Deep Dive: The 3 Keys to a Successful Cyber Incident Response Strategy
Ask any CISO and they’ll tell you dealing with the immediate challenges of an active cyber incident is only half the battle (less, actually). An effective response requires a well-executed strategy that covers both before and after an incident to limit both major disruption to operations and financial harm.
As ransomware events have become commonplace (and, unfortunately, more profitable for threat actors), cyber risk has become top of mind for a broader set of organizations than ever before. Thus, we’ve witnessed the rise in popularity of robust, standalone cyber liability policies — what were previously a niche product.
With more organizations eager to invest in their cyber resilience, preparedness, and insurance, there are two key angles of incident response to consider:
1. The things your organization can do independently to prepare
2. The way your organization works with your cyber insurer, before, during, and after a cybersecurity incident
We’ll cover both in this post, but you can dig deeper on what to do after a cyber attack with our two downloadable guides: Incident Response Done Right and How to Work with Your Cyber Insurer on Incident Response.
What Are the 3 Keys to a Successful Cyber Incident Response?
1. Prep Before the Incident
Lucky you: you’ve never had a breach at your organization. You haven’t experienced any frantic alerts from IT, any belligerent ransom demands, and the IT system is generally an afterthought. At this moment, incident response may not be top of mind. But time and time again, we’ve seen that those who prepare accordingly before a worst-case scenario have the quickest and most effective turnarounds after a cyber attack. Below, we’ll highlight some key preparation must-haves to ensure your organization can bounce back fast if that unfortunate day rolls around.
Develop an incident response plan (IRP).
- This written document shows that your organization has a system in place before there’s a breach, enabling a quick response. If you don’t have an IRP in place yet — that’s where to start. The SANS Institute, a provider of security training and certification, published a handbook on a structured 6-step plan for incident response, which includes details on developing an IRP and practicing a “fire drill.”
- Your IRP should clearly list your carrier’s contact information, as they’ll be a first line of contact for providing you with resources to get out on the other side, such as breach coaches and forensic teams.
Develop an asset inventory.
- The Corvus team has seen countless organizations deal with cyber incidents, but one of the most efficient responses we’ve seen started out with an advantage. They had a clear asset inventory established before the incident, saving them precious time in the early hours of the incident. Half the battle is knowing what you have. Outline all of your systems and their associated applications.
- Know your Tier 1 infrastructure, which is the bare minimum of what you need up and running to be able to do anything.
A robust backup strategy.
- Properly maintained and protected backups can be your strongest asset for bouncing back quickly after a ransomware attack. Consider the 3-2-1-1-0 backup strategy, which ensures you have multiple copies of your data stored with different forms of media (your own production data, offsite storage, and immutable backups — to name a few).
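One way to make the 3-2-1-1-0 rule checkable rather than aspirational, as an added Python example that is not Corvus code and not tied to any backup product: each copy of the data is described by where it lives, what media it is on, whether it is immutable or offline, and the result of its last restore test, and the check returns whichever parts of the rule are unmet. The interpretation of the rule (production counts as one of the three copies; "0 errors" applies to the latest restore test of every backup copy) and all of the copy names and configurations below are assumptions constructed for the example.

```python
"""3-2-1-1-0 backup rule check (added example, not Corvus code).

Interpretation assumed here, following the common formulation of the rule:
3 copies of the data (the production copy counts as one), on 2 different
media, 1 of them offsite, 1 of them immutable or offline, and 0 errors on the
most recent restore test of every backup copy.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Copy:
    name: str
    media: str                           # e.g. "disk", "tape", "object-storage"
    offsite: bool                        # held at a different site or region
    immutable: bool                      # WORM/object-lock/air-gapped: cannot be altered or deleted with stolen admin credentials
    production: bool = False             # the live data itself, not a backup
    verify_errors: Optional[int] = None  # errors from the last restore test; None = never tested


def check_3_2_1_1_0(copies):
    """Return the parts of the rule that fail; an empty list means compliant."""
    backups = [c for c in copies if not c.production]
    failures = []
    if len(copies) < 3:
        failures.append("3 copies")
    if len({c.media for c in copies}) < 2:
        failures.append("2 media types")
    if not any(c.offsite for c in backups):
        failures.append("1 offsite copy")
    if not any(c.immutable for c in backups):
        failures.append("1 immutable or offline copy")
    # A backup that has never been restore-tested is treated as failing, not as unknown.
    if not backups or any(c.verify_errors is None or c.verify_errors > 0 for c in backups):
        failures.append("0 verification errors")
    return failures


# Constructed sample configurations (hypothetical names, not a real environment).
COMPLIANT = [
    Copy("prod-san", "disk", offsite=False, immutable=False, production=True),
    Copy("nightly-nas", "disk", offsite=False, immutable=False, verify_errors=0),
    Copy("s3-objectlock", "object-storage", offsite=True, immutable=True, verify_errors=0),
]

# Same layout, but the offsite copy is plain replication with no immutability:
# whoever holds the backup credentials can remove it together with production.
NO_IMMUTABLE = [
    Copy("prod-san", "disk", offsite=False, immutable=False, production=True),
    Copy("nightly-nas", "disk", offsite=False, immutable=False, verify_errors=0),
    Copy("replica-dr", "object-storage", offsite=True, immutable=False, verify_errors=0),
]

# Immutable offsite copy exists but has never been restore-tested.
UNTESTED = [
    Copy("prod-san", "disk", offsite=False, immutable=False, production=True),
    Copy("nightly-nas", "disk", offsite=False, immutable=False, verify_errors=0),
    Copy("s3-objectlock", "object-storage", offsite=True, immutable=True, verify_errors=None),
]


if __name__ == "__main__":
    for label, copies in (("compliant", COMPLIANT), ("no immutable copy", NO_IMMUTABLE), ("untested", UNTESTED)):
        print(f"{label:<18} failures: {check_3_2_1_1_0(copies) or 'none'}")
```

The useful property of a check like this is that it is run on a schedule against the actual backup configuration, so an immutable copy that was quietly reconfigured, or a restore test that stopped running, shows up as a rule failure long before a ransomware event does.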
2. Knowing the Key Steps of Incident Response
Maybe you’ve received an alert from your COO — there’s a suspected breach at your organization, and you need to be wary of incoming emails — or everything has gone offline completely. No matter the circumstances, the panic might be setting in. Before anything else, we’d like to highlight how parallel work streams can help your organization move forward in the incident response process. As opposed to restricting your teams to a linear timeline, waiting on one result before starting the next stage, we suggest running different work streams simultaneously, all spawned from one Incident Response Lead who oversees the entire process.
The sub-teams will focus on forensics, containment, and recovery, all with the common goal of resolving the incident.
Forensics
The first phase of the recovery process typically involves a third party performing a forensic examination of the IT system. They want to paint a picture of exactly what happened within your environment, and the investigation will run more smoothly with coordination from a team of employees providing resources to the forensics experts.
Containment
The goal here is to prevent further access or damage to your systems. With the help of insights from the forensic team, you can go beyond the basic preventative security measures (like changing passwords of admin accounts and disconnecting the environment) to pinpointing specific measures that decrease risk to your organization.
Recovery
After making significant progress with the above efforts, new sub-teams can form to start repairing damage, restoring data, replacing hardware, and generally getting back online. A huge organizational help can be working from one single document that contains the status of all of the systems. This enables everyone, across teams, to update the tracker with the current status of each system.
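The asset inventory and Tier 1 infrastructure described under "Develop an asset inventory" above, combined with the single shared status document described in the recovery step, as an added Python example (not Corvus code, and not any tool the post refers to). The inventory is a constructed CSV with assumed columns (`tier`, `depends_on`, `owner`, `status`), assumed system names, and an assumed three-value status vocabulary; the point it shows is that once dependencies are recorded, the Tier 1 restoration order and the list of what is still outstanding fall out of the same document every team updates.

```python
"""Asset inventory -> Tier 1 recovery order and a shared status tracker.

Added example. The inventory below is constructed sample data with
hypothetical system names, not a real environment.
"""
import csv
import heapq
import io
from collections import defaultdict

# Constructed sample inventory. depends_on lists the systems that must be back
# before this one is usable; status is what the shared tracker holds.
INVENTORY_CSV = """\
system,tier,depends_on,owner,status
ad-dc01,1,,infra,restored
dns-internal,1,ad-dc01,infra,in_progress
file-srv01,1,ad-dc01;dns-internal,infra,down
erp-db,1,ad-dc01,dba,down
erp-app,1,file-srv01;erp-db,apps,down
hr-portal,2,ad-dc01,apps,down
wiki,3,dns-internal,it,down
"""

STATUSES = ("down", "in_progress", "restored")  # assumed tracker vocabulary


def load_inventory(text):
    """Parse the CSV into {system: {tier, depends_on, owner, status}}."""
    inventory = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["status"] not in STATUSES:
            raise ValueError(f"{row['system']}: unknown status {row['status']!r}")
        inventory[row["system"]] = {
            "tier": int(row["tier"]),
            "depends_on": [d for d in row["depends_on"].split(";") if d],
            "owner": row["owner"],
            "status": row["status"],
        }
    return inventory


def recovery_order(inventory, max_tier):
    """Systems with tier <= max_tier, ordered so every dependency precedes its dependents.

    Raises ValueError when a system in scope depends on something not in the
    inventory, on a lower-priority tier (a Tier 1 system that cannot come up
    without a Tier 2 one is an inventory error worth catching before an
    incident), or when the dependencies form a cycle.
    """
    scope = {s for s, a in inventory.items() if a["tier"] <= max_tier}
    indegree = {s: 0 for s in scope}
    dependents = defaultdict(list)
    for s in scope:
        for d in inventory[s]["depends_on"]:
            if d not in inventory:
                raise ValueError(f"{s} depends on unknown system {d}")
            if d not in scope:
                raise ValueError(f"Tier {inventory[s]['tier']} system {s} depends on "
                                 f"Tier {inventory[d]['tier']} system {d}")
            indegree[s] += 1
            dependents[d].append(s)
    ready = [s for s in scope if indegree[s] == 0]
    heapq.heapify(ready)  # ties broken by name so the order is reproducible
    order = []
    while ready:
        s = heapq.heappop(ready)
        order.append(s)
        for t in dependents[s]:
            indegree[t] -= 1
            if indegree[t] == 0:
                heapq.heappush(ready, t)
    if len(order) != len(scope):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(scope - set(order))))
    return order


def update_status(inventory, system, status):
    """The one write path every sub-team uses to update the shared tracker."""
    if system not in inventory:
        raise KeyError(f"{system} is not in the inventory")
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    inventory[system]["status"] = status


def outstanding(inventory, max_tier):
    """Tracker view: in-scope systems not yet restored, in the order to work them."""
    return [(s, inventory[s]["status"]) for s in recovery_order(inventory, max_tier)
            if inventory[s]["status"] != "restored"]


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    print("Tier 1 restoration order:", recovery_order(inv, 1))
    for system, status in outstanding(inv, 1):
        print(f"  {system:<14} {status:<12} owner={inv[system]['owner']}")
```

Because `recovery_order` refuses an inventory whose Tier 1 depends on Tier 2 or contains a cycle, running it as part of the "fire drill" validates the inventory itself, which is the part that saves time in the first hours of a real incident.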
For more on how each of these steps can be done optimally, read our full guide to Incident Response Done Right here.
3. Work WITH Your Insurer
Your cyber insurance provider can be your greatest advocate in responding to a cyber incident. But it’s important to know how to leverage their resources for maximum impact and to avoid common mistakes that can derail the incident response process. Below are some quick best practices (dive in deeper here) for working with your carrier through an incident:
Before an incident
- Socialize the IRP among necessary staff and do training on how to recover from a cyber attack. When creating an IRP, make sure to document the who, when, and how of contacting your carrier — they can help if needed!
When you discover an incident
- Follow the instructions in your IRP on who will contact your carrier, and how. Do so with safety in mind (don’t use email accounts that may be compromised).
As you work with vendors
- Tell your carrier what you know, but resist starting your own internal investigation. Your vendors have your best interests in mind.
- Your carrier’s claims team has the experience and knowledge to recommend vendors; use it to your advantage!
- Be forthcoming with vendors — tell them everything you know so they can better serve your organization.
As you work with counsel
- Be ready to act quickly on the advice of your counsel to ensure you comply with notification laws and avoid additional fines that would increase the cost of the incident.
When you can reflect
- Have an honest post-mortem to understand what your team did well in responding to the incident, and where planning was insufficient. Unlike lightning, attacks unfortunately can (and do) strike the same victim twice, and you can be even better prepared in the future.
- Be ready to show investigators the extent of your preparations and the ways in which your team acted in accordance with those preparations.