Saying Mele Kalikimaka to Malware

Creating a Reliable and Effective Incident Response Process

It’s 11:24 pm on December 24th. The stockings have been filled, the gifts have been laid under the tree, the milk and cookies have been left out, the kids have been tucked into bed and the Christmas lights have been turned off for the evening. Exhausted, you climb into bed excited for the joy and excitement tomorrow will bring for you and your family. As your eyes begin to close, you hear the jarring sound of your phone vibrating on the nightstand next to you. Annoyed, you check the caller ID and see the name of one of your district’s technology team members. Reluctantly, you answer the phone, and much to your dismay it’s not good news. A security incident has just been detected on the network and the incident response team has been activated to deal with the threat. The relaxing winter vacation you were expecting has now taken an unexpected and rather unenjoyable turn.

We often forget that attackers don’t care about our holiday plans. In fact, over the years we have seen a direct correlation between observed holidays and the number of cyber attacks, with attackers becoming more active during holiday periods. Last year, Darktrace, a global leader in cybersecurity AI, reported in its December 2nd press release that its security researchers discovered a 30% increase in the average number of attempted ransomware attacks globally over the holiday season in every consecutive year from 2018 to 2020 compared to the monthly average. Additionally, researchers observed a 70% average increase in attempted ransomware attacks in November and December compared to January and February. This data paints a clear and frightening picture: attackers use the holiday season to catch people with their guard down in hopes of an easy money-making opportunity. With this in mind, in this article we will cover some basic incident response management processes and procedures that we can put in place now that will help us with any future security incident, even if it happens during our holiday vacation.

The first incident response management process to implement is designating a person or team to manage incident handling. In order to have a quick and complete incident response process, a person or team, along with a backup person or team, needs to be selected and assigned the role of incident response personnel. The incident response person or team is responsible for the coordination and documentation of incident response and recovery efforts. This person or team can be made up of internal employees, third-party vendors, or a hybrid approach combining both internal employees and a third-party vendor. If a third-party vendor is being used, it is important to designate at least one internal employee to oversee any third-party work. When a cybersecurity incident happens, speed is critical in assessing, containing, and mitigating any threat. The longer it takes to respond to the threat, the longer the attacker has to steal more data, deploy more persistence techniques, or remove more evidence. By designating this incident response person or team, we are able to respond to any incident in a quicker and more efficient way.

The second incident response management process to implement is establishing and maintaining contact information for parties that need to be informed of security incidents. When a security incident happens, there are people that need to be contacted, and depending on the scope and severity of the incident there may be additional parties that need to be informed and updated on the situation. These contacts may include internal staff, third-party vendors, law enforcement, cyber insurance providers, relevant government agencies, Information Sharing and Analysis Center (ISAC) partners, or other stakeholders. Having a list of contacts with correct and detailed contact information will go a long way in helping the speed and efficiency of your incident response team. A great example of this process in action is the recent ransomware attack on the Los Angeles Unified School District (LAUSD) that happened on October 2, 2022. LAUSD activated its incident response plan and alerted law enforcement and even a government agency, the US Cybersecurity and Infrastructure Security Agency (CISA), which was then able to assist the school district in responding to the attack. It is important to note that at the time of the attack, LAUSD was the 2nd largest school district in the nation, which is why CISA was contacted to help with the attack.

The third and final incident response management process to implement is establishing and maintaining a process for staff to report security incidents. When leveraged properly, our teachers and staff can be our security eyes and ears on the ground across the district. However, if no reporting process is put in place, oftentimes those security incidents never get reported. Having a readily accessible process for any staff member to report a potential security incident could be the difference between catching an incident early and picking up the pieces after the incident has already happened. The reporting process should include a reporting timeframe, a mechanism to report incidents, and the baseline information that is to be included in the report. This process should be publicly available for all staff to access whenever needed. Additionally, if your district is using a third party as a managed security provider or just as an additional incident response team, be sure to implement any mechanisms the third party uses to conduct triage operations or incident response escalations.

Implementing an incident response management process for your district can feel like a daunting task. However, by breaking the process down into pieces like designating a person or team to manage incident handling, establishing and maintaining contact information of parties that need to be informed of security incidents, and establishing and maintaining a process for staff to report security incidents, we can start taking the first steps forward to bring this from concept to reality.