INCIDENT RESPONSE PLAN EFFECTIVENESS

by

Naeif Ibrahim

A Capstone Project Submitted to the Faculty of

Utica College

May 2021

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in Cybersecurity

© Copyright 2021 by Naeif Ibrahim

All Rights Reserved
Abstract

This research examines the implementation of an effective incident response plan throughout an organization to better address internal and external threats. The project answered the following questions: What issues do organizations encounter due to inadequate or unimplemented incident response plans? How does implementing an incident response plan help organizations prevent or mitigate internal and external network threats? How should an incident response team be structured? As technology advances, new cyber threats emerge and become more complex. Fixing an incident as soon as possible is important in reducing the damage it can cause. The problem is that organizations are unprepared to handle incidents properly because their incident response capability is inadequate or has not been implemented. To protect the organization from incidents, the project discusses structuring an incident response team according to the size and resources of the organization. With a cybersecurity policy in place, personnel will understand their roles and the procedures in place to act immediately when an incident occurs. Organizations will be better prepared for incidents through the preparation, identification, containment, investigation, eradication, recovery, and post-incident activity phases. A comprehensive plan prepares an organization's personnel to deal properly with network threats. Staff will know how to isolate an incident and determine its severity. Then, the staff will contain and eradicate the underlying causes of the network threat in order to recover systems and networks. A well-organized incident response plan is important in protecting sensitive data, assets, customer information, and business reputation, and in mitigating the damage caused by incidents.

Keywords: Cybersecurity, Professor Paul Pantani, computer security, incident management, remediation, detection, information security.
Table of Contents
Statement of the Problem ................................................................................................................ 1
Growing Concerns with Legislation and Policy ......................................................................... 5
Literature Review............................................................................................................................ 8
Incident Response Team Structure ........................................................................................... 10
Incident Team Experience and Roles ................................................................................... 13
Preparation ................................................................................................................................ 14
Identification ............................................................................................................................. 16
Containment .............................................................................................................................. 17
Investigation .............................................................................................................................. 20
Eradication ................................................................................................................................ 20
Recovery ................................................................................................................................... 21
Post-Incident Activity ............................................................................................................... 21
Discussion of the Findings ............................................................................................................ 23
Cybersecurity Issues and Being Unprepared ............................................................................ 24
Developing an Incident Response Team................................................................................... 26
Recommendations ................................................................................................................. 27
Mitigating Risks with an Incident Response Plan .................................................................... 28
Recommendations ................................................................................................................. 29
Conclusion .................................................................................................................................... 30
References ..................................................................................................................................... 33
Statement of the Problem

The purpose of this research project was to evaluate incident response plans in order to provide recommendations for organizations to better address internal and external network threats. The project intended to answer the following questions: What issues do organizations encounter due to inadequate or unimplemented incident response plans? How does implementing an incident response plan help organizations prevent or mitigate internal and external network threats? How should an incident response team be structured?

Peer-reviewed scholarly articles, journals, and books were utilized for this research paper. In addition, the National Institute of Standards and Technology (NIST) framework was utilized in gathering information on an effective incident response plan. This project will benefit both organizations and individuals that are interested in incident response plans. Organizations that utilize the Internet of Things (IoT) to conduct business and meet other needs will benefit from this research, as the project explored the effectiveness of an incident response plan in preparing for internal and external incidents.

A significant component of information technology (IT) systems is computer security incident response. Attacks linked to cybersecurity have not only become more frequent and complex, but also more destructive and disruptive. New forms of security-related incidents are frequently emerging. Preventive measures based on the outcome of risk assessments can minimize the number of incidents, but it is not possible to avoid all incidents. Therefore, an incident response capability is needed to identify incidents quickly, reduce damage and degradation, mitigate exploited vulnerabilities, and reconstruct IT services (Cichonski et al., 2012).
When information is the primary target, hackers attempt to steal the data. However, recent trends suggest that they are seeking to damage data integrity instead of exfiltrating it. Methods of attack are also developing. Cyber criminals target and attempt to exploit the human error involved in a system to gain access to systems even when the targeted system has many security measures implemented. This illustrates that humans are the weakest link and the most frequently targeted cybercrime victims (Shinde & Kulkarni, 2021).
Cyber-attacks, for different reasons, are inevitable from an organizational viewpoint. One explanation is that companies do not detect all potential exploits and cannot remove the human element, the weakest link in the cyber security process. Therefore, to reduce the impact on their businesses when attacks occur, they need to take not only preventive steps but also corrective measures to deal with cyber-attacks in various ways. The goal of incident management frameworks is to reduce the possible harm from network and human error incidents and to recover faster from such events (Shinde & Kulkarni, 2021).
A weak incident response plan, or no incident response plan at all, can lead to legal repercussions, loss of sales, brand harm, and loss of consumer confidence. Such issues could call into question the survival chances of a business following a serious cyber security attack. The U.S. retail chain Target encountered a serious cyber security attack in 2013. A lack of internal control and incident response preparation were the principal causes of the attack. The legal ramifications and compensation from the incident eventually cost $18.5 billion to resolve (Shinde & Kulkarni, 2021).
The Equifax data breach that occurred in 2017 caused significant harm to the company's brand. The event resulted in a breach of the data of 147 million Equifax customers. Due to a lack of incident management planning, the organization made the mistake of not disclosing the specifics of the data breach to its clients at the right time. This incited customer frustration that led to a court dispute and a settlement of lawsuits in which Equifax ended up paying the individuals affected by the incident $425 million (Shinde & Kulkarni, 2021).
In September 2015, R.T. Jones Capital Equities Management, a St. Louis-based investment advisor, was charged $75,000 by the Securities and Exchange Commission (SEC) for failing to set up the necessary cybersecurity policies and procedures in advance of a July 2013 breach. After an unknown hacker infiltrated R.T. Jones' third-party vendor, the attacker obtained access to sensitive information and compromised the personally identifiable information (PII) of nearly 100,000 people, including thousands of the company's customers. The incident left the customers of R.T. Jones exposed to fraud and theft and led to the SEC's decision that the firm had broken Rule 30(a) of Regulation S-P under the US Securities Act of 1933. According to Marshall S. Sprung, former Co-Chief of the SEC Enforcement Division's Asset Management Unit, "Firms must adopt written policies to protect their client's private information and they need to anticipate potential cyber security events and have clear procedures in place rather than waiting to react once a breach occurs" (Reuvid, 2018, sec. 1.3).
In February 2015, Kaspersky Lab and Interpol reported that approximately $1 billion was stolen over a two-year period from financial institutions globally by a cyber-criminal group made up of members from China, Ukraine, and Russia. The Moscow-based security company called the crime crew Carbanak. The criminal case demonstrates that financial institutions are as susceptible to cyber-attacks as retailers that carry card information, telcos, utilities, and others (Reuvid, 2018).
The Ponemon Institute conducted a global study in 2015 addressing organizations' preparedness when it comes to withstanding and recovering from a cyber-attack. The study found that an overwhelming majority of surveyed entities were still unprepared to react appropriately to cyber threats, with seventy-seven percent of respondents indicating that they did not have a consistently implemented cybersecurity incident response plan throughout their business. Around fifty-four percent of the surveyed organizations that did have a plan in place did not routinely test their plans, which can leave them less equipped to handle the dynamic processes and collaboration that may take place during an attack. Studies do show, however, that enterprises that can react rapidly and effectively to contain a cyber incident within thirty days save over $1 million on the overall cost of a data intrusion on average. The study concluded in 2019 and found that shortcomings in cybersecurity incident response preparation remained constant (Lalan, 2019).
The study also examined the effect of automation on cyber resilience. Automation refers to security mechanisms that enhance or substitute for human intervention in identifying and containing cyber vulnerabilities or breaches. Machine learning, artificial intelligence, analytics, and orchestration are based on these techniques. Only twenty-three percent of respondents said they were heavy automation users, while seventy-seven percent said their companies use automation only mildly, insignificantly, or not at all. Companies that use automation heavily can prevent, detect, respond to, and contain a cyber incident faster than the overall sample of respondents. Failing to use automation is a lost opportunity to improve cyber resilience, as companies that have completely implemented security automation saved $1.5 million on the overall cost of a cyber intrusion compared to organizations that have not leveraged automation, which had a higher total cost per cyber incident (Lalan, 2019).
The deficit in cybersecurity skills seems to be further weakening cyber resilience, as companies indicated that their ability to efficiently handle resources and needs was hampered by a lack of personnel. Survey respondents suggested that they lack the number of staff needed to adequately manage and evaluate their incident response plans. Moreover, only thirty percent of participants reported that cybersecurity staffing is adequate to ensure a high level of cyber resilience. In addition, seventy-five percent of respondents rated the challenge of recruiting and retaining professional cybersecurity staff as moderately high or high. Adding to the skills difficulty, almost half of the participants (forty-eight percent) stated that their company implements too many different protection methods, increasing organizational uncertainty and decreasing visibility into the overall security posture (Lalan, 2019).
Growing Concerns with Legislation and Policy

Cyber-attacks have escalated since 1988, and many cybersecurity problems encountered since the turn of the century are still troublesome. Although technical capabilities have increased by leaps and bounds, security mechanisms and protocols struggle to stay current with the rapidly evolving field. They are often rendered useless more quickly than new software and hardware can be released (Lino, 2015).
In 2014, a study by Senator Tom Coburn, a senior member of the Committee on Homeland Security and Government Affairs, was published that exposed alarming statistics about the government's inability to keep security threats under control. The study suggests that government networks were the victims of 48,000 identified cyberattacks, in addition to thousands more unsuspected incidents. Furthermore, only four out of ten cyber breaches are identified by civilian authorities, and with reporting to the public becoming much worse, most attacks are unknown to the public, except on rare occasions when hackers publish their attacks. Although different organizations are vulnerable to these cyber threats, the recurring theme among them is that common and fixable vulnerabilities are usually the ones exploited by the intrusions. Out-of-date