Incident Response Business Continuity and Disaster - alishahbaz/Certified-in-Cybersecurity_CC GitHub Wiki
- Explain how organizations respond to, recover from and continue to operate during unplanned disruptions.
- Recall the terms and components of incident response.
- Summarize the components of a business continuity plan.
- Identify the components of disaster recovery.
- Practice the terminology of and review incident response, business continuity and disaster recovery concepts.
- Recovery Strategies
- Continuity Strategies
- Incident Management
While security professionals strive to protect systems from malicious attacks or human carelessness, inevitably, things go wrong. For this reason, security professionals also play the role of first responders. An understanding of incident response starts with knowing the terms used to describe various cyberattacks and their effects.
- Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: a person other than an authorized user accesses or potentially accesses personally identifiable information; or an authorized user accesses personally identifiable information for other than an authorized purpose. NIST SP 800-53 Rev. 5
- Exploit: A particular attack. It is named this way because these attacks exploit system vulnerabilities.
- Intrusion: A security event, or combination of events, that constitutes a deliberate security incident in which an intruder gains, or attempts to gain, access to a system or system resource without authorization. IETF RFC 4949 Ver 2
- Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. NIST SP 800-30 Rev 1
- Event: Any observable occurrence in a network or system. NIST SP 800-61 Rev 2
- Incident: An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits.
- Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. NIST SP 800-30 Rev 1
- Zero Day: A previously unknown system vulnerability with the potential of exploitation without risk of detection or prevention because it does not, in general, fit recognized patterns, signatures, or methods.
Every organization must be prepared for incidents. Despite the best efforts of an organization's management and security teams to avoid or prevent problems, it is inevitable that adverse events will happen that have the potential to affect the business mission or objectives. The priority of any incident response is to protect life, health and safety. When any decision related to priorities is to be made, always choose safety first.
The primary goal of incident management is to be prepared. Preparation requires having a policy and a response plan that will lead the organization through the crisis. Some organizations use the term “crisis management” to describe this process.
An event is any measurable occurrence, and most events are harmless. However, if the event has the potential to disrupt the business's mission, it is called an incident. Every organization must have an incident response plan that will help preserve business viability and survival. The incident response process is aimed at reducing the impact of an incident so the organization can resume the interrupted operations as soon as possible. Incident response planning is a subset of the greater discipline of business continuity management (BCM).
Business continuity planning (BCP) is the proactive development of procedures to restore business operations after a disaster or other significant disruption to the organization.
Members from across the organization should participate in creating the BCP to ensure all systems, processes, and operations are accounted for in the plan.
The term business is used often, as this is mostly a business function as opposed to a technical one. However, in order to safeguard the confidentiality, integrity, and availability of information, the technology must align with the business needs.
- List of the BCP team members, including multiple contact methods and backup members.
- Immediate response procedures and checklists (security and safety procedures, fire suppression procedures, notification of appropriate emergency-response agencies, etc.).
- Notification systems and call trees for alerting personnel that the BCP is being enacted.
- Guidance for management, including designation of authority for specific managers.
- How/when to enact the plan.
- Contact numbers for critical members of the supply chain (vendors, customers, possible external emergency providers, third-party partners).
Imagine that the billing department of a company suffers a complete loss in a fire. The fire occurred overnight, so no personnel were in the building at the time. A Business Impact Analysis (BIA) was performed four months ago and identified the functions of the billing department as very important to the company but not immediately affecting other areas of work.
Through a previously signed agreement, the company has an alternative area in which the billing department can work, and it can be available in less than one week. Until that area is ready, customer billing inquiries will be answered by customer service staff. The billing department personnel will remain in the alternate working area until a new permanent area is available.
In this scenario, the BIA had already identified the dependencies between customer billing inquiries and revenue. Because the company has ample cash reserves, a week without billing is acceptable during this interruption to normal business. Pre-planning paid off: an alternate work area was ready for the personnel, and the customer service department handled the billing department's calls during the transition to temporary office space. With the execution of the plan, there was no material interruption to the company's business or its ability to provide services to its customers, indicating a successful implementation of the business continuity plan.
The intent of a business continuity plan is to sustain business operations while recovering from a significant disruption. An event has created a disturbance in the environment, and now you need to know how to maintain the business.
A key part of the plan is communication, including multiple contact methods and backup numbers in case of a disruption of power or communications.
Many organizations will establish a phone tree so that if one person is not available, they know who else to call. Organizations will go through their procedures and checklists to make sure they know exactly who is responsible for which action. No matter how many times they have flown, without fail, pilots go through a checklist before take-off. Similarly, there must be established procedures and a thorough checklist so that no vital element of business continuity will be missed.
The first step is to call the appropriate individuals and start to activate the business continuity plan. Management must be included because priorities can change depending on the situation. Individuals with proper authority must be present to execute operations, for instance if critical areas need to be shut down. It is important to have at hand the critical contact numbers for the supply chain, as well as for law enforcement and other sites outside the facility. For example, a hospital may suffer a severe cyberattack that affects communications with the pharmacy, the internet, or phone lines. In the United States, authorized individuals at hospitals and other critical infrastructure can be assigned priority access numbers on designated networks that bypass normal, congested cellular service during a major disruption or cyberattack, so that essential activity can continue when ordinary communications are knocked out.
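The call tree and fallback contacts described above can be modelled in a few dozen lines. The following Python is an added illustration, not code from the original page or the CC course material. The names, numbers, tree layout and outage scenario are constructed, and the fallback rule it implements (try the person's backup, and if the backup is also unreachable the caller takes over that person's downstream calls) is an assumption about how a plan might be written, not something the page prescribes.

```python
from dataclasses import dataclass, field


@dataclass
class Contact:
    """One node of the call tree (constructed example, not a real plan)."""
    name: str
    methods: list                               # ordered (channel, address) pairs, preferred first
    backup: "Contact | None" = None             # alternate who covers this person's duties
    calls: list = field(default_factory=list)   # downstream people this person must notify


def reach(person, reachable):
    """Return the first channel on which `person` answers, or None.

    `reachable` is a constructed set of (name, channel) pairs standing in for
    'who is actually answering on which channel right now'."""
    for channel, _address in person.methods:
        if (person.name, channel) in reachable:
            return channel
    return None


def activate(root, reachable, activator="BCP coordinator"):
    """Walk the call tree from `root`; return (notified, unreachable, log).

    Assumed rule: someone unreachable on every channel is covered by their
    backup; if the backup is also unreachable, the caller takes over that
    person's downstream calls so the branch below them does not go silent."""
    notified, unreachable, log = [], [], []

    def notify(caller, person, downstream):
        channel = reach(person, reachable)
        if channel is None:
            unreachable.append(person.name)
            log.append(f"{caller} could not reach {person.name} on any channel")
            backup = person.backup
            if backup is not None and backup.name not in unreachable:
                log.append(f"{caller} falling back to {backup.name} for {person.name}'s calls")
                notify(caller, backup, downstream)
            else:
                for d in downstream:            # caller keeps the branch alive
                    notify(caller, d, d.calls)
            return
        if person.name not in notified:
            notified.append(person.name)
        log.append(f"{caller} reached {person.name} via {channel}")
        for d in downstream:
            notify(person.name, d, d.calls)

    notify(activator, root, root.calls)
    return notified, unreachable, log


# Constructed sample tree. Numbers are placeholders, not real contacts.
ops_lead = Contact("Ops lead", [("mobile", "+1-555-0101")])
ops_lead.backup = Contact("Ops deputy", [("mobile", "+1-555-0102"), ("landline", "+1-555-0112")])
dba = Contact("DBA on call", [("mobile", "+1-555-0103"), ("pager", "dba-oncall")])
ciso = Contact("CISO", [("mobile", "+1-555-0100"), ("satphone", "sat-0100")], calls=[ops_lead, dba])
security_desk = Contact("Security desk", [("radio", "channel 3")])
facilities = Contact("Facilities", [("mobile", "+1-555-0200")], calls=[security_desk])
facilities.backup = Contact("Facilities deputy", [("mobile", "+1-555-0201")])
ROOT = Contact("Crisis manager", [("mobile", "+1-555-0001"), ("landline", "+1-555-0002")],
               calls=[ciso, facilities])

# Constructed outage: the mobile network is down, so only non-mobile channels answer.
MOBILE_DOWN = {
    ("Crisis manager", "landline"),
    ("CISO", "satphone"),
    ("Ops deputy", "landline"),
    ("DBA on call", "pager"),
    ("Security desk", "radio"),
}

if __name__ == "__main__":
    notified, unreachable, log = activate(ROOT, MOBILE_DOWN)
    print("\n".join(log))
    print("notified:", notified)
    print("unreachable:", unreachable)
```

Running it shows why the plan wants more than one channel per person: with mobile down, the Ops lead is covered by a deputy on a landline, and when both Facilities contacts are unreachable the Crisis manager still reaches the Security desk by radio instead of that branch silently dropping out. The two lists returned are exactly what a coordinator needs to write down during activation: who has been told, and who still has to be found.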
The incident response policy should reference an incident response plan that all employees will follow, depending on their role in the process. The plan may contain several procedures and standards related to incident response. It is a living representation of an organization’s incident response policy.
The organization's vision, strategy and mission should shape the incident response process. Procedures to implement the plan should define the technical processes, techniques, checklists, and other tools that teams will use when responding to an incident.
Here are the phases commonly found in an incident response plan, following the NIST SP 800-61 incident response lifecycle: Preparation > Detection & Analysis > Containment, Eradication, & Recovery > Post-Incident Activity
Preparation
- Develop a policy approved by management.
- Identify critical data and systems and any single points of failure.
- Train staff on incident response.
- Implement an incident response team.
- Practice incident identification (first response).
- Identify roles and responsibilities.
- Plan the coordination of communication between stakeholders.
- Consider the possibility that a primary method of communication may not be available.
Detection & Analysis
- Monitor all possible attack vectors.
- Analyze the incident using known data and threat intelligence.
- Prioritize incident response.
- Standardize incident documentation.
Containment, Eradication, & Recovery
- Gather evidence.
- Choose an appropriate containment strategy.
- Identify the attacker.
- Isolate the attack.
Post-Incident Activity
- Identify evidence that may need to be retained.
- Document lessons learned. Conduct a retrospective of:
  - Preparation
  - Detection and Analysis
  - Containment, Eradication, and Recovery
  - Post-Incident Activity
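The Detection & Analysis items above (analyze, prioritize, standardize documentation) and the event/incident/breach definitions earlier on the page can be tied together in a small triage routine. The Python below is an added example, not code from the original page or the CC course material. The impact scale ("none", "partial", "full"), the scope weights, the P1 to P4 priority bands and the record field set are all assumptions chosen for illustration; the only rule the page itself fixes is that life, health and safety come first.

```python
from dataclasses import dataclass

# Assumed scales for this example: impact on each CIA property, and how widely it spreads.
IMPACT = {"none": 0, "partial": 1, "full": 2}
SCOPE = {"single": 1, "department": 2, "enterprise": 3}


@dataclass
class Observation:
    """One observable occurrence reported to the responders (constructed record layout)."""
    id: str
    source: str
    description: str
    confidentiality: str = "none"
    integrity: str = "none"
    availability: str = "none"
    scope: str = "single"
    life_safety: bool = False      # does it threaten people?
    pii_involved: bool = False     # did it touch personally identifiable information?


def classify(o):
    """Map the page's definitions onto a record.

    event    : observable occurrence, no effect on C, I or A
    incident : actually or potentially jeopardizes C, I or A (or safety)
    breach   : an incident in which PII confidentiality was compromised"""
    cia_hit = any(IMPACT[x] > 0 for x in (o.confidentiality, o.integrity, o.availability))
    if not (cia_hit or o.life_safety):
        return "event"
    if o.pii_involved and IMPACT[o.confidentiality] > 0:
        return "breach"
    return "incident"


def priority(o):
    """Assumed P1..P4 scheme: life, health and safety first; then the worst CIA
    impact, weighted by how far it spreads."""
    if o.life_safety:
        return "P1"
    worst = max(IMPACT[o.confidentiality], IMPACT[o.integrity], IMPACT[o.availability])
    score = worst * SCOPE[o.scope]
    if score >= 4:
        return "P2"
    if score >= 2:
        return "P3"
    return "P4"


def triage(observations):
    """Split a batch into the response queue (incidents and breaches, highest
    priority first) and benign events that only need to be logged."""
    queue = [o for o in observations if classify(o) != "event"]
    benign = [o for o in observations if classify(o) == "event"]
    queue.sort(key=lambda o: (priority(o), o.id))   # "P1" sorts before "P2", and so on
    return queue, benign


def incident_record(o):
    """Standardized documentation record (assumed field set): the artifact that
    Detection & Analysis hands to Containment, Eradication & Recovery."""
    return {
        "incident_id": o.id,
        "classification": classify(o),
        "priority": priority(o),
        "source": o.source,
        "description": o.description,
        "impact": {"confidentiality": o.confidentiality, "integrity": o.integrity,
                   "availability": o.availability, "scope": o.scope},
        "life_safety": o.life_safety,
        "phase": "Detection & Analysis",
        "status": "open",
    }


# Constructed sample batch; none of these refer to real systems or incidents.
OBSERVATIONS = [
    Observation("EV-001", "backup-server", "Nightly backup job completed"),
    Observation("EV-002", "vpn-gateway", "Burst of failed logins, no successful logon"),
    Observation("EV-003", "file-server", "Ransomware encrypted the finance department shares",
                integrity="full", availability="full", scope="department"),
    Observation("EV-004", "building-mgmt", "Smoke detected in the data hall, suppression armed",
                availability="partial", scope="enterprise", life_safety=True),
    Observation("EV-005", "helpdesk", "Unencrypted laptop with customer PII reported lost",
                confidentiality="full", pii_involved=True),
    Observation("EV-006", "web-server", "Public web page defaced", integrity="partial"),
]

if __name__ == "__main__":
    queue, benign = triage(OBSERVATIONS)
    for o in queue:
        print(priority(o), classify(o), o.id, o.description)
    print("logged only:", [o.id for o in benign])
```

The point the code makes is the one the page makes in prose: most of what a monitoring pipeline produces is events (the completed backup, the failed-login burst with no success) and is logged rather than responded to; anything touching confidentiality, integrity, availability or safety becomes an incident with a priority; and the smoke alarm outranks the ransomware because safety decisions always come first. The lost laptop is classified as a breach rather than a plain incident because PII is involved, which is what triggers the separate notification obligations the breach definition exists for.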
Disaster recovery planning steps in where business continuity (BC) leaves off.
When a disaster strikes or an interruption of business activities occurs, the disaster recovery plan (DRP) guides the actions of emergency response personnel until the end goal is reached—which is to see the business restored to full last-known reliable operations.
Disaster recovery refers specifically to restoring the information technology and communications services and systems needed by an organization, both during the period of disruption caused by an event and during the restoration of normal services. The recovery of a business function may be done independently of the recovery of IT and communications services; however, the recovery of IT is often crucial to the recovery and sustainment of business operations. The distinction to remember: business continuity planning (BCP) centers on maintaining critical business functions during the disruption, while disaster recovery planning (DRP) targets restoring the IT and communications services those functions depend on back to full operation afterward.
Depending on the size of the organization and the number of people involved in the DRP effort, organizations often maintain multiple types of plan documents, intended for different audiences.
The following list includes various types of documents worth considering:
- Executive summary providing a high-level overview of the plan
- Department-specific plans
- Technical guides for IT personnel responsible for implementing and maintaining critical backup systems
- Full copies of the plan for critical disaster recovery team members
- Checklists for certain individuals:
  - Critical disaster recovery team members will have checklists to help guide their actions amid the chaotic atmosphere of a disaster.
  - IT personnel will have technical guides helping them get the alternate sites up and running.
  - Managers and public relations personnel will have simple-to-follow, high-level documents to help them communicate the issue accurately without requiring input from team members who are busy working on the recovery.