October marks Cybersecurity Awareness Month. How should your organization respond to a cybersecurity incident in the new year?
We looked at the best practices to come up with this cyber incident response guide.
The cyber threat climate for 2025
Prognostication can be a fool’s errand. But when it comes to cyber incidents, we know for certain that threat actors and their tactics will keep evolving.
Already have a list of likely threats loaded into your incident management software? You will still need to keep that list current, and for 2025 the catalogue of threats is, according to experts, likely to include:
Ransomware
A staple of our post-pandemic moment, ransomware is a type of malware that prevents you from accessing your device and the data stored on it, usually by encrypting your files. A criminal group then demands a ransom in exchange for decryption.
In a typical ransomware intrusion, attackers first gain access to your network, establish control, and stage the encryption software. They often also take copies of your data and threaten to leak it (so-called double extortion), so that even an organization with good backups is under pressure to pay.
The malware is then triggered, locking devices and encrypting data across the network so that you can no longer access it.
A ransom note typically then appears on screen, explaining the demand and how to make the payment to unlock your computer or regain access to your data. Paying does not guarantee a working decryptor or that stolen data will be deleted, which is why tested backups and a rehearsed response plan matter more than the note suggests.
Phishing
Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers or credentials, through a fraudulent solicitation in an email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.
Denial of Service (DoS)
Denial of Service is the prevention of authorized access to resources or the delaying of time-critical operations. Distributed Denial of Service (DDoS) is a denial-of-service technique that uses numerous hosts, often a botnet of compromised machines, to perform the attack.
Insider threats
Insider threats encompass the risk that an insider will use authorized access, wittingly or unwittingly, to do harm, which is why they are hard to catch with perimeter controls alone.
The cyber incident response plan
What’s the plan of attack once you know what threats you’ll be facing? The next step is to develop the cyber incident response plan.
For the uninitiated, a cyber incident response plan is a written document, formally approved by the senior leadership team, that helps your organization before, during, and after a confirmed or suspected cybersecurity incident. A digitized version of that plan should be included in your incident management software, and a copy should remain reachable even if the systems that host it are themselves affected by the incident.
The plan will clarify roles and responsibilities and provide guidance on key activities. It should also include a list of key stakeholders who may be needed during a crisis.
Developing a best-practice cyber incident response plan
For many, the cyber incident response plan might be old hat. Cyber incidents, after all, have been a staple of the threat environment for some time now.
Of course, the cyber threat environment is always evolving. It therefore behooves even organizations with the most mature cyber programs to revisit the best-practice guidance that is available.
What are experts saying, exactly? Well, here’s some guidance from the Cybersecurity & Infrastructure Security Agency (CISA) on how to build a cyber incident response plan:
Mission, strategies, and goals
The National Institute of Standards and Technology outlines several elements to consider when developing a cyber incident response plan. For starters, each plan should be tailored and prioritized to meet the needs of the organization and adhere to current information sharing and reporting requirements, guidelines, and procedures, where they exist.
As appropriate, public and private sector entities are also encouraged to collaborate in the development of cyber incident response plans to promote shared situational awareness, information sharing, and acknowledge sector, technical, and geographical interdependences.
Organizational approach to incident response
Public and private sector entities should consider creating an entity-specific operational cyber incident response plan to further organize and coordinate their efforts in response to cyber incidents. Each organization should consider a plan that meets its unique requirements and relates to the organization’s mission, size, structure, and functions.
Risk assessments
Cybersecurity risk assessments assist organizations in understanding the cyber risks to their operations (mission, functions, critical services, image, reputation, and so on) so that the response plan prioritizes the assets and scenarios that matter most.
Cyber incident scoring system/criteria
Severity schema and scoring systems give organizations a repeatable and consistent mechanism for estimating the severity and risk of an incident, so that triage, escalation, and reporting decisions do not depend on who happens to be on shift.
Incident reporting and handling requirements
By definition, a cyber incident is an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems. Cyber incidents resulting in significant damage are of particular concern to local, state, and federal governments. Accordingly, victims are encouraged to report all cyber incidents that may result in significant loss and/or affect critical infrastructure or core government functions.
How the incident response team will communicate with the rest of the organization and with other organizations
The cyber incident response plan should ensure the capacity for timely communications in support of security, situational awareness, and operations, by any and all means available, among and between entities affected by the malicious cyber activity and all responders. That includes pre-arranged out-of-band channels, since email and chat may themselves be compromised or unavailable during an incident.
Communications with outside parties
Organizations will also have to communicate with external stakeholders, such as customers, constituents, the media, software and support vendors, law enforcement agencies, critical infrastructure sector partners, and more.
Roles and responsibilities
As noted, the main task of the cyber incident response plan is to lay out the people involved throughout the lifecycle of the incident, i.e., preparation, response, and recovery, and what they will be doing. Of course, roles and responsibilities will depend on the type of organization and type of cyber incident. However, some key roles include:
- Cyber incident manager. Responsible for implementing the incident management process, reporting, and escalating incidents.
- Security Operations Center (SOC). Centralized team that monitors and protects an organization's IT infrastructure from cyber threats.
- Technical Lead. Provides technical expertise to diagnose the incident and develop a solution.
- Legal Counsel. Offers legal advice during the cyber incident response procedure.
A training and exercise plan
Given how fluid the threat landscape is going into 2025, organizations can’t afford to plan and forget. Cyber incident response plans must be tested, through tabletop and live exercises, to iron out the kinks, and they must be updated with lessons learned and as new threats emerge. As a result, the plan should include a maintenance schedule and process. Incident management software should also come with exercise management functionality to facilitate plan testing.
Time to plan for cyber incident response in 2025
Although 2025 is still months away, there’s no time like the present to start planning for how to respond to a cybersecurity threat in the new year.
Already have a plan in place and looking for further guidance on how to detect and triage cyber incidents? We have you covered there, too. Check out our Guide to Improving Cyber Incident Response and Management.