Plan for When...
According to Forbes, there was a 72% increase in cyber breaches from 2021 to 2023. Based on the number of big names seen in the news already in 2024, it’s safe to say that cyber breaches are continuing on their upward trend. Even MITRE, the not for profit organization that developed the ATT&CK Framework for modeling cyber adversary behavior and their attack life cycle, confirmed they suffered a data breach.
How did an organization that is on the cutting edge of security get compromised? In MITRE’s case, a threat actor was able to take advantage of the Ivanti Critical Vulnerability with a Zero-Day exploit and bypass MFA accessing the internal network and compromising an administrator account. If it can happen to MITRE, it can happen to anyone. It's become clear, our approach to cyber incidents should be a strategy of not if, but when a breach happens how will we respond.
Plan for When
- Identify your Response Team. Except for in the smallest organizations, there is not normally a single person that has all the access and authority needed to quickly respond to a cyber incident. Before an incident occurs, you need to know who will lead the investigation, who is able to approve emergency changes to your environment, and who can implement remediation actions like disabling accounts or containing systems. This may be different people or departments inside your organization or it may be a third party like a Managed Service Provider (MSP) or Incident Response partner. Some common roles you should expect to fill:
- The Incident Lead is the more senior security person on the team. This person either has the authority to approve emergency changes or they work with executive leadership to make emergency response and containment decisions.
- The Incident Responder(s) are hands on the keyboard investigating the incident and determining root cause. They provide guidance for emergency and containment actions. This may be your IR partner or Managed Security Service Provider (MSSP).
- The Technology Team may be your internal IT Department or could be a Managed Service Provider. They will support the responders during containment and remediation and may be asked to help with the investigation.
- The Non-Technical Support will vary for each incident but you should know who they will be. This could be a legal representative for regulatory reporting, a public affair representative for formalizing notices to external stakeholders. The number and type of non-technical support members you have will vary significantly based on the size and type of organization you are part of.
- Create your Communication Plan. Unfortunately, security incidents rarely happen between 9 and 5 on a work day, so knowing how to reach all members of your Response Team is critical. Can you reach your network administrator after hours if you require firewall changes? If email is involved with the security incident, do you have an alternate method to share updates and information during the response? If you have an MSSP or Incident Response partner they should provide you multiple methods to contact them after hours and escalate for more critical incidents.
- Document your Plan. Your plan should be a usable document that you can follow during an incident. For common incidents like phishing, you may choose to have a play book that has individual steps to follow, but for larger more complex incidents the plan should include high level guidance for root cause analysis and who outside the response team needs to be notified and updated during the response operations.
- Exercise your Plan. At least once a year and any time major changes occur, make sure to exercise your plan. This can be a tabletop exercise or you could take advantage of a Penetration Test or Purple Team with a third party to validate the plan with your team. Check with your MSP and/or MSSP to see if they can participate in the exercise. A table top with all members can help clarify roles and responsibilities and build a partnership before the incident occurs.
No one is able to prevent all zero-day attacks, but everyone can be prepared for when they happen. Take the time now to make sure you have a plan. Ensure that the plan is current and that all the people you will be working with are familiar with their roles. If you don’t have a plan or even if you are just lacking in confidence on your existing plan, Recon can help. We are the Incident Responders for all of our Managed Security Operations customers and can provide guidance to help build your plan. Managing security operations is what we do for our clients everyday and ensuring we know how to respond for each and every customer is a crucial part of our role.