Breaches happen every day. Is your business prepared?
This blog post is based on OWASP Top 10 Guidance for Incident Response, and it will provide a proactive approach to incident response planning.
A security incident is an identified occurrence or weakness indicating a possible breach of security policies or failure of safeguards, or a previously unknown situation which may be security relevant.
Incident response is the reaction to an identified occurrence whereby responders classify, investigate and contain the incident.
Why is Incident Response Important?
Any challenge or problem which is not properly contained and handled can and will spiral into bigger problems that can eventually lead to the total collapse of the system. A competent incident response operation will help to minimize loss, mitigate the weaknesses that were exploited, restore services and processes and reduce the risk that can occur from future incidents.
Where Do We Start?
The OWASP Top 10 Guidance for Incident Response project provides a proactive approach to incident response planning. This guidance should be considered when building a comprehensive approach.
OWASP Top 10 Guidance for Incident Response
- Consideration 1: Audit and Due Diligence
Performing an audit will let you know how well prepared the organization is for incident response in terms of people, process, equipment and materials.
- Consideration 2: Create a Response Team
Preventing and managing attacks or incidents that can occur without prior notice is best managed by experts that belong to an incident response team. When creating an incident response team, ensure that you have a competent team leader who is in charge and has a clear chain of command. Also remember to document the roles and responsibilities of the team members and communicate this clearly to all relevant stakeholders.
- Consideration 3: Create a Documented Incident Response Plan
An organization should have a well-documented incident response plan that guides the incident response team during an incident. A comprehensive plan should, at minimum, cover roles and responsibilities, investigation, triage and mitigation, recovery, and the documentation process.
- Consideration 4: Identify your Triggers and Indicators
What would be categorized as an incident at your organization? How important or weighty are the factors that would trigger an incident? You need to clearly define what can trigger an incident. Some of these events may include loss or theft of equipment or information, or attempts to gain unauthorized access to data, a computer or an information storage device.
- Consideration 5: Investigate the Problem
A thorough investigation will require input from the incident response team and might require input from external resources. The investigation will document the incident details, including what to look for, who to involve, and how to document what is found.
- Consideration 6: Triage and Mitigation
Investigation leads to the triage and resolution process. As the team identifies potential exposure, it should plan and execute effective mitigation accordingly. In summary, the triage process should cover the following activities: classification of the incident, incident prioritization, and assigning specific tasks to specific people.
- Consideration 7: Recovery
Recovery is a significant step for restoring whatever services or materials might have been affected during an incident. The recovery step is the transition from active incident to standard monitoring. The recovery procedure should include the steps for transition given the specifics of the firm’s environment and approach.
- Consideration 8: Documentation and Reporting
Reporting and documentation are critical actions that will always occur before, during and after incident response. A comprehensive incident report is required in keeping with best practices and with the incident response plan. The types of reports required may vary, but they should help in managing and reviewing incidents satisfactorily.
- Consideration 9: Process Review
It is imperative to continuously monitor an incident and the workload/performance of the team or incident handler. Process review can help you to answer several questions. Should I increase or decrease the number of incident handlers? Do we need to develop automated procedures for incident handling? What risks did we identify during the incident that need to be followed up for action and monitored closely?
- Consideration 10: Practice, Practice, Practice
Do not wait until an incident occurs before you put your team to work. It is important that your incident response team understands how important mock drills and practice are to the firm. Sometimes you can practice the organization’s plan by simulating a live scenario. This test can range from something as simple as dropping a thumb drive on the floor of the office and seeing what happens, to simulating a data breach or phishing attack.
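The triggers in Consideration 4 and the three triage activities in Consideration 6 (classification, prioritization, task assignment) can be written down as a small, repeatable procedure rather than left to judgement on the day. The following is an added example, not code from the OWASP project or from this post: the trigger catalogue, the severity and sensitivity weights, the priority thresholds, the role names and the sample events are all hypothetical values constructed for illustration, and an organization would replace them with the triggers and roles defined in its own plan.

```python
"""Incident triage helper: classify events against a trigger catalogue,
prioritize them, and assign tasks to specific roles (added example)."""
from dataclasses import dataclass

# Hypothetical trigger catalogue: the events the organization has decided
# count as incident triggers (Consideration 4), mapped to a category.
TRIGGER_CATEGORIES = {
    "lost_device": "equipment_loss",
    "stolen_device": "equipment_loss",
    "unauthorized_access_attempt": "access_attempt",
    "data_exfiltration": "data_breach",
    "phishing_report": "social_engineering",
}

# Assumed base severity per category, 1 (low) to 4 (critical).
CATEGORY_SEVERITY = {
    "equipment_loss": 2,
    "access_attempt": 3,
    "data_breach": 4,
    "social_engineering": 2,
}

# Assumed weight for the sensitivity of the data involved.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}

# Hypothetical assignments: category -> (owning role, initial tasks).
ASSIGNMENTS = {
    "equipment_loss": ("asset_owner", ["remote-wipe device", "revoke device certificates"]),
    "access_attempt": ("soc_analyst", ["review authentication logs", "lock affected accounts"]),
    "data_breach": ("incident_lead", ["isolate host", "preserve evidence", "notify legal"]),
    "social_engineering": ("soc_analyst", ["pull reported email", "block sender domain"]),
}
# Anything not in the catalogue is routed to a person for a manual decision.
UNCLASSIFIED = ("incident_handler_on_duty", ["manual review: confirm whether this is an incident"])


@dataclass(frozen=True)
class Event:
    event_id: str
    trigger: str
    data_sensitivity: str
    assets_affected: int


@dataclass(frozen=True)
class TriagedIncident:
    event_id: str
    category: str
    score: int
    priority: str
    assigned_to: str
    tasks: tuple


def classify(event):
    """Classification: map the trigger to a category, or 'unclassified'."""
    return TRIGGER_CATEGORIES.get(event.trigger, "unclassified")


def risk_score(category, event):
    """Prioritization input: base severity, data sensitivity and blast radius."""
    if category == "unclassified":
        return 0
    spread = 2 if event.assets_affected > 10 else 1 if event.assets_affected > 1 else 0
    sensitivity = SENSITIVITY_WEIGHT.get(event.data_sensitivity, 1)  # unknown -> treat as internal
    return CATEGORY_SEVERITY[category] * 3 + sensitivity * 2 + spread


def priority(score, category):
    """Assumed thresholds: P1 is the highest priority; REVIEW needs a human decision."""
    if category == "unclassified":
        return "REVIEW"
    if score >= 16:
        return "P1"
    if score >= 11:
        return "P2"
    if score >= 7:
        return "P3"
    return "P4"


def triage(events):
    """Return triaged incidents ordered highest score first, unclassified events last."""
    results = []
    for ev in events:
        category = classify(ev)
        score = risk_score(category, ev)
        owner, tasks = ASSIGNMENTS.get(category, UNCLASSIFIED)
        results.append(TriagedIncident(ev.event_id, category, score,
                                       priority(score, category), owner, tuple(tasks)))
    return sorted(results, key=lambda r: (r.category == "unclassified", -r.score))


# Constructed sample events, not real incidents.
SAMPLE_EVENTS = [
    Event("ev-1", "data_exfiltration", "regulated", 1),
    Event("ev-2", "lost_device", "internal", 1),
    Event("ev-3", "unauthorized_access_attempt", "confidential", 3),
    Event("ev-4", "phishing_report", "public", 1),
    Event("ev-5", "printer_jam", "internal", 1),  # not a defined trigger
]

if __name__ == "__main__":
    for inc in triage(SAMPLE_EVENTS):
        print(f"{inc.priority:6} {inc.event_id} {inc.category:18} -> {inc.assigned_to}: {', '.join(inc.tasks)}")
```

The point of encoding the catalogue is the last sample event: something that is not a defined trigger is not silently dropped and not silently escalated; it is handed to a named person with an explicit task, which is what Consideration 6 asks for. The weights and thresholds are deliberately simple so that a process review (Consideration 9) can change them in one place after each incident.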
Incident response cuts across the whole organization and should not be restricted to the IT unit or to particular units. It should be clearly communicated that an organization’s service delivery can be endangered when incidents occur. The incident response team has the mandate to prevent, handle, resolve and adequately document incidents that may arise. Incident recovery is a significant tool of overall governance, and having it in place is a necessity.