Today we continue down the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). In our earlier blog posts, we learned how to identify our assets, and then we did our best to protect them. Then, since nothing is 100% secure, we detected the bad thing happening. What do we do next? We need to respond to the detection.
What is involved in being able to respond in a meaningful way?
First, we need to plan for a response. Remember, it’s been said that to fail to prepare is to prepare to fail. Response Planning involves knowing what to do after the detection. This means having a process, knowing whom to notify and how to initiate the response plan, and making sure those who respond know the plan and take action to stop the incident in a timely fashion.
Communications are critical and require executive involvement. Who are we obligated to communicate with and at what point? Some laws define these thresholds, but the organization needs to have decided if they want to exceed those and get ahead of it or not. Folks, these are not decisions the IT people should be making without input from the executive team.
Analysis is where the information security folks try to find all the affected assets and the impact on the organization. This is also the stage where forensics are performed to collect and preserve evidence that might be needed for future litigation.
Mitigation is a critical step that includes processes to contain the incident, prevent it from spreading, and mitigate the potential damage of the threat. In addition, any new vulnerabilities not identified in the past are documented and included as part of the company’s overall understanding of its risks.
Finally, we have improvements. This is the postmortem phase. It’s critical in this phase to honestly review what went well and what didn’t. If this turns into a finger-pointing session, however, all value of this phase will be lost.
Have you tested your response process? Usually this is done in what is called a ‘tabletop exercise’, where a scenario is developed and walked through methodically. It begins with the operational group and moves to the executives when it becomes an incident. An example might be a ransomware incident, where the scenario evolves from inception, to escalation, to resolution.
If we can follow all of the NIST CSF subcategories for Respond with a high level of maturity after we have detected an incident, we are ready to move on to how we recover. Our final blog post in this series will cover that next and very important function of the NIST CSF.