
Institutional Structure and Incident Response Mechanism in an Organisation to handle Cyber Security related incidents

Author and Date


Introduction
What is cyber security?

• As systems increasingly operate over a distributed and insecure medium such as the Internet, it is critical for
corporate or government institutions to prevent cyber crimes (any unwanted action that violates the
institution's systems over that medium, such as cyber extortion, denial of service attacks, etc.).

• Cyber security is the field of study consisting of the practices architected to prevent such crimes/attacks.
Introduction
How does any institute prevent cyber crimes?

• Every institute has its own incident handling rules depending on the type of organisation. For example: an
organisation serving its customers in real time may focus on the availability of its servers rather than on data, while an
organisation that stores confidential data, such as a bank, may focus more on data security.

• What is an incident?
• An incident is an adverse event, or the threat of an adverse event, in a computer system (the event may be a
misuse, hoax, intrusion or even a compromise of confidentiality, etc.)
Incident Handling
What is it?

• Incident handling consists of the set of rules/actions executed to protect the system and its information when an adverse
event occurs, and to restore the system to its normal operating condition.
Incident Handling
Why is it important?
Incident Handling
Stages
Incident Handling
Stage 1: Preparation

1. Identify & Prioritise assets: We need to prioritise the assets of the company. For example: which assets would cause the business to go under or suffer heavy losses if they
were stolen or damaged?

2. Identify Potential risks: This requires some research depending on the organisation. For example, a bank may face risks such as phishing calls that trick
its clients into revealing confidential details.

3. Establish Procedures: After identifying the risks, decide on a set of actions to prevent as many of them as possible. For example: for threats like phishing calls,
you can make your clients aware so that they do not respond to such calls. Moreover, even if a breach happens, this set of actions should be performed by
employees to bring the system back to its original state.

4. Set up a response team: You’ll need to designate a team that helps coordinate the actions of your company after the discovery of a data breach. The goal for this
team is to help coordinate resources during a security incident to minimize impact and restore operations as quickly as possible.

5. Sell the plan: Your incident response team won’t be very effective if you don’t have the proper backing and resources to execute the plan. This is true from
enterprise organizations to smaller, one-off businesses. That’s why you need to make sure that those who control your company’s purse strings are aware of the
need and benefits of having an incident response plan.

6. Employee Training: Just having an incident response plan won't help you in a data breach. Your employees need to be aware of the plan and be properly trained
on what they're expected to do should you get breached. Test the response plan through tabletop exercises. These exercises familiarize your employees with their
particular roles in a data breach by testing your response plan against a potential hacking scenario.
Incident Handling
Stage 2: Identification

This is the process where you determine whether you’ve been breached. A breach, or incident, could originate from many
different areas.

Questions to address
• When did the event happen?
• How was it discovered?
• Who discovered it?
• Have any other areas been impacted?
• What is the scope of the compromise?
• Does it affect operations?
• Has the source (point of entry) of the event been discovered?
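The identification questions above (when did it happen, what is the scope, where was the point of entry) are usually answered from logs. As an added example that is not part of the original slides, the script below triages a few constructed login records: it flags an account whose successful login follows a burst of failures from the same source, then reports the first compromise time, the entry host and source, and every host that account reached afterwards. The key=value log format, the host names, the addresses and the failure threshold are all assumptions made for this example.

```python
"""Added example: answering the Stage 2 identification questions from log lines.

The log format (timestamp, then key=value fields), the host names, addresses
and the FAIL_THRESHOLD are constructed for this example, not taken from the slides.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: five failed logins from one source, then a success on the
# same account, then that account appearing on a second host; the last line is
# an unrelated normal login.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z host=web01 event=ssh_login result=fail user=admin src=203.0.113.5
2024-03-01T02:14:09Z host=web01 event=ssh_login result=fail user=admin src=203.0.113.5
2024-03-01T02:14:11Z host=web01 event=ssh_login result=fail user=admin src=203.0.113.5
2024-03-01T02:14:13Z host=web01 event=ssh_login result=fail user=admin src=203.0.113.5
2024-03-01T02:14:15Z host=web01 event=ssh_login result=fail user=admin src=203.0.113.5
2024-03-01T02:14:20Z host=web01 event=ssh_login result=success user=admin src=203.0.113.5
2024-03-01T02:31:02Z host=db01 event=ssh_login result=success user=admin src=10.0.0.21
2024-03-01T08:00:00Z host=web01 event=ssh_login result=success user=alice src=10.0.0.7
"""

# Number of failures from one (source, user) pair before a success is treated as suspicious.
FAIL_THRESHOLD = 5


def parse_line(line):
    """Turn one 'ts k=v k=v ...' line into a dict with a parsed 'ts' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def triage(log_text):
    """Return a report answering when, where (point of entry) and what scope, or None."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records.sort(key=lambda r: r["ts"])

    fails = defaultdict(int)   # (src, user) -> consecutive failures seen so far
    compromised = {}           # user -> (first compromise time, host, src)
    for rec in records:
        if rec.get("event") != "ssh_login":
            continue
        key = (rec["src"], rec["user"])
        if rec["result"] == "fail":
            fails[key] += 1
        elif rec["result"] == "success":
            if fails[key] >= FAIL_THRESHOLD and rec["user"] not in compromised:
                compromised[rec["user"]] = (rec["ts"], rec["host"], rec["src"])
            fails[key] = 0
    if not compromised:
        return None

    # Scope: every host a compromised account logged into at or after its compromise time.
    affected = set()
    for rec in records:
        hit = compromised.get(rec.get("user"))
        if hit and rec.get("event") == "ssh_login" and rec["result"] == "success" and rec["ts"] >= hit[0]:
            affected.add(rec["host"])

    first_user = min(compromised, key=lambda u: compromised[u][0])
    ts, host, src = compromised[first_user]
    return {
        "first_seen": ts.isoformat(),
        "point_of_entry": {"host": host, "src": src, "user": first_user},
        "compromised_accounts": sorted(compromised),
        "affected_hosts": sorted(affected),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The threshold rule is deliberately simple; in practice the same structure is fed by a SIEM query, and the "affected hosts" pass is what turns a single alert into the scope question the slide asks.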
Incident Handling
Stage 3: Containment

• When a breach is first discovered, your initial instinct may be to securely delete everything so you can just get rid of
it. However, that will likely hurt you in the long run since you’ll be destroying valuable evidence that you need to
determine where the breach started and devise a plan to prevent it from happening again.

• Instead, contain the breach so it doesn’t spread and cause further damage to your business. If you can, disconnect
affected devices from the Internet. Have short-term and long-term containment strategies ready. It’s also good to
have a redundant system back-up to help restore business operations. That way, any compromised data isn’t lost
forever.

• This is also a good time to update and patch your systems, review your remote access protocols (requiring
mandatory multi-factor authentication), change all user and administrative access credentials and harden all
passwords.
Incident Handling
Stage 4: Eradication

Once you’ve contained the issue, you need to find and eliminate the root cause of the breach. This means all malware should be securely
removed, systems should again be hardened and patched, and updates should be applied.

Whether you do this yourself, or hire a third party to do it, you need to be thorough. If any trace of malware or security issues remain in
your systems, you may still be losing valuable data, and your liability could increase.

Questions to address
• Have artifacts/malware from the attacker been securely removed?
• Has the system been hardened, patched, and updates applied?
• Can the system be re-imaged?
Incident Handling
Stage 5: Recovery

This is the process of restoring and returning affected systems and devices back into your business environment. During this time, it’s
important to get your systems and business operations up and running again without the fear of another breach.

Questions to address
• When can systems be returned to production?
• Have systems been patched, hardened and tested?
• Can the system be restored from a trusted back-up?
• How long will the affected systems be monitored and what will you look for when monitoring?
• What tools will ensure similar attacks will not reoccur? (File integrity monitoring, intrusion detection/protection, etc)
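Two of the questions above, in Stage 4 ("have the attacker's artifacts been removed?") and in Stage 5 ("can the system be restored from a trusted back-up?", "file integrity monitoring"), can be answered with the same tool: a hash baseline of the files on the system. The following is an added example, not code from the original slides, of a minimal file-integrity monitor. It records a SHA-256 baseline of a directory, reports files that were added, removed or modified since, and refuses a backup that does not match the known-good baseline. The directory layout and file contents are constructed inline for the demonstration.

```python
"""Added example: a minimal file-integrity monitor (not from the original slides).

The 'production' and 'backup' directories, their files and the simulated
tampering are all constructed inside demo() so the script runs offline.
"""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Added, removed and modified paths (each sorted) between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def backup_is_trusted(baseline, backup_root):
    """True only if the backup holds exactly the baseline files with matching hashes."""
    diff = compare(baseline, build_baseline(backup_root))
    return not (diff["added"] or diff["removed"] or diff["modified"])


def _write(root, rel, data):
    """Helper: create a file (and parent directories) under root."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline, simulated tampering, detection, backup check."""
    with tempfile.TemporaryDirectory() as prod, tempfile.TemporaryDirectory() as backup:
        known_good = {"etc/app.conf": b"listen=443\n", "www/index.html": b"<h1>hello</h1>\n"}
        for rel, data in known_good.items():
            _write(prod, rel, data)     # the live system while it is known-good
            _write(backup, rel, data)   # a backup taken at the same time
        baseline = build_baseline(prod)

        # Simulated compromise: a config change, an unexpected new file, a deleted page.
        _write(prod, "etc/app.conf", b"listen=443\nallow_from=0.0.0.0/0\n")
        _write(prod, "www/unexpected.bin", b"\x00constructed\x00")
        os.remove(os.path.join(prod, "www", "index.html"))
        diff = compare(baseline, build_baseline(prod))

        # Stage 5: verify the backup against the baseline before restoring from it,
        # then show that a backup which drifted from the baseline is rejected.
        clean_backup_ok = backup_is_trusted(baseline, backup)
        _write(backup, "etc/app.conf", b"listen=8080\n")
        tampered_backup_ok = backup_is_trusted(baseline, backup)

        return {"diff": diff, "clean_backup_ok": clean_backup_ok, "tampered_backup_ok": tampered_backup_ok}


if __name__ == "__main__":
    print(demo())
```

The same compare() run against a fresh baseline after eradication is the Stage 4 check that the attacker's artifacts are really gone; store the baseline off-host, since a baseline the attacker can rewrite proves nothing.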
Incident Handling
Stage 6: Follow-up

Once the investigation is complete, hold an after-action meeting with all Incident Response Team members and discuss what you’ve
learned from the data breach.  This is where you will analyze and document everything about the breach.  Determine what worked well in
your response plan, and where there were some holes. Lessons learned from both mock and real events will help strengthen your systems
against the future attacks.

Questions to address
• What changes need to be made to security?
• How should employees be trained differently?
• What weakness did the breach exploit?
• How will you ensure a similar breach doesn’t happen again?
No one wants to go through a data breach, but it’s essential to plan for one. Prepare for it, know what to do when it happens, and learn all
that you can afterwards.
