Cyber Security Incident Management

The first step of understanding incident management is to look at what the phrase Cyber Incident actually means, the NCSC defines a cyber incident as:

“The NCSC defines a cyber incident as a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”

This definition covers number of potential scenarios – e.g. intentional or accidental data breaches, disruption of services due to DDoS, web application exploitation – it’s no longer just about how you fix a malware outbreak in the environment.

Understanding Incident Management

Incident management has historically been an aspect of Cyber Security that wasn’t considered until it’s too late primarily since it meant a malware outbreak. Today, with the instances of cyber incidents becoming increasingly frequent many organisations are developing Incident Management processes either because they have suffered an attack and understand the value in being more organised, or they realise the likelihood of one occurring and want to be prepared.

Cyber incidents can range in severity from a minor inconvenience to complete loss of the ability to conduct normal business, they are invariably stressful, frequently involving big decisions being made without necessarily having the full picture and may require a co-ordinated response from multiple areas of a business – it’s not just the IT department problem anymore.

The crux of why Incident Management is an essential component in a modern business is in a word control:

• • Control of understanding what has happened when an incident occurs, i.e. the scope and severity of the incident.

• • Control of the response to manage the situation and ensure the response doesn’t ultimately cause more harm than the incident.

• • Control of the recovery to restore normal operation as efficiently and quickly as possible.

What does Incident Management mean?

Before we get into this, there are two terms we need to be aware of – Cyber Incident Management, and Cyber Incident Response.

The Incident Management element is the overarching banner that manages the 6 different stages of the Incident response:

1. Triage

2. Analyse

3. Contain/Mitigate

4. Remediate/Eradicate

5. Recover

6. Review

I’ll talk more about these in the next section. But for now, lets just say that incident management is more of an oversight aspect that might be managed by a dedicated cyber response management team made up of stakeholders from across the business.

So, lets looks at what the response piece actually looks like; lets consider the NCSC definition again:

“The NCSC defines a cyber incident as a breach of a system’s security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).”

A cyber incident response therefore is a pre-existing methodology of steps to be taken during and after a cyber incident occurs with the cyber incident management being the management ‘plane’ co-ordinating and sometimes controlling the stages of the response.

As a whole the term incident management is a collection of pre-defined processes that direct who, how and when a business responds to the occurrence of cyber incidents.

It’s worth noting that the model in the graphic is a guide, individual cyber incident response plans may differ from business to business depending on requirements.

How do you do Incident Management?

First you are going to need to develop a process to follow.

I’ve already mentioned that Incident management is more of an overarching term or function that acts as command and control to the actual incident response; this would typically be a team of stakeholders from across the business that provide oversight and guide the response to ensure it is proportionate.

Again, there are no hard and fast rules as such since no two businesses are identical, but broadly speaking there should be a tiered approach to incident management – e.g. having a minor, intermediate and major response plan could be a starting point since it would be impossible to develop a response plan specific to every potential scenario. Each tier would then dictate a different level of response and perhaps even a different approach to the incident.

Triage

When there are indications that an incident has or is occurring, the incident management team need to convene and begin understanding the scope of the incident they are looking at, its nature and decide which level of response is most appropriate – this could be determined by one or several factors such as the number of customers affected, the number of users affected, have mission critical services been affected – the criteria will likely depend on what is most important to your business’ operation.

Often the Triage phase will dictate which of the incident management plans will be invoked, part of the process would then be to set the response team off conducting the analysis phase, whilst the incident management team brief the business on the initial situation, provide notification of outages or disseminate preventative action they wish users to take.

Analyse

The purpose of the analyse phase is to understand exactly what is going on as quickly as possible, this phase is to help plan for the next phase but it’s also an opportunity to verify any assumptions were correct with regard to the scope of the incident – e.g. what looked like a minor incident may prove to be more serious once investigation is underway and the incident management team need to be briefed and take action accordingly.

Contain/Mitigate

Once analysis has been concluded there should be a good understanding of what is happening in the environment and steps can be initiated to stop the problem getting worse. The specific response is going to depend entirely on the nature of the incident but the intent of this phase to prevent the incident escalating further and to limit the damage to services and infrastructure. This phase may also extend to damage control to the business from a reputation perspective through the use of press releases to demonstrate honesty.

Remediate/Eradicate

Once the incident is controlled and is not worsening, the task of rectifying the issue or removing the threat that caused the incident begins, again the structure and processes of this phase depend on the nature of the incident as different cyber incidents will have different responses.

Recover

With the Cyber Incident now dealt with the focus needs to be on restoring business-as-usual operation and this is the recovery phase, i.e. getting the environment/business from the post incident state back to the point where normal operations can be resumed. This phase is made immeasurably easier if you had robust backup processes in place as restoring system services and data becomes a question of how long instead of how do we do it!

Read blog post: Recover from a cyber attack | CyberLab®

Review

The review phase is exactly what it sounds like, an after action debrief of what has happened, what did we do well, what could have been done better, did any part of the process not work, why didn’t it work and how to we make sure it works next time.

Review is almost as vital as any other area of the response plans as it means you will be better equipped next time to deal with the problem.

Training

One last section that isn’t part of the NCSC plan, but is recommended, is security training. Running desktop exercises should be conducted quarterly to ensure there is familiarity with the processes but it can also contribute to the Review section to help improve processes and increase the efficiency and speed of the response.

Want to test your incident response plan? The NCSC provide a great tool: Exercise in a Box – NCSC.GOV.UK

In Conclusion

Incident management processes deliver several benefits to your business:

• Effective incident management lessens the impact of a cyber incident.

• A practised plan will help you make good decisions under the pressure of a real incident.

• A well-managed response, with clear communication throughout, builds trust with shareholders and customers.

• Learning from incidents identifies gaps and issues with your response capability.

If you haven’t done so already, our Posture Assessment tool is a quick-and-easy way to identify your strengths and weaknesses, and get a better picture of your overall security posture. 

We have put together a page of recommendations for improving your Incident Management, and which tools can help, which you can read here. 

If you’d like to learn more about how to secure your organisation and keep your data secure, book a consultation with one of our experts.