting the event also provides separation from the event and helps limit confusion due to the “fog of war” that will occur while technical teams are actively battling a bad actor.
2. Develop pre-canned communications templates and include them in the breach response plan
This allows thoughtful, well-worded messages to be drafted in the calm of normal business and not during the confusion and chaos of an actual breach. Include authorization and publishing instructions for your staff in the plan in the event senior leadership is not available to approve their use.
3. Determine what outside experts, such as forensics or cyber remediation teams, you will engage in advance of a breach
Negotiate contracts or understand their availability and costs to you when needed. Some security vendors will offer remediation assistance for low or no cost if you use their products. Understand and document those conditions and services in your plan.
4. Understand your breach insurance plan and payout conditions
Document when in the process to engage your carrier and understand the services they offer and those you are solely responsible for, such as forensic or remediation activities. Understand what actions may invalidate your coverage and document those in your plan.
5. Select an outside counsel prior to a breach event
The counsel should be an experienced coach who can assist in navigating a breach event and will be especially useful for forensic approaches and for maintaining chain of custody over collected evidence.
6. Implement regular testing of your breach/incident response plan
This can be accomplished by selecting an industry event (such as a published Microsoft or other vendor vulnerability). The team can then activate the response plan, inventory the technology in use, determine the scope and impact of the vulnerability either through manual investigation or use of automated tools such as vulnerability scanning, research mitigation tactics, implement the tactic as necessary, and document and report on the exercise to credit union management. Executing two or three events per year is not difficult and allows the team to identify weaknesses in the plan and make adjustments as necessary.
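The "inventory the technology in use, then determine the scope of the vulnerability" steps of such an exercise can be rehearsed with a small scoping script. The following is an added example and is not code from the article or from CU*Answers; the advisory (a hypothetical product "ExampleServer" with two affected version ranges), the hostnames and the inventory are all constructed for the drill. It compares each inventoried asset against the affected ranges numerically (so that 2.10 sorts after 2.9) and produces the report the team would hand to management: what is in scope, what is still open, and which open items are internet-facing.

```python
"""Vulnerability-scoping drill: match an asset inventory against a published advisory.

All product names, versions and hostnames below are constructed for the exercise;
the advisory is hypothetical and not a real vendor bulletin.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.4.7' into (2, 4, 7) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: str             # first affected version (inclusive)
    high_exclusive: str  # first fixed version (exclusive)

    def contains(self, product: str, version: str) -> bool:
        if product != self.product:
            return False
        v = parse_version(version)
        return parse_version(self.low) <= v < parse_version(self.high_exclusive)


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    mitigated: bool = False  # set once the team has applied the vendor mitigation


# Hypothetical advisory: ExampleServer below 2.4.7, and 3.0.0 up to (not including) 3.1.3.
HYPOTHETICAL_ADVISORY = [
    AffectedRange("ExampleServer", "0.0.0", "2.4.7"),
    AffectedRange("ExampleServer", "3.0.0", "3.1.3"),
]

# Constructed inventory for the drill.
SAMPLE_INVENTORY = [
    Asset("web-01", "ExampleServer", "2.4.3", internet_facing=True),
    Asset("web-02", "ExampleServer", "2.4.7", internet_facing=True),   # already at fixed version
    Asset("app-01", "ExampleServer", "3.1.0", internet_facing=False, mitigated=True),
    Asset("app-02", "ExampleServer", "3.1.3", internet_facing=False),  # fixed version
    Asset("db-01", "OtherDB", "11.2", internet_facing=False),          # different product
]


def scope_advisory(inventory, advisory):
    """Return the assets whose product and version fall inside any affected range."""
    return [a for a in inventory if any(r.contains(a.product, a.version) for r in advisory)]


def exercise_report(inventory, advisory) -> dict:
    """Summarise scope for the write-up: in-scope, still open, and exposed-and-open hosts."""
    affected = scope_advisory(inventory, advisory)
    open_items = [a for a in affected if not a.mitigated]
    return {
        "assets_inventoried": len(inventory),
        "in_scope": sorted(a.host for a in affected),
        "open": sorted(a.host for a in open_items),
        "open_internet_facing": sorted(a.host for a in open_items if a.internet_facing),
        "mitigated": sorted(a.host for a in affected if a.mitigated),
    }


if __name__ == "__main__":
    for key, value in exercise_report(SAMPLE_INVENTORY, HYPOTHETICAL_ADVISORY).items():
        print(f"{key}: {value}")
```

In a real exercise the inventory would come from the asset database or a vulnerability scanner export rather than a hand-written list, but the scoping logic and the report fields stay the same, and the report itself becomes part of the documentation of the drill.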
7. Use breach detection controls and event logging
You can’t detect a breach if you don’t understand baseline activity in your network. Intrusion detection and log analysis tools can help enumerate unusual or unexpected behavior in a network that can then be contained by your technical teams.
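To make the "understand baseline activity" point concrete, here is an added example (not code from the article or from CU*Answers) of the simplest form of baseline-driven log analysis. The log format, usernames, addresses and timestamps are all constructed. A quiet week of successful logons builds a per-user profile of source addresses and logon hours; a later batch of events is then compared against that profile, and anything that deviates (a new source address, an off-hours logon, an unknown account, or a burst of failures from one source) is surfaced for the technical team to triage.

```python
"""Baseline-then-compare logon analysis over constructed log lines.

Log format, accounts, addresses and times are made up for illustration;
real tooling would read syslog, Windows event logs or a SIEM export instead.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|failure)$"
)


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": m["src"],
        "result": m["result"],
    }


def build_baseline(lines):
    """Per-user set of source addresses and logon hours seen during normal operation."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "success":
            baseline[ev["user"]]["srcs"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return dict(baseline)


def find_anomalies(lines, baseline, failure_threshold=3):
    """Return (user, src, reason) tuples for events that deviate from the baseline."""
    findings = []
    failures = defaultdict(int)  # (user, src) -> consecutive failure count
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user, src = ev["user"], ev["src"]
        if ev["result"] == "failure":
            failures[(user, src)] += 1
            if failures[(user, src)] == failure_threshold:  # report the burst once
                findings.append((user, src, "failure-burst"))
            continue
        profile = baseline.get(user)
        if profile is None:
            findings.append((user, src, "unknown-user"))
            continue
        if src not in profile["srcs"]:
            findings.append((user, src, "new-source"))
        if ev["ts"].hour not in profile["hours"]:
            findings.append((user, src, "off-hours"))
    return findings


# Constructed "normal week" used to build the baseline.
BASELINE_LOGS = [
    "2018-09-10T08:05:00 user=alice src=10.0.1.15 result=success",
    "2018-09-11T09:12:04 user=alice src=10.0.1.15 result=success",
    "2018-09-12T14:40:31 user=alice src=10.0.1.15 result=success",
    "2018-09-10T09:01:10 user=bob src=10.0.1.22 result=success",
    "2018-09-11T10:22:45 user=bob src=10.0.1.22 result=success",
]

# Constructed later batch containing one normal event and four deviations.
NEW_LOGS = [
    "2018-09-17T09:03:12 user=alice src=10.0.1.15 result=success",    # matches baseline
    "2018-09-17T09:30:00 user=alice src=203.0.113.9 result=success",  # new source address
    "2018-09-18T02:15:44 user=bob src=10.0.1.22 result=success",      # off-hours logon
    "2018-09-18T03:00:01 user=bob src=198.51.100.7 result=failure",
    "2018-09-18T03:00:02 user=bob src=198.51.100.7 result=failure",
    "2018-09-18T03:00:03 user=bob src=198.51.100.7 result=failure",   # third failure -> burst
    "2018-09-18T11:00:00 user=svc_backup src=10.0.9.9 result=success",  # account not in baseline
]


if __name__ == "__main__":
    for finding in find_anomalies(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(finding)
```

The value of this approach is entirely in the baseline: the same off-hours logon is noise for a night-shift operator and a signal for a day-shift teller, and a profile built from a single quiet week will be noisy until it has seen enough normal variation. Production intrusion detection and log analysis tools apply the same idea with richer features and longer learning windows.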
8. Implement regular penetration testing of your network
Use an experienced third party to test your controls and incident plan annually, and use the exercise as a learning experience to further educate your technical staff on available controls and tactics. Your team should always be smarter about cybersecurity after the penetration testers leave your site than before they arrived.