All-of-government attacks in Australia. The SolarWinds hack. Ransomware attacks on the Colonial Pipeline and Ireland’s healthcare services. Increasing in frequency, cyber attacks are hitting our most critical assets. And the organisations tasked with keeping those assets safe are up against formidable barriers to effective cyber incident response.
Key challenges to effective cyber incident response
Let’s start with the main issue. Ensuring that your systems and personnel can detect, understand, and respond to cyber incidents involves creating and deploying structured methodologies. That’s not easy.
On top of that, policymakers are adding public notification requirements, which make cyber incident response even harder.
Compliance, however, isn’t the only challenge critical asset owners face. There are myriad challenges to cyber incident response; structural, informational and incident-management barriers come to mind. The most salient of these include:
- Too many incidents. The sharp rise in cyber incidents creates alert fatigue, and not every alert signals a serious incident. The rapid acceleration in alerts often compromises an organisation’s ability to respond effectively to a serious breach.
- Incident response plans (IRPs) are too generic. Guidance on how to respond to cyber incidents is plentiful, and organisations are free to make use of it. But simply copying and pasting those plans isn’t the best idea; one-size-fits-all IRPs aren’t tailored to the needs and specifics of individual organisations.
- Plans are untested. Another complication: generic plans are less likely to be tested before a real-world incident. Oftentimes, customised plans haven’t been tested either, particularly since the transition to widespread remote working.
- Information pathways get clogged up. Effective cyber incident response often requires novel approaches, integration of disparate data sources, and a wide variety of outputs. That is not easy when your teams are unnecessarily segmented. Often, then, data pertinent to the incident isn’t made available to decision makers. When it is, information is strewn across hundreds of emails.
What are the intelligence agencies saying about cyber incident response and threat mitigation strategies?
What’s the solution? Public agencies provide a rich fount of best-practice mitigation strategies for preparing for and responding to cyber incidents. It’s best not to reproduce the guidance wholesale; instead, tailor it to the specifics of your organisation.
So, what have these agencies been saying specifically? The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) recently recommended:
- Require multi-factor authentication for remote access to OT and IT networks.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Implement a user training program and simulated spearphishing attacks to discourage users from visiting malicious websites or opening malicious attachments, and reinforce the appropriate user responses to spearphishing emails.
- Filter network traffic to prohibit ingress and egress communications with known malicious IP addresses. Prevent users from accessing malicious websites by implementing URL blocklists and/or allowlists.
- Update software, including operating systems, applications, and firmware on IT network assets, in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to determine which OT network assets and zones should participate in the patch management program.
- Limit access to resources over networks, especially by restricting RDP. After assessing risks, if RDP is deemed operationally necessary, restrict the originating sources and require multi-factor authentication.
- Set antivirus/antimalware programs to conduct regular scans of IT network assets using up-to-date signatures. Use a risk-based asset inventory strategy to determine how OT network assets are identified and evaluated for the presence of malware.
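Two of the controls above, filtering emails that carry executable attachments and enforcing URL blocklists or allowlists, come down to small decision rules that a mail gateway or web proxy applies to every message or request. The following Python snippet is an added illustration of those two rules and is not code from Noggin, CISA or the FBI. The extension list, the magic-byte table and the sample attachments and domains are constructed for the example; a real gateway would combine such checks with its antivirus engine rather than rely on them alone.

```python
from urllib.parse import urlparse

# Constructed list of attachment extensions treated as executable content.
# Real deployments tune this to their own environment and mail client population.
EXECUTABLE_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
    "jse", "wsf", "hta", "msi", "jar", "sh",
}

# Leading bytes that identify executable content regardless of the filename.
MAGIC_SIGNATURES = {
    b"MZ": "PE (Windows executable)",
    b"\x7fELF": "ELF (Linux executable)",
    b"#!": "script with shebang",
}


def attachment_is_executable(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an attachment should be filtered as executable.

    Returns (blocked, reason). Every dotted component after the base name is
    checked, so a double extension such as 'invoice.pdf.exe' is caught, and
    the file's leading bytes are checked so a PE renamed to '.jpg' is caught too.
    """
    components = filename.strip().lower().split(".")[1:]
    for ext in components:
        if ext in EXECUTABLE_EXTENSIONS:
            return True, f"extension .{ext} is on the executable list"
    for magic, description in MAGIC_SIGNATURES.items():
        if data.startswith(magic):
            return True, f"content looks like {description} despite filename"
    return False, "no executable indicators"


def _host_matches(host: str, domain: str) -> bool:
    """True when host is the domain itself or one of its subdomains."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def url_allowed(url: str, blocklist: set[str], allowlist: set[str]) -> bool:
    """Apply an allowlist if one is configured, otherwise fall back to the blocklist.

    With an allowlist present, only listed domains (and their subdomains) pass;
    the blocklist still applies on top, so a blocked subdomain of an allowed
    domain is denied. Without an allowlist, anything not blocked passes.
    """
    host = urlparse(url).hostname
    if not host:
        return False  # unparsable or host-less URL: deny by default
    if any(_host_matches(host, d) for d in blocklist):
        return False
    if allowlist:
        return any(_host_matches(host, d) for d in allowlist)
    return True


def triage_message(attachments: list[tuple[str, bytes]], urls: list[str],
                   blocklist: set[str], allowlist: set[str]) -> list[str]:
    """Return the list of reasons a message would be held; empty means deliver."""
    findings = []
    for name, data in attachments:
        blocked, reason = attachment_is_executable(name, data)
        if blocked:
            findings.append(f"attachment {name!r}: {reason}")
    for url in urls:
        if not url_allowed(url, blocklist, allowlist):
            findings.append(f"url {url!r}: host not permitted by policy")
    return findings


if __name__ == "__main__":
    # Constructed sample message: a renamed PE, a benign PDF, and two links.
    sample_attachments = [
        ("invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 16),
        ("quarterly.pdf", b"%PDF-1.7\n"),
        ("photo.jpg", b"MZ\x90\x00"),
    ]
    sample_urls = ["https://intranet.example.org/doc", "http://cdn.evil.example/x"]
    for line in triage_message(sample_attachments, sample_urls,
                               blocklist={"evil.example"}, allowlist=set()):
        print(line)
```

The allowlist branch in `url_allowed` is the stricter of the two postures the guidance offers: once an allowlist exists, an unknown host is denied rather than merely unblocked, which is the behaviour to prefer for OT-adjacent networks where the set of legitimate destinations is small and stable.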
The cyber threat is real, but so too are the challenges to effective cyber incident response. Overcoming the challenges will take time and effort, but technology can help. Not convinced? See how Noggin can help your organisation improve cyber incident management: