Optimizing Cybersecurity Incident Response
Image courtesy of Christoph Scholz under Attribution-ShareAlike 2.0 Generic License, resized to 700 x 391 pixels.
It is imperative that utilities in all sectors develop and optimize their cybersecurity incident response plans. Like outage response, the more effective and efficient your response to a cyberattack, the faster operations can be brought back to normal. Here is an overview of a 6-step process for doing just that!
The 6 Steps for Optimizing Cybersecurity Incident Response
According to the SANS Institute, incident response breaks down into a 6-step framework:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons learned
The first step, preparation, is near and dear to my heart as an emergency preparedness pro. As with any threat, the key is to make sure employees know how to recognize an issue and know what to do when one hits. That means having a written plan in place, with defined roles, escalation paths and current contact lists, and then conducting exercises and drills so employees can practice executing it. Preparation also covers the technical side: centralized logging, retained backups and the tooling responders will need should be ready before an incident, not assembled during one.
The next step is identification: building the organizational ability to actually know when an incident has occurred. Whether the first signal comes from internal monitoring or from an outside party (a customer, a vendor, law enforcement), it is important to tune detection thresholds and aggregate related events so responders do not get "alert fatigue" from a constant stream of noise and start ignoring the alerts that matter.
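To make the alert-fatigue point concrete, here is an added example (not code from the original post) that runs two detection configurations over the same constructed sshd log: one alert per failed login versus one alert per source once it crosses a threshold inside a time window, with a suppression period so the same attacker does not re-page the on-call person every second. The log lines, host names and addresses are constructed, the syslog/sshd line format is assumed, and the threshold and window values are illustrative starting points rather than recommendations.

```python
"""Threshold-and-suppress alerting over constructed sshd log lines.

Added example, not code from the original post. The log lines below are
constructed, the syslog/sshd format is assumed, and the threshold and window
values are illustrative starting points, not recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy source hammering root/admin, and one legitimate
# operator who mistypes a password once. Syslog lines carry no year, so one is
# assumed when parsing.
SAMPLE_LOG = """\
Mar 10 08:00:01 scada-gw sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar 10 08:00:02 scada-gw sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2
Mar 10 08:00:03 scada-gw sshd[2204]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar 10 08:00:04 scada-gw sshd[2204]: Failed password for invalid user admin from 203.0.113.7 port 51125 ssh2
Mar 10 08:00:05 scada-gw sshd[2207]: Failed password for operator from 203.0.113.7 port 51126 ssh2
Mar 10 08:00:06 scada-gw sshd[2207]: Failed password for operator from 203.0.113.7 port 51127 ssh2
Mar 10 08:00:07 scada-gw sshd[2210]: Failed password for root from 203.0.113.7 port 51128 ssh2
Mar 10 08:00:08 scada-gw sshd[2210]: Failed password for root from 203.0.113.7 port 51129 ssh2
Mar 10 08:00:09 scada-gw sshd[2213]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar 10 08:00:10 scada-gw sshd[2219]: Accepted password for operator from 192.0.2.10 port 4411 ssh2
Mar 10 08:05:00 scada-gw sshd[2230]: Failed password for operator from 192.0.2.10 port 4412 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3}) port"
)


def parse_failures(log_text, year=2024):
    """Return (timestamp, source_ip, username) for each failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def naive_alerts(events):
    """One alert per failed login: the configuration that produces alert fatigue."""
    return [f"{ts.isoformat()} failed login for {user} from {ip}"
            for ts, ip, user in events]


def tuned_alerts(events, threshold=5, window=timedelta(minutes=1),
                 suppress=timedelta(minutes=10)):
    """Alert once when a source reaches `threshold` failures inside `window`,
    then stay quiet about that source for `suppress` so repeats do not re-page."""
    recent = defaultdict(list)   # source ip -> failure timestamps still inside the window
    last_alert = {}              # source ip -> time of the last alert raised for it
    alerts = []
    for ts, ip, user in sorted(events):
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        count = len(recent[ip])
        if count < threshold:
            continue
        if ip in last_alert and ts - last_alert[ip] <= suppress:
            continue  # this source was already reported recently
        last_alert[ip] = ts
        alerts.append(f"{ts.isoformat()} possible brute force: {count} failures "
                      f"from {ip} within {int(window.total_seconds())}s")
    return alerts


if __name__ == "__main__":
    events = parse_failures(SAMPLE_LOG)
    print(f"{len(naive_alerts(events))} per-event alerts vs "
          f"{len(tuned_alerts(events))} tuned alert(s)")
    for alert in tuned_alerts(events):
        print(alert)
```

On this sample the per-event configuration pages ten times, including once for the operator's typo, while the tuned configuration raises a single alert naming the source, the count and the window, which is what a responder needs to act on. The same threshold-plus-suppression pattern applies to any event stream the utility monitors; the work is in choosing values that reflect normal traffic on your own systems, which is exactly the tuning this step is about.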
The third step is containment, i.e., minimizing the damage, which often comes down to prioritizing resources and effort. Because containment actions can have unforeseen downstream impacts on the organization (isolating a host or blocking a network segment can itself take a service offline), this step must be deliberate and strategic. Containing an incident requires both short-term tactics (isolating affected systems, blocking the attacker's network infrastructure, disabling compromised accounts) and long-term ones (rebuilding or patching so the attacker cannot simply return), and each needs to be carefully thought out. Preserve evidence before you wipe anything: a disk image or memory capture taken during containment is often what makes the later steps possible.
Fourth is eradication, the cleanup phase: removing the malicious code and the attacker's access by wiping and reimaging disks, restoring from a known-good backup, and resetting any credentials the attacker may have captured. Restoring from a backup only helps if that backup predates the compromise, so check its date against the intrusion timeline. A key element of this step is to fully document every eradication action taken, on which system and when.
The fifth step is recovery, i.e., resuming normal operations. The key decision point here is when to restore each system, which should rest on verifying that it is clean and on monitoring it closely once it is back in service. Finally, the last step is lessons learned: reviewing the documentation from the incident with everyone who responded, and updating the cybersecurity incident response plan with these learnings to improve future performance.
So, there you have it – the 6 critical steps for effective cybersecurity incident response. Good luck!