CREATING AN INCIDENT MANAGEMENT FRAMEWORK
In the past 1 year, there have been 304 million reported ransomware attacks globally. This has been a 62% increase from the previous year (2019). Why? Your guess is as good as mine, most organizations are never fully prepared for such incidents until they get hit. As such it is evident to say that while organizations set up budgets for all other expenses, cyber security is an area that is the least prioritized.
In this article, we will be reviewing what, how, and when an organization should consider creating an incident management framework. One of the cyber security incidents that had much media attention, revolved around an energy company that was hit by ransomware twice. The first event was the exploitation of a vulnerability by attackers where snake ransomware was deployed in the network. The response from the organization Event Detection and Response was to block the execution of the ransomware. The IT personnel immediately remediated the exploit and submitted the malicious artifacts for further analysis. However, in 2 months there was another ransomware incident and this time the attacker crafted a proper phishing attack.
The user clicked on the malicious artifact executing the ransomware leading to encryption of all files on the computer. The ransomware variant executed was a mailto ransomware that depends on the user’s actions, and it’s easily deployed via phishing attacks. From this incident, it is clear that the incident response team was incapable of managing that incident. An incident management framework is a guiding principle built from governance and technical perspective. An incident management framework comprises the processes, technology, and the team.
An organization creating an incident management framework should consider a guidance standard for guiding in this implementation such as ISO 27035, NIST Cyber Security Framework, and SANS Incident Handlers Handbook. The above professional bodies guide on a standard manner of setting up an incident management framework which is based on preparation, detection, response, and remediation. In all these four phases, the organization utilizes technology, people, and defined processes to maintain this framework.
During the preparation phase, the organization assesses the current controls and processes put in place. In this phase a risk assessment is done, policies and procedures are reviewed and created in situations where they didn’t exist. An organization then hires independent personnel to test the adequacy of these controls which have been created and improved. From the assessment, the gaps identified are remediated through the creation of a road map which must have managerial approvals. This phase is closed by the organization identifying set skills required by the team, technology required, and setting up of a security operations center.
In detection, the organization has already set up the tools used to gather intelligence and provide visibility to the threats. The team selected is competent to be able to distinguish between cyber security events and cyber security incidents. A clear reporting structure has been formulated to ensure the organization is receiving actionable intelligence about its current security posture. During this phase, the organization’s highest priority is to ensure the technology and processes put in place serve the desired purpose. There are cases where organizations deploy security solutions that do not work for them as their processes have not been streamlined to achieve a consistent collection of data, detection, response, and investigation.
Once an organization has got the first two phases right, response and remediation’s phases will be fluid as the team will have had proper processes and dashboards which enhance proper monitoring. An organization’s top priority at this time is to ensure in the event of the occurrence of an incident there will be as minimal damage as possible. Hence proper business continuity plans should be put in place and tested.
In conclusion, every organization has a chance to leverage lots of public threat intelligence feeds which could aid an organization to protect its assets prior. Rigorous testing exercises by executing red teaming will ensure that the Security Operation Center Team or the CSIRT is adequately prepared for any kind of incident.