
How Can We Prevent, Detect, and Recover from Cyberattacks? - Part II
Welcome to the second blog in our series on Prevention, Detection, and Recovery from Cyberattacks.
A global survey conducted by the Ponemon Institute and sponsored by IBM Security gathered insights from 3,400 IT and cybersecurity professionals about how their organizations prepare for security threats. The fifth annual Cyber Resilient Organization Report highlighted a troubling trend: 74% of the organizations surveyed admitted that their security response plans are ad-hoc, applied inconsistently, or nonexistent. Additionally, more than half (52%) of those that do have a response plan reported that they had never reviewed or tested it, or had no set schedule for doing so.
Given the rapid changes in business operations, especially the growing shift to remote work, and the continuous evolution of attacker tradecraft, this data suggests that many organizations are relying on outdated response plans that no longer reflect the current threat landscape or the realities of today's business environment. A plan that has never been exercised is, in practice, an untested assumption about how the organization will behave under pressure.

In this post, we’ve outlined a checklist to help your organization quickly assess its incident response plans. We also encourage you to share your experiences: How does your organization perform periodic reviews of incident response plans? What do you think is the best approach?
1. Ensure Your Plans Are Comprehensive
A robust incident response plan should cover the following six stages:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
To determine whether your plan covers all six stages, auditors can ask the following questions (the first item corresponds to the Preparation stage):
- Preparation (team): Is your team adequately trained to handle the full range of threats you face? Do they regularly participate in simulation exercises, such as tabletop exercises or war games, and are the results fed back into the plan?
- Identification: Do you have a process to detect and identify the type and criticality of an incident, assess its impact, and understand associated risks?
- Containment: Is there a procedure to contain the threat, limit its damage, mitigate risk, and restore business operations?
- Eradication: Do you have a dedicated problem resolution team or third-party support to identify and eliminate the root cause of the attack?
- Recovery and Lessons Learned: Do you have a post-attack process in place to analyze the response, modify the plan, and prevent future incidents?
- Communication: Have you established clear communication channels within the team and with stakeholders during an attack? Effective communication is vital during an active threat.
2. Align with Industry Standards
Regular auditing and reviews allow an organization to ensure compliance with established incident management standards and assess the effectiveness of its response protocols. Below are some key standards that may guide your incident management strategy:
Standard | References/Controls
---|---
NIST Cybersecurity Framework (v1.1) | PR.IP-9, PR.IP-10, DE.AE-4, DE.AE-5, DE.DP-4, RS.RP-1, RS.CO-1, RS.CO-2, RS.CO-3, RS.CO-4, RS.CO-5, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.MI-1, RS.MI-2, RS.MI-3, RS.IM-1, RS.IM-2, RC.RP-1, RC.IM-1, RC.IM-2, RC.CO-1, RC.CO-2, RC.CO-3
FIPS Publications | All current FIPS Publications, especially FIPS 140-2
NIST SP 800-53 (rev. 4) | IR-1, IR-2, IR-3, IR-4, IR-5, IR-6, IR-7, IR-8
NIST SP 800 Series | NIST SP 800-61 (Computer Security Incident Handling Guide), NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response)
HIPAA / HITECH | HIPAA 164.308(a)(6)
NERC CIP (v5) | CIP-008-5
ISO/IEC 27001:2013 | A.16.1.1, A.16.1.2, A.16.1.3, A.16.1.4, A.16.1.5, A.16.1.6
COBIT 5 | DSS02
CIS Critical Controls (v6.1) | CIS Control 19
PCI DSS | 12.10.2, 12.10.3, 12.10.4, 12.10.5, 12.10.6
Note that several of the versions listed above (NIST SP 800-53 rev. 4, CIS Controls v6.1) have since been superseded; when mapping your plan, check that you are citing the revision your auditors actually assess against.