PGI's guide to Cyber Incident Response

When a cyber incident does occur, cyber incident response is required.

This is the response following an incident that seeks to minimise and reverse the impact to the organisation, its systems, and its data.

To reduce the impact and costs of a cyber-attack it is essential to be prepared. Organisations may not have complete control over the occurrence of an incident, but they can control how they plan for, respond to, and recover from one.

To prepare for a cyber incident, a plan must be put in place to respond to the attack swiftly and appropriately.  At PGI we adhere to the CREST methodology, following three phases:

1. Prepare
2. Respond
3. Follow up

Within phase one, PGI follows five steps to efficiently prepare for a cyber security incident:

1. Conducting a criticality assessment of your organisation
2. Carrying out a cyber security threat analysis, supported by realistic scenarios and rehearsals
3. Considering the implications of people, process, technology, and information
4. Creating an appropriate control framework
5. Reviewing your state of readiness in cyber security incident response

About the CREST methodology

When responding to a cyber security incident, organisations face a number of challenges. The key challenges are:

• Identifying the threat
• Establishing a response operation
• Analysing the incident
• Determining the type of incident that has occurred
• The information that has been leaked to the attacker
• How it happened
• Any underlying reasons that the circumstances that allowed the attack to take place
• The potential business impacts
• Leading a sufficient investigation

Despite cyber security incidents becoming a norm, CREST found that few organisations are well prepared in terms of people, a plan, and the technology available.

The lack of a well-prepared plan leaves organisations vulnerable. Having to develop these ad-hoc adds to the time taken to mount a response and increases the stress of the situation exponentially. It may also cause conflict with other internal processes.

Attackers use their highly advanced and evolving capabilities to attack and exploit their carefully chosen targets.

There are a wide range of different methods for attackers to choose from and highly sophisticated online marketplaces sell tools and expertise to cyber criminals as they evolve.

Despite the wide range of methodologies, attacks typically follow three phases:

1. Carry out reconnaissance (using Open Source Intelligence)
   • Identify the target
   • Look for vulnerabilities

2. Attack target
   • Exploit vulnerabilities
   • Defeat remaining controls

3. Achieve objective
   • Disruption of systems
   • Extraction (e.g. confidential data, money, or Intellectual Property (IP))
   • Manipulation (e.g. modifying, adding, or deleting important information)

For a fast and efficient response to an incident, it is important to have an Incident Response (IR) team in place to manage the response; they will be responsible for analysing incidents and actioning necessary responsive measures.

For smaller companies with limited resources, this can be outsourced to specialist companies.

Fundamentally, an Incident Response team will consist of the following functions:

• Incident Response Manager: This role is responsible for overseeing and prioritising response actions when detecting, analysing, and containing an incident. The IR manager is also responsible for communicating with the rest of the organisation either directly, or via the point of contact, abstracting technical detail while providing sufficient information.
• Security Analysts: This role is responsible for supporting the incident response manager by working directly with the affected network to research details of the incident, such as the time and location.
• Threat Researchers: This role is responsible for supporting the security analysis by providing threat intelligence and context for the incident. The researchers archive all information from cyber security incidents to build and maintain a database of broader intelligence.

While the Incident Response team has responsibility for managing a cyber security incident, it cannot not be solely responsible for an organisation’s overall response strategy.

The team must be supported by all elements of the business to ensure that emergency actions run efficiently and to ensure the input of key stakeholder knowledge about the organisation’s operations.

Every area of an organisation has their own responsibilities throughout an incident. For example:

• Management are required to deliver resources, staff, funding, and time commitment for planning and implementation of an incident response.
• Human resources are essential if an employee is found to be involved with the incident.
• Audit and risk management specialists carry out vulnerability assessments and develop threat metrics while teaching best practices across the organisation.
• In larger organisations, a legal team or general counsel ensure that the evidence collected maintains its forensic value in case the organisation wishes to take legal action. They also provide advice regarding liability problems when a cyber security incident affects vendors, the general public or customers.
• Public relations communicate with team leaders and to control how the narrative of the incident and any issues surrounding it are communicated to other stakeholders and the press.

Communication within and across teams is vital during the incident, but information should be shared on a need-to-know basis with the incident response manager at the centre of all communication. Information regarding key details must be treated as highly confidential.

It is also important to remember that communication must occur securely so as not to notify the attacker that there is an investigation underway.

Any indication that the attacker has been exposed could lead to a change in strategy to further hide their activity – thus significantly hindering the investigation.

Detecting a cyber security incident isn’t always as straightforward. While some incidents have obvious signs and are easily detected, some are near impossible to detect. Research (such as IBM’s 2020 Cost of a Data Breach Report) has shown that it can take many months for a breach to be identified.

To maximise the likelihood of rapid and successful detection, multiple systems are often in place at the same time.

There are many different methods of detecting a cyber breach, each with varying levels of accuracy and detail. Often alerts are generated by technical monitoring systems, e.g. antivirus software, Data Loss Prevention (DLP), log analysers, or intrusion detection systems (IDS), which may be operated by a Securty Operations Center (SOC).

But this monitoring process can’t only rely on technical means. Staff reporting of suspicious events is also an effective monitoring system. This reporting usually happens internally via the company’s IT help desk or externally, from by customers.

Another way breaches are detected is via investigations, audits or reviews, which are carried out by security specialists. This is known as threat hunting and is where a team is ‘hunting’ or searching for signs of an intrusion. This is equivalent to security guards surveying a property looking for signs of an intrusion.

IBM’s 2020 Cost of a Data Breach Report

There are many incident response processes available, all of which are fundamentally similar – such as the SANS model and the National Institute of Standards and Technology (NIST) model.

PGI’s Security Consultants and Incident Responders use the CREST methodology. A typical incident response following CREST method is comprised of four steps:

Step 1 – Identifying the cyber security incident

Identification of an incident is known as the ‘trigger point’ for the incident response plan to ‘go live’.

Organisations must determine not only whether an incident has occurred, but also the type, extent, and magnitude.

Accurately identifying an incident is often the most challenging part of the IR process.

Step 2 – Defining objectives and investigating the situation

Upon confirmation of a cyber security incident, objectives must be defined regarding the response actions. Typically, investigators seek to find out the nature of the attack, what the scope and extent of the attack is, when it occurred, what the attackers took—if anything—and aim to enumerate attacker objectives.

The first part of the response if often called ‘Triage’. During this stage, the priority is to understand what has taken place in broad terms, and the effects of this upon the organisation. This is about providing a basis of truth to work from in the following stages of the response. This stage isn’t about detailed understanding how and therefore, but about orienting the response so the correct outcome is achieved.

During the investigation, it can be extremely beneficial to use cyber threat intelligence. Cyber threat intelligence is research into the attackers to determine their capabilities, likely actions, and motives. Such intelligence enables the response team to better understand the tactics, techniques and procedures of the attackers which can help to defeat certain attacks. Threat intelligence can also be used before an organisation has been attacked (during the reconnaissance phase) as part of preventative measures.

Many organisations do not have the required tools, systems, or knowledge to conduct an adequate investigation. Members of the response team need to determine whether any specialist resources will be required, such as third-party experts. As such, it may be prudent to plan for an organisation to maintain its own ‘initial triage’ capability, before requesting specialist support from a pre-planned and approved provider.

Step 3 – Taking action

Following the initial investigation, the damage being done by the attacker must be contained as soon as possible.

The IR team primarily aim to remove the attackers’ access to the system, e.g. through isolating systems or blocking malware sources.

Once the cyber security incident has been contained, often it is required to eradicate key components such as disabling breached used accounts.

Identifying and mitigating exploited vulnerabilities is essential to prevent a return of the attacker.

Meeting forensic requirements for a cyber security incident, such as preserving evidence or maintaining a chain of custody, proves significantly difficult for organisations according to CREST.

Evidence needs to be gathered at various points throughout the investigation. There are two main rules that govern all evidence: admissibility of evidence (legitimacy of evidence to be used in court) and weight of the evidence (the quality and comprehensiveness of the evidence).

A third party’s involvement in the process helps to reduce possible “conflict of interest” in the evidential gathering and retention process.

Step 4 – Recovering systems, connectivity, and data.

Restoring systems to their normal operation, confirming normal functionality of systems, and remediating vulnerabilities to prevent similar incidents are the closing steps when responding to a cyber security incident.

It is important to have a recovery plan in place which includes the following:

• Removing temporary constraints from the containment step
• Resetting passwords on compromised accounts
• Rebuilding infected systems
• Replacing compromised files
• Testing systems thoroughly
• Confirming the integrity of controls and business systems

An independent penetration test of affected systems alongside a security controls assessment is an important final step to securing the organisation.

Often advanced attackers will try to re-access the networks through any method they have access to. After their first incident has been contained, they will be aware they are being investigated and that their initial methods have been exposed.

This is why it is so important to ensure all elements of the attack have been completely eliminated so the attackers cannot proceed with additional attacks.

Aftermath

When following up a cyber security incident, CREST methodology follows six key steps:

Step 1 – A post-incident investigation

Once the main priority of responding to a live incident has passed, a more thorough post-incident investigation looking at the circumstances leading up to the incident should be conducted.

This investigation will provide a detailed account of what happened in order to carry out the subsequent five steps when following up an incident.

Step 2 – Reporting the incident to relevant stakeholders

Formal reporting is often required to both internal and external stakeholders. The report should include a full description of the incident including its history and what actions were taken to respond.

Recommendations are given to more effectively prevent, detect, or recover from incidents.

Step 3 – Post-incident review

After a cyber security incident has been resolved and analysed, a review must be conducted regarding the organisations existing security procedures to prevent recurrence.

Reviewing and updating security practices should be an iterative process that is re-examined every time there is a security incident – no matter the severity.

Step 4 – Communicate and build on lessons learned

Organisations may seek to update their processes or increase security measures around sensitive information.

Cyber security awareness training courses, such as phishing awareness training, have been  found to be extremely beneficial when preventing future breaches.

Step 5 – Update key information, controls, and processes

It is essential to update response approaches, controls, and related documents after a cyber security incident.

Research by CREST found the attack vectors leaving organisations most vulnerable were poorly designed web applications, internet downloads, misconfigured systems, personal devices (e.g. smart phones) and authorised third parties (e.g. business partners, customers, or suppliers).

Step 6 – Perform trend analysis

Records should be kept of all cyber security incidents. Relevant data should be reviewed regularly to evaluate patterns and trends, to identify common factors influencing incidents, to determine the effectiveness of controls, and to understand the costs and impacts related to cyber security incidents.

About the CREST methodology

Overall, it is clear that a well-prepared incident response plan is imperative to conduct an effective cyber security incident response.

A good response strategy helps the organisation’s recovery as well as minimising the impact of the incident. Every organisation needs to make the decision as to whether they carry out incident response services themselves or, as many choose to, outsource the services to qualified companies such as PGI.

PGI offers a broad range of cyber security solutions and consultancy services. From a defensive perspective our services include CREST accredited penetration testing, supply chain assurance frameworks and secure configuration reviews.

We also provide a number of preventative measures such as NCSC accredited staff and Executive-level cyber security awareness training, cyber exercises with tabletop walkthroughs and phishing campaigns.

As a final note – while the growing expertise of cyber attackers may seem daunting, it’s helpful to remember that defences are developing simultaneously.  PGI offer up-to-date incident response services to protect your organisation against cyber security attacks!

About Incident Response services

About Executive cyber awareness training

About Incident Response exercises

About phishing vulnerability assessments

About Configuration reviews