Cyberattacks Happen. A Fully Integrated Incident Response Plan Will Get You Through It.
Why an Incident Response Plan is Critical in Today’s Threat Environment
Security incidents are, by their nature, unplanned and unpredictable. The one thing IT leaders can be sure of is that the threat is growing and that the actors behind those threats continue to improve in sophistication and efficiency. One of the best ways to respond to these threats is to have a fully integrated incident response plan.
An Unpredictable But Growing Threat
Cyber threats of all types are on the rise and for virtually every organization, it’s not simply a matter of if – but when – they will encounter an incident. Consider the following statistics (Verizon):
Frequency of security incidents in 2019 alone:
- 53,308 security incidents
- 2,216 data breaches
Who you’re defending against:
- 73% of cyberattacks were perpetrated by outsiders
- 50% of breaches were executed by organized criminal groups
- 12% of breaches involved nation-state or state-affiliated actors
- 28% of attacks involved insiders
What they want:
- 76% of breaches were financially motivated. Stealing payment card data, PII, and intellectual property are all fair game
- Less than 30% of breaches were motivated by espionage or a grudge
“If you’re facing a cyberattack, you can’t predict what the attacker is going to do next, especially if it’s an APT attacker. If it’s more than just a botnet or a robot network that’s out there, and there’s a human behind it, you simply can’t predict what’ll happen next.”
-Mark Houpt, Chief Information Security Officer, DataBank
Integrated Response: Combat Uncertainty With Planning
While the nature, timing and origin of an incident may be uncertain, the likelihood of one occurring demands IT leaders be prepared to respond. Having a fully integrated and regularly practiced incident response plan is the best way to know how to handle a cyberattack from start to finish. A well-crafted response plan will spell out communications, documentation, and who’s going to be on the team to take on responsibilities for various response processes.
Response plans are critical within an enterprise, but they are even more important when you’re working with a cloud service or colocation provider. In a corporate environment, it’s usually easier to corral all the individuals who are needed for execution; however, doing so may not be a formalized part of your plan. When you’re operating within a multi-organization environment, it becomes even more important to have a documented plan that identifies how communications go between multiple organizations, when notifications are to occur, and how much transparency is needed between entities.
For instance, as a cloud service provider, at DataBank we are concerned about how much information we give out during an incident. We always maintain transparency, but must also ensure we’re not compromising security, or that any security events that take place don’t impact customer relationships. There are many layers of complexity to address.
Regardless of the unique properties of your organization, establishing and maintaining an integrated IR plan prior to an event occurring lets everyone know where they stand and what to expect. Testing throughout the year is also important for ensuring the process is smooth when an event comes to pass.
A Real-Life Case Example: Fighting DDoS at DataBank
Let’s review a real-life case example our security team dealt with right here at DataBank.
No one’s immune to cyberattacks; that includes data center and cloud service providers. In September 2018, and later in November, a DDoS attack was launched against two of our facilities, more so in an attempt to disrupt our service than take it down entirely. The incident involved a multi-day attack, likely executed by an APT attacker.
Our security team is well-trained in incident response, so we immediately ran our IR plan and communicated to customers what was taking place. Internal tech teams as well as vendors worked together to identify the threat and where it originated, which in this case was a distributed, multi-location attack. Once the attack pattern was identified, we were better prepared to defend against it.
How to Effectively Combat a Cyberattack
Effectively combating cyberattacks starts with a single best practice: have a security response plan. One of the best places to look for a plan template and plan guideline is NIST. NIST offers the “Computer Security Incident Handling Guide,” Special Publication 800-61, Revision 2, which identifies how you should work through an incident, including a template for creating your own IR plan.
Here are six steps to incident response we employ at DataBank, and frequently recommend to customers.
1. Preparation
- Prepare documentation
- Train personnel
2. Detection and analysis
This step takes place when the incident starts occurring. When set up properly, the appropriate alarm systems go off and alerts are generated.
3. Containment
Post-detection, the security team has to contain and stop the attack from spreading or causing other problems.
4. Eradication and recovery
- Removal of threat or attack vector from systems
“NIST actually groups containment with eradication and recovery, but I like to break these steps out because I find that once your security team has everything stabilized, you then move into actual eradication and recovery.”
-Mark Houpt, Chief Information Security Officer, DataBank
5. Return systems or data center to an operational state
6. Post-incident activities
- Bring team back together
- Review the event in detail
- Determine areas of improvement for future incidents
- Update documentation
“A lot of people forget about post-incident activity. Once everyone has gotten systems online and has had the chance to get some sleep, you’ve got to get your people back together so you can review what happened and figure out how to do better next time. Documentation changes could be as small as updating someone’s phone number that was incorrect when you were trying to get hold of them. Do not forget the post-incident activities!”
–Tyler Treat, Security Architect, DataBank
Post-incident activities are particularly important because they ensure no one forgets some of the smaller details that can end up costing you when another event comes to pass. This brings the cycle back to the preparation step, ensuring your security team is 100% ready for the next attack that will occur. Unfortunately, another attack is a guarantee, and the best way to deal with it is to have these steps firmly in place so you can recover and work forward, regardless of the event.
Benefits of NIST-Based Incident Response, DataBank-Style
One way to ensure your incident response practice is covered is to enlist a security partner. Here at DataBank, we have an extensive team dedicated exclusively to recovery, containment, and detection. In many cases, smaller or medium companies may not have the ability to staff a seven-person security team, or establish the necessary resiliency for protection.
Keep in mind: part of preparing for an incident is doing risk assessments. Know how you have your organization set up and determine whether you can sustain through an attack. Conduct a threat to vulnerability risk assessment and determine if the current location of your data, IT resources, and systems is good enough for your company. This is a key factor.
For example, if the average medium-sized company was attacked in the same way DataBank was in September, they’d probably have been taken down. This level of force is designed to take an unprepared organization off the grid for days, whereas a provider with resilient systems is built to withstand the attack.
“When we dealt with the DDoS attacks, we had access to multiple data centers and a full staff of people who can be involved. Plus, we were able to leverage the power of vendor resources. We were able to sustain that attack with minimal downtime for our customers. That TBRA is something everyone should evaluate prior to walking into the IR process so you know what you’re dealing with.”
–Stephen Maiorca, Sr. Security Engineer, DataBank
Three Key Takeaways for Incident Response
1. Find an IR plan that’s based on an industry standard.
We recommend NIST 800-61 Revision 2. Your industry standard of choice needs to be emphasized in the documentation. If you cobble together a plan, it’s harder to execute on and put together, plus it will be subject to auditing scrutiny.
2. Consider working with a redundant, resilient security partner rather than trying to tackle IR internally.
If you’re understaffed, trying to deal with a full-scale cyberattack won’t be easy, and neither will creating an incident response plan. A supporting partner such as DataBank can offer resiliency and redundancy that will allow you to remain up all of the time.
3. Always test your plan.
Test your plan and ensure it’s ready to go. Incidents occur at a moment’s notice and they certainly aren’t designed to give you and your team time to sit down and figure out how to deal with them. Have your fully tested plan in place in advance so it can be effectively activated when an incident occurs.
Looking for more tips on putting together an incident response plan? DataBank can help point you in the right direction to ensure you’re prepared in the event of an attack. Reach out to DataBank, or call us at 1.800.840.7533 and speak to an incident response expert immediately.