It’s hard to believe there are only two installments left in our series on the CIS Critical Security Controls, but here we are, so close to the finish line we can almost taste it. This particular post will focus on CIS Critical Control 19, incident response and management.
In today’s ever-evolving attack landscape, it’s not a matter of if, but when, a security incident will occur in your organization. If your company suffers a data breach or a phishing, ransomware, or DDoS attack, are you prepared to respond?
The key principle of CIS Critical Security Control 19 is to protect the organization’s information—and reputation—by developing and implementing an incident response infrastructure for quickly discovering an attack and effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of network and systems.
Let’s go through how to implement and manage an effective incident response plan:
Incident response plans, procedures, and runbooks
Your incident resposne plan serves as the foundation of your incident response strategy, so if you don't have one already, it's a good idea to start developing one now. If you do have one, consider reviewing and updating it.
Related Blog: How to Build an Incident Response Plan
Different types of security attacks merit different response strategies. It is important that your incident response plan details separate procedures (runbooks) for various type of incidents, such as:
- Malware/ransomware outbreaks
- Phishing attacks
- Data loss/theft
- Unauthorized access
- Privilege escalation
- Improper use
For a more in-depth look at building out your incident response plan, check out Rapid7’s eBook, “Prepare for Battle: Building an Incident Response Plan.”
Building your incident response team
Your incident response plan should include a definition of personnel roles, assigned job titles, and duties for handling computer and network incidents in your organization. Specific employees should be assigned to each role and their contact information included in the plan. Each of these roles requires specific training to ensure employees are clear on the role they play in an investigation when the plan is activated.
Key personnel to bring in are those who maintain skill sets that allow for sufficient access to various data types. This includes the people managing your security and application log information, support personnel, system administrators, and network engineers.
In addition to the IT and security teams, bring in legal, public relations, communications, senior leadership, human resources, supply management, and vendors.
Testing your incident response plan
Testing is vital to ensure your incident response plan will be effective during an actual incident and that employees understand current threats, risks, and their responsibilities in supporting the incident handling team. Incident response tabletop exercises, which are discussion-based exercises in which personnel meet to discuss roles, responsibilities, coordination, and decision-making in a given scenario, are recommended, along with functional/simulation exercises. Security awareness training should also be included as part of both initial and ongoing training. The development of incident response testing plans and threat simulations can be internal or outsourced to a third party.
Incident response awareness
Both your employees and the public should be aware of how to report an incident to your organization’s security group. Develop standards for the time required to report anomalous events and security incidents, the mechanisms for such reporting, and the types of information that should be included in the incident notification. This reporting should also include notifying the appropriate community emergency response team in accordance with all legal or regulatory requirements.
Publish information regarding reporting computer anomalies and incidents to the incident handling team for all personnel, including employees and contractors. Such information should also be included in routine employee awareness activities.
Assemble and maintain information on third-party contact information that should be used to report a security incident in your organization. For example, you could maintain an email address or web page specifically designated for security incidents.
Though this guidance is not specifically spelled out in the sub-controls of Critical Security Control 19, we often recommend the following to our clients:
- Join communities: Your company is not the only one that experiences incidents. Consider joining the Information Sharing and Analysis Center for your industry and following organizations such as US-CERT.
- Managed detection and response: Managed detection and response services provide 24/7 detection and response in your environment and can be a great fit for organizations that don’t have the staffing, budget, or time to fully support incident response activities internally. Check out this evaluation brief, “How to Choose a Managed Detection and Response Provider,” for some helpful questions to ask when deciding on a provider.
- Incident response retainer: Incident response retainers offer customers the ability to rapidly engage skilled personnel to perform a forensic investigation in the event of a suspected compromise or the real deal. These retainers are often an annual expense you either use or lose, so ensure your pick allows you to move from being reactive to proactive and reallocate your hours toward penetration testing or tabletop exercises, like we do here at Rapid7.
- Cyber-insurance: For many companies, cyber-insurance is a “check the box” control. When purchasing cyber-insurance, it is important to understand what is and isn’t covered as part of your plan. For example, many insurance policies will be nullified if you are not properly managing your logging infrastructure. It is also important to realize that cyber-insurance is not a replacement for implementing security controls. Do your research before purchasing a cyber-insurance policy and be sure your legal team weighs in, too.
To learn how Rapid7 can help improve your detection capabilities and incident response program—or take care of the whole thing for you—explore our SIEM solution, which allows you to detect and respond to attacks in-house. We also have incident detection and response services if you would like to consult with our team of highly trained professionals.
Like what you see? Check out our next (and final!) post in this series, “CIS Critical Security Control 20: Measure Your Security Standing with Penetration Tests and Red Team Exercises.”