Five Key Cyber Security Incident Response Playbooks Every Organization Should Have
“Be prepared” is the mantra that all organizations that are concerned about cyber security should follow. In many organizations, the concern about cyber security incidents is not about if they will occur, but when. The best way to minimize business impact and provide effective incident response capabilities to defend against cyberattacks is to develop and maintain incident response playbooks for key incident types in advance and regularly practice their use.
Cyber security incident response playbooks should include simple and highly prescriptive guidance to address issues for at least the first 72 hours after an incident has occurred. This period of time is often considered the “shock and awe” period, and many times the individuals involved in the response and the organization itself will be under stress. It is often during this time that critical mistakes and oversights are made due to stressful conditions. The playbooks should contain checklists, frameworks and materials that can be used to provide operational guidance, minimize business disruption, and ensure a comprehensive and effective response. There are many cyber security incident types that an organization can prepare itself for with playbooks. The following 5 incident playbooks are often useful since these incident types are both highly likely to occur and often lead to material business impacts if not properly contained and addressed:
- Ransomware—Ransomware attacks are not only technical in nature, but attack the morals and values of the individuals and organizations that they impact. The first reaction of many business leaders is not to pay ransom to regain access to their data or systems, but in some cases this may not be the best course of action. Playbooks for ransomware attacks should include decision trees and analysis tools for decision makers to understand the business impacts of the attack and identify their options regarding whether they should pay the ransom.
In some cases, the playbook may be as simple as to restore data from secured backups. Unfortunately, ransomware is becoming more sophisticated and multifaceted, which may make this option no longer viable. The backups that are relied on may become infected with ransomware or some other malicious software and become ineffective. In the case of potential denial of service (DoS) ransomware attacks in which networks will be flooded with data (making critical and revenue-generating systems unavailable), the investments and business disruptions required to defend against them may actually have more of a business impact than if the ransom is paid. The playbooks that are developed need to account for these considerations and the options that may be available to recover costs from this kind of incident, such as cyberinsurance.
- Malware/virus outbreak—Malware and virus outbreaks are not new phenomena in computing environments, but can often cause significant business disruptions and impacts if they are using sophisticated methods or leveraging zero-day vulnerabilities that vendors may not yet be aware of or for which they may not be able to quickly provide fixes. Incident response playbooks for this type of cyberincident should consider both business and operational response methods that account for everything from the easily identified and remediated outbreak to the advanced and persistent attack that may change and escalate during the response activity.
In the current threat landscape, many of the more sophisticated malware and virus attacks are often not discovered until they have been operating within a computing environment for a significant amount of time. It is important to include investigative capabilities for the effective identification of all systems that may have been exposed to the malicious code, and techniques to remove the code and remediate any impacts that may have been realized as a result of its use.
- Data breach—A data breach is a top-of-mind concern for many business leaders, especially those whose businesses interact with sensitive data elements such as personally identifiable information (PII), protected health information (PHI), and bank and card data. There are many forms of data breaches. They tend to have far-reaching impacts and consequences, both from the breach itself and from the disruptive nature of the incident response activities that are used to address it. For this reason, this playbook is often the most critical and difficult for organizations to develop and maintain.
Playbooks for data breach incidents need to include many elements, including internal and external communication plans, forensic discovery and investigation checklists and techniques, remediation plans, legal and regulatory considerations, third-party relationship management for both the breach response and possible impacts to and from the other party, and financial considerations. The key to developing a data breach playbook is to focus on the data and the highly likely and business-impacting threat scenarios that can impact it.
- Denial of service—DoS incidents are not new, but they can often cause significant business impacts to organizations that have little tolerance for downtime in their operations. DoS attacks are often associated with overwhelming networks with data so that others are prevented from accessing them. While this scenario should be included in a playbook, it is also suggested that other forms of DoS be considered as well. For instance, if an adversary can take advantage of a vulnerability in either a vendor-supplied or internally developed application, they can disable it with relatively little effort and without the need to flood networks with data.
When developing playbooks for DoS incidents, it is important to understand to what degree the organization can provide effective defenses internally compared to when they need to reach out to third parties for assistance. In the case of a network-based DoS attack against the organization’s web presence, it may be possible to implement tools and capabilities to mitigate the attack locally in its initial stages. As the traffic increases to considerable sizes, contacting network service providers and other outside parties who can implement network filtering and other defenses within their network infrastructure to address the malicious traffic closer to its sources is often required.
- Insider—An organization’s users are its greatest assets and its most challenging adversaries. It is difficult for many organizations to believe that their trusted employees and constituencies may actually turn against them. Unfortunately, these individuals tend to be able to conduct the most effective, covert and business-impacting attacks. When developing playbooks for insider incidents, it is important to be sensitive to trust issues and the identification of who should actually conduct the incident response. It is not recommended that internal individuals carry out these responses as they may be involved. It can also be damaging to the culture of an organization to have employees investigate each other. This can create long-lasting trust issues and negative morale.
Playbooks for insider incidents need to be coordinated with many groups, including human resources, senior leadership, legal and external incident response assistance, if used. These playbooks should consider the fact that insiders may be well aware of the security capabilities and controls that the organization currently has in place and how to evade them without notice. It is also important to remember that insiders who are carrying out malicious actions often are sensitive to investigative actions, changes in the environment, and adjustments to their access to systems and environments. The playbooks that are developed for insider incidents should be developed and distributed on a need-to-know basis and access to them should be strictly controlled.
John P. Pironti, CISA, CRISC, CISM, CGEIT, CISSP, ISSAP, ISSMP is the president of IP Architects LLC.
Risk and Value Considerations With Application Containerization
It is a fact that risk decisions are more time intensive than usage decisions. If that sounds strange, consider the analogy of a car. What does one need to know to operate a car? One needs to know how the controls work, the rules of the road, how to steer and brake, and so on. Now, consider what one needs to know to evaluate whether that same car is safe to operate. Not only does one need to know how to drive, but also the vehicle maintenance history, condition of the safety systems (e.g., seatbelts and airbags), the road conditions, and the condition of the engine, to name just a few of what is likely to be a fairly long list.
The reason this matters for practitioners (whether audit, security, governance or risk) is that, while business teams might make decisions about technology on the basis of usage, it is up to practitioners to understand, evaluate, report on and make recommendations based on the risk dynamics. This means practitioners have more to do relative to those who are evaluating usage and, typically, less time in which to do it.
This dynamic makes it a near certainty that practitioners start out under the gun when it comes to understanding the risk/value equation when faced with new technology usage, fast-paced adoption, shadow IT and other modern-day challenges. The faster the rate of adoption, the more pronounced the pattern becomes.
With this in mind, ISACA has issued guidance on the use of application containerization (for example, technologies such as Docker and rkt) in 2 parts. The first part outlines what the technology is and why it matters to the business, while the second part focuses on the impacts to the practitioner. Both are important to understand for several reasons. First, there are differences in how container-based services are secured and audited relative to other environments. Second, in many cases, use of containers can provide a security or assurance benefit to the organization (again, depending on usage). Lastly, it is important that practitioners start to understand the risk dynamics and value advantages now so that they are well positioned to provide the guidance to their organizations that internal stakeholders expect.
To download this publication, visit the Understanding the Enterprise Advantages of Application Containerization page of the ISACA web site.
Join the 2016 Member Get a Member Program
You can earn rewards by recruiting members to ISACA. From now until the end of 2016, earn credits for each colleague you recruit to become an ISACA member through the Member Get a Member program and your credits can add up quickly to a reward for your efforts. The more colleagues you recruit, the better reward you can enjoy. The prizes vary based on the number of members you recruit.
Referring colleagues to become ISACA members is easy. You can send them a modified version of the sample email. To earn credit for recruiting the member, ensure the email you send includes your colleague’s name and your member ID number. You will receive credit for recruiting your colleagues once they complete the application, pay their membership dues and enter your ISACA member ID number. Learn more on the Member Get a Member page of the ISACA web site.
Connect With the COBIT Community
The worldwide COBIT user community is a dynamic, engaged group of practitioners with significant knowledge and experience to share. Become more deeply involved in the COBIT community by sharing your knowledge. Consider submitting an article on your experience to COBIT Focus, ISACA’s weekly, peer-reviewed e-magazine. COBIT Focus articles include case studies, practical use articles and tips from COBIT trainers.
Writing for COBIT Focus is a flexible process that is intended to accommodate the needs and preferences of you and your enterprise to the greatest degree possible. Sharing your COBIT knowledge and experience with colleagues worldwide benefits everyone.
For more information, visit the COBIT Focus Submit an Article page of the ISACA web site. To submit an article, please contact firstname.lastname@example.org.
Advance Your Career and Grow Your Network With a CISM Certification
Before entering the information security field, Tim Sattler was a Ph.D. graduate in physics. Once he entered the information security field, Sattler knew that the Certified Information Security Manager (CISM) certification could help him go from consultant to manager. “I wanted to benchmark my skills against a renowned job standard for security managers,” he says. “After some market research, I came to the conclusion that the CISM certification would best meet my requirements.”
Being CISM certified helped Sattler land his job and it also helps him address obstacles at work. “One of the biggest challenges is to get and maintain a commitment to information security from the executive board and the line-of-business managers,” he says. “My CISM certification has helped me in this task because it fortified my ability to communicate information security issues in business terms.”
While the information required to earn and maintain a CISM certification is useful, Sattler finds the biggest benefit of the CISM certification to be unrelated to the knowledge it provides. “I would say the biggest benefit is being part of a huge network of peers within ISACA,” Sattler says. “If you just take the CISM exam and do not use the opportunity of networking with other CISMs, you will probably miss the best part.”
While Sattler has benefitted from a CISM certification, he knows that professional experience is just as important as being certified. “Certification is a good way to put your skills to the test and identify areas for improvement,” he says. “It also increases your recognition by potential employers, but let me put a caveat here: Certification alone will not get you the job. It certainly helps to get past the human resources department, but in the end, you will have to demonstrate your experience, performance and personal qualities beyond a certification.”
To learn more about ISACA certifications, visit the Certification page of the ISACA web site.