You’ll recover faster if you’ve prepared a cybersecurity incident response plan, writes Nigel Phair. Maybe you even need a CERT.

It’s called incident incident response (IR) management in the cybersecurity world: detecting and responding to computer and information security events, and protecting organisational assets and systems from further interference.

Global computer networks, mobile phone services, and e-commerce have created an astonishing interconnectedness. IT systems and networks were already the backbone of most businesses, providing communications, storage, business functions, and administration. All these new connections are a boon for both business and the end user, but they also bring system vulnerabilities.

As a result, the number of cybersecurity incidents effecting businesses is on the rise.

According to Australia’s 2015 Cyber Security Survey: Major Australian Businesses (PDF), some 50 percent of businesses surveyed experienced at least one cyber incident in the previous 12 months, up from 39 percent the previous year. As the SANS Institute’s Incident Handler’s Handbook (PDF) therefore reminds us, it’s “a matter of when, not if, a compromise or violation of an organisation’s security will happen”.

The constant stream of new cyber threats means that incident response often feels like a brand new encounter every day. An effective IR capability must therefore respond rapidly and effectively to those threats.

This challenge is usually addressed by setting up a CERT, a Computer Emergency Response Team, sometimes called a Computer Emergency Readiness Team.

The US Department of Homeland Security’s US-CERT defines a CERT as “a concrete organisational entity (i.e. one or more staff) that is assigned the responsibility for coordinating and supporting the response to a computer security event or incident.”

Any organisation can use the CERT concept, including governments, commercial businesses, and educational institutions.

At a minimum, a CERT should respond to incidents as they arise — but even that simple-sounding task can include numerous responsibilities as part of the organisational response.

  • Legal and Policy: What are the organisation’s obligations? Have there been breaches of the Privacy Act? Who needs to be informed? What are the policy implications, particularly if the attack is against a government entity?
  • Communications: What is the messaging to the media, staff, customers and stakeholders? Who is the spokesperson, and what are they authorised to say?
  • Technical: What is the in-house capability to respond technically? Do outsourced providers need to be brought in?

If it’s going to perform effectively, the CERT team needs a solid a foundation, so the first phase of IR is creating that foundation. Setting up the CERT should be a process based on communication, planning, and even rehearsal of the IR procedures themselves.

Once the organisation becomes aware of the breach of a critical system, the IR process moves through three further phases, all of which needs to be planned for: analysing the breach once it has been detected; deciding upon and implementing an incident containment and eradication strategy; and finally, feeding the lessons learned from that breach back into the IR plan, and the organisation more generally.

The Four Phases of Incident Response

Developing and drafting an incident response plan is critical to ensuring the organisation can at least start the response.

An effective initial response is important, and will help in the later phases. Without understanding the incident, it may be difficult to limit the damage or prevent any further damage from happening.

The post-incident activities phase — putting practices in place to prevent, or mitigate, that particular kind of incident in the future — will also benefit from having documented the incident.

The Australian 2015 Cyber Security Survey notes that 77 percent of responding businesses have cyber security incident response plans in place, with 82 percent using externally-developed IT security standards or frameworks in preparing that plan.

The incident response plan can be further enhanced by taking some additional steps in its development.

  • Know your data. It helps to know what data is exposed by your systems and where, and it helps to know what data might have been targeted in a particular breach.
  • Have a strategy in place for contacting stakeholders or entities affected by the security incident.
  • Make sure your organisational CERT understands threat management, both before and after an incident occurs.