Abstract—This paper gives an overview of the importance of Incident Response Services in the cyber world, of how cyber threats can affect our company, and of why I, as the company's CISO, am asking for an increased budget to address them.
We are growing to almost three times our current headcount, so we have to take care of the company's cyber side as well: as a company grows, so do the attacks against it. We also have offices at several locations (Cork, Dublin, Amsterdam and Abu Dhabi), and more sites means more exposure.
Incident response tells us what to do if the company is under attack, how to respond to an attack, and how to prepare for future attacks by learning from previous ones. Beyond that, it protects the business and so supports its growth: a small increase in budget protects a much larger amount of revenue.
The paper describes how to prepare an effective incident response plan. It sheds light on the risk factors of an attack and describes some past attacks: what threats an incident response capability can help prevent, the probability of such attacks, the impact they can have on the business, and how an effective incident response plan addresses these problems.
Keywords— Incident Response, Security, Data Breach, Threat Detection, Risk Assessment, Business Impact, Recovery, Recent Attack, CISO, Financial loss.
Introduction to Incident Response Services
Incident Response Services are the organized approach to managing the effects of a cyberattack on an organization. The aim is to limit the damage and to recover as quickly as possible. Investigation is the central component: it is how the organization learns from the attack and improves for the future. Nowadays almost every company experiences an attack at some point, so a good incident response plan is the best way to protect the company.
No network is ever 100% secure; you have to prepare both the network and the employees, and in addition you need a disaster recovery plan to reduce the impact of a breach when one does happen.
According to the SANS Institute, an organization should establish a computer security incident response team (CSIRT) to lead incident response efforts. The team consists of IT, information security, upper-level management and physical security staff.
Steps to a Successful Incident Response Plan
1. Preparation
Preparation, as the name implies, covers everything done before an attack: developing the policies and processes to follow during a breach, training employees on what a breach looks like and what to do, and setting up documentation so that every action taken during an incident is recorded for later review.
2. Identification
Identification is the process of detecting an attack and triggering a quick response. It defines what activates the CSIRT: a stray USB drive found on the floor, a burst of failed logins that looks like a brute-force attack, or a combination of circumstances such as abnormal access and an unusual file upload within the same hour. Security teams identify these events through intrusion detection systems, firewalls and similar monitoring.
3. Containment
The first step after identification is containment: limiting the damage and preventing further penetration, for example by taking the affected subnetworks offline and falling back on system backups. There are two types. Short-term containment is the immediate response that stops the attack from spreading and doing further damage. Long-term containment puts temporary fixes in place so that systems can be returned to production for normal business operation while clean replacements are built.
4. Eradication
This stage removes the root cause of the incident: malware is removed, compromised accounts are reset, vulnerabilities are patched and affected systems are hardened or rebuilt. It also involves monitoring so that the affected systems are no longer vulnerable to the same type of attack.
5. Recovery
Recovery brings systems back into production after verifying that they are clean and not the source of a new security incident. At this point it becomes possible to calculate the cost of the damage and the breach.
6. Lessons Learned
This stage reviews the documentation of the incident together with the CSIRT and updates the incident response plan based on the feedback. It is one of the most important and most often overlooked stages: the team works out how to improve its response to future attacks. This involves rechecking current policies and procedures as well as the steps the team took during the incident. Afterwards an analysis report is written and used for future training. Protecting the organization also means hardening the network against malicious users based on what was learned.
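The identification and containment steps above, as an added example that is not part of the original paper: a small Python triage script run over a few constructed log lines. It flags a brute-force pattern (five or more failed logins from one source address inside a minute), correlates an off-hours successful login with a large file upload by the same user in the same hour, and emits the short-term containment actions an analyst would take first. The log format, the thresholds, the host and user names and the addresses are all assumptions made for the illustration; the iptables command is produced as a recommendation string, not executed.

```python
"""Added example (not from the original paper): identification over
constructed log lines, followed by the short-term containment actions.
Log format, thresholds, hosts, users and addresses are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failed logins, one success, a large upload.
SAMPLE_LOG = """\
2019-11-20 02:11:03 host=vpn-gw src=203.0.113.45 user=admin event=auth_fail
2019-11-20 02:11:05 host=vpn-gw src=203.0.113.45 user=admin event=auth_fail
2019-11-20 02:11:06 host=vpn-gw src=203.0.113.45 user=root event=auth_fail
2019-11-20 02:11:08 host=vpn-gw src=203.0.113.45 user=admin event=auth_fail
2019-11-20 02:11:09 host=vpn-gw src=203.0.113.45 user=jsmith event=auth_fail
2019-11-20 02:11:11 host=vpn-gw src=203.0.113.45 user=jsmith event=auth_ok
2019-11-20 02:37:40 host=fileshare src=10.0.5.17 user=jsmith event=upload bytes=734003200
2019-11-20 09:02:14 host=vpn-gw src=198.51.100.8 user=akumar event=auth_ok
"""

BRUTE_FORCE_FAILS = 5                        # this many failures from one source ...
BRUTE_FORCE_WINDOW = timedelta(seconds=60)   # ... inside this window is a brute force
BUSINESS_HOURS = range(7, 20)                # 07:00-19:59; anything else is "abnormal access"
LARGE_UPLOAD = 100 * 1024 * 1024             # bytes; assumed threshold for an unusual upload


def parse(log):
    """Turn 'date time key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        date, time, *kv = line.split()
        ev = dict(item.split("=", 1) for item in kv)
        ev["ts"] = datetime.fromisoformat(f"{date} {time}")
        ev["bytes"] = int(ev.get("bytes", 0))
        events.append(ev)
    return events


def detect_brute_force(events):
    """Sliding window per source: BRUTE_FORCE_FAILS auth_fail events within
    BRUTE_FORCE_WINDOW, regardless of which user names were tried.
    Returns {src: timestamp of the first failure in the offending window}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["event"] == "auth_fail":
            by_src[ev["src"]].append(ev["ts"])
    hits = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > BRUTE_FORCE_WINDOW:
                start += 1
            if end - start + 1 >= BRUTE_FORCE_FAILS:
                hits[src] = stamps[start]
                break
    return hits


def detect_offhours_upload(events):
    """Correlate an off-hours login with a large upload by the same user in
    the same clock hour. Returns (user, login src, upload host, bytes) tuples."""
    logins = [ev for ev in events
              if ev["event"] == "auth_ok" and ev["ts"].hour not in BUSINESS_HOURS]
    findings = []
    for login in logins:
        hour = login["ts"].replace(minute=0, second=0)
        for ev in events:
            if (ev["event"] == "upload" and ev["user"] == login["user"]
                    and ev["bytes"] >= LARGE_UPLOAD
                    and ev["ts"].replace(minute=0, second=0) == hour):
                findings.append((login["user"], login["src"], ev["host"], ev["bytes"]))
    return findings


def triage(log):
    """Identification findings plus the short-term containment each one calls for."""
    events = parse(log)
    incident = {
        "brute_force": detect_brute_force(events),
        "offhours_upload": detect_offhours_upload(events),
        "containment": [],
    }
    for src in incident["brute_force"]:
        incident["containment"].append(
            f"block {src} at the perimeter (iptables -I INPUT -s {src} -j DROP)")
    for user, _src, host, _size in incident["offhours_upload"]:
        incident["containment"].append(
            f"disable account {user}; isolate {host} from the user VLAN; preserve its logs")
    return incident


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2, default=str))
```

On the sample above the script reports the brute force from 203.0.113.45, the off-hours login by jsmith followed by a 700 MB upload in the same hour, and two containment actions. The timestamps it records are exactly what the lessons-learned review later needs, which is why the triage output is a dictionary rather than free text.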
Probability of Cyber Attacks for Incident Response Services
As the CISO, it is my responsibility to remind you how susceptible we are to cyber-attacks. Given how dependent we are on the internet and digital systems for our day-to-day operations, it is clear how exposed we are to attacks and data breaches. In cybersecurity, risk is the probability of an attack on our information systems combined with the potential loss or harm it would cause.
Risk is calculated by multiplying impact by probability, weighed against cost. Impact is the effect on the organization should an attack occur, probability is the likelihood of the event occurring within a given time span, and cost is the amount of resources needed to mitigate the risk. Risk assessments are important because they help protect assets while keeping a balance between functionality and security. It is essential that we identify our threats during the risk assessment. Common threats include:
- Data leakage
- Unauthorized access
- Misuse of privilege by an authorized user
- Loss of data
After listing the threats, we determine the impact of each risk and categorize it as low, medium or high. Low means the impact is minimal; medium means the impact will cause damage but is recoverable; high means the impact could be substantial. We then rate the likelihood of the attack as low, medium or high: low means the chances of the attack taking place are slim to none, or that controls are already in place; medium means the attack is feasible but can be controlled to a significant extent; high means the attack cannot realistically be prevented with the current controls.
Different studies give different probabilities of a company being hacked. Some show that one in every 312 companies is hacked each year, while others show that 46% of all UK businesses identify at least one cyber-attack or data breach per year.
Studies also show that the risk is higher for organizations that are relatively large, have lower leverage and have more intangible assets, and lower for organizations that have a risk committee.
Recent Attacks That Needed Incident Response Services
The reason I, as your CISO, have decided to deploy Incident Response Services here is that no company is immune to cyber-attacks. Here are a few examples of large companies that suffered some of the biggest data breaches of the past decade.
Facebook had more than 540 million of its users' records on unprotected servers until April 2019
Researchers from the cybersecurity firm UpGuard revealed that they had found two massive sets of Facebook user data publicly accessible on Amazon cloud storage. The data included usernames, passwords, names, comments and likes, ready for anyone who found it.
Marriott's reservation system was breached, exposing 500 million guests' private information, 2018
Hackers were able to access names, addresses, credit card details, phone numbers and other personal information such as travel itineraries and passport details.
160 million card records were stolen from multiple organizations, from Nasdaq to 7-Eleven, in intrusions prosecuted from 2009 onward
Albert "Segvec" Gonzalez, a notorious hacker, together with two Russian co-conspirators, broke into Nasdaq, Heartland Payment Systems, Hannaford Brothers, 7-Eleven and two other retailers using SQL injection. More than 160 million credit and debit card numbers were stolen, and the case has been described as the biggest data breach and identity theft case ever prosecuted in the United States.
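The SQL injection technique named in the Gonzalez case, as an added example that is not from the original paper or from any of the companies mentioned: the query pattern that makes a card-holder table injectable, beside the parameterised query that closes the hole, run against an in-memory SQLite database. The table, the card holders and the card numbers are constructed test data (standard-format test numbers, not real cards), and the merchant lookup is a hypothetical function, not any real payment processor's code.

```python
"""Added example (not from the original paper or the breached companies):
string-built SQL beside its parameterised form. All data is constructed."""
import sqlite3


def build_db():
    """Constructed table of card records; the PANs are test-format numbers, not real cards."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE cards (holder TEXT, pan TEXT, merchant TEXT)")
    con.executemany("INSERT INTO cards VALUES (?, ?, ?)", [
        ("A. Customer", "4000000000000002", "store-17"),
        ("B. Customer", "5200000000000007", "store-17"),
        ("C. Customer", "4000000000000010", "store-42"),
    ])
    return con


def lookup_vulnerable(con, merchant):
    """Hypothetical vulnerable lookup: the merchant value is concatenated into the
    statement, so a quote character in the input rewrites the query itself."""
    sql = "SELECT holder, pan FROM cards WHERE merchant = '" + merchant + "'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, merchant):
    """Same lookup with a bound parameter: the driver sends the value separately
    from the statement text, so input can only ever be compared, never executed."""
    return con.execute(
        "SELECT holder, pan FROM cards WHERE merchant = ?", (merchant,)).fetchall()


def demo():
    """Run both lookups with an honest value and with the classic tautology payload."""
    con = build_db()
    honest = "store-17"
    hostile = "x' OR '1'='1"   # closes the literal, then appends an always-true clause
    return {
        "vuln_honest": lookup_vulnerable(con, honest),    # the two store-17 rows
        "vuln_hostile": lookup_vulnerable(con, hostile),  # every card in the table leaks
        "hard_honest": lookup_hardened(con, honest),      # same two rows
        "hard_hostile": lookup_hardened(con, hostile),    # no merchant has that literal name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:13s} -> {len(rows)} row(s): {rows}")
```

The hostile input turns the vulnerable statement into `... WHERE merchant = 'x' OR '1'='1'`, which matches every row; the same input handed to the parameterised query is compared as a plain string and matches nothing. From an incident response point of view the vulnerable form is also the reason the breach was so large: one injectable query exposes the whole table, not one merchant's records.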
150 million records were breached from Adobe, 2013
Adobe initially said that about 3 million accounts were affected. It later revised the figure to 38 million, and analysis of the leaked database by the security firm Sophos showed that it actually contained more than 150 million records, although Adobe said many of these were invalid or inactive IDs, accounts with invalid encrypted passwords, and test data.
145 million eBay customers' data was compromised by hacking 3 employees' accounts to reach the database
In 2014 the data of 145 million customers was stolen by cyber thieves, making it one of the biggest such attacks ever launched on a corporation at the time. Using three compromised employee accounts, the attackers reached the user database and obtained email addresses and encrypted passwords for all users. To prevent attacks of this kind in the future, eBay has since taken measures such as closing off back-door access paths.
Back in 2017, Equifax was breached, exposing 143 million consumers' data
Equifax is one of the large credit reporting agencies in the United States. Hackers gained access to the most sensitive personal information it holds on consumers: Social Security numbers and driver's license numbers. Names, birth dates, addresses and some credit card numbers were also stolen, along with other private documents. The investigation found that the breach was possible through a known but unpatched vulnerability in a web application framework (Apache Struts) on its website.
Impact on Business by Incident Response Services
As cybersecurity incidents increase significantly worldwide, the financial impact has increased with them. In recent years a number of companies have reported losses of around $20 million, almost double earlier figures, as the number of reported security incidents rose by 48 percent to 42.8 million. With offices in four countries, the impact on our business would be very high, which is why effective risk management matters. Beyond the financial impact, business disruption attacks against the network and core operations are also increasing, with several cases in large retail and financial organizations. A Ponemon Institute study says only 14% of companies participate in the incident response process. Incident response handling requires operational risk management, integrated in a systematic manner so that incidents can be prioritized.
A. Devaluation of trade name:
The value of the company's trade name will decrease, which can cost millions. To quantify this, the value before and after the incident is assessed. Over the years the erosion shows up as lost revenue as members or clients leave. For us, devaluation of the trade name would be felt at all our locations, Cork, Dublin, Amsterdam and Abu Dhabi alike.
B. Lost value of customer relationships:
An incident can result in a decline in annual revenue through lost members or customers, who leave because they lose confidence in the company's protection policies.
C. Operational disruption:
A cyberattack can disrupt company operations and lead to very large losses from the drop in productivity. There is also a chance of IP being stolen, which can result in competitors replicating the company's functionality and capabilities.
D. Loss of IP:
IP may be stolen during a cyberattack, which can cost millions. The company's performance and market share rest largely on its proprietary technology and trade secrets.
E. Value of lost contract revenue:
In the example referred to above, the contract was not cancelled because the company worked to reduce the damage of the incident, but the adjusted premium increase still ran to millions, as premium growth rates rose steadily to meet the average growth rate.
F. Cybersecurity improvements:
The costs of cybersecurity improvements are the direct expenses for upgrades to technical infrastructure, security controls, surrounding processes and monitoring capabilities, made to recover business operations after an incident or to prevent similar incidents in the future.
How IR Plan Addresses our Problems
An incident response plan helps ensure that the proper steps are taken. It covers how incident response supports the organization's broader mission and the approach the organization takes to incidents. Because the plan has several phases, we have to define the activities required in each phase, the roles and responsibilities, the communication between the incident response team and the rest of the organization, and the methods used to measure incident response capabilities. The plan's value does not end when the incident is over: the information acquired during the process feeds back into risk management and improves the handling of future incidents.
Cyber incidents are not just a technical problem; they are a real business problem. The incident response plan will be designed to align with the organization's priorities and its acceptable level of risk. The likelihood of a cyber-attack is high, so having a proper IR plan will help the company grow safely from 150 to 500 employees. According to a survey by the Ponemon Institute, 77% of respondents say they lack a proper formal incident response plan, which makes the response process lengthy, and 65% say the severity of attacks is increasing.
During the preparation phase the IR team is assembled from a cross-section of technical experts, with the business functions acting in support: legal, management, technical and security liaisons, in short every department that would be affected by an incident. The plan decides who in the organization has the responsibility and authority to make critical decisions. The plan is developed in this phase, and whenever it is updated all involved people are notified. Proper tools are put in place to collect endpoint and incident data. In the detection and analysis phase the team focuses on detecting incidents continuously, because the sooner an incident is detected the smaller its impact.
The incident manager works closely with the business to ensure the response is timely and calibrated. In the last phase of the IR plan the team analyzes the lessons learned.
Incident Response Services are an important factor in the company's profitability: even if the company is attacked only once a year, the losses can be enormous if it is not ready to respond.
Incident Response Services give a clear view of the attack, how to minimize it and how to respond to it, so that the business is brought back to its previous running condition smoothly.
A managed approach to incident response is vital to keep the cybersecurity agenda consistent with the priorities of the business and to provide an effective, practical mechanism for prioritizing incidents. Response and recovery become more efficient and targeted. The IR team should invest in training and in spreading knowledge of the plan so that members can deal with future incidents. As the company has decided to grow from 150 to 500 employees, having a proper IR plan, and making people aware of it, will help the company in many ways.
Being ready with a plan lets the organization handle a disaster in less time and at lower cost. A good incident response plan also helps mitigate future disasters. Developing and implementing the plan supports the company's mission to its customers and the confidence of stakeholders, partners and employees.
Aleena Gerard and Rhea Bonnerji also contributed to this article.
- J. Petters, "What Is Incident Response? A 6 Step Plan", Varonis Inside Out Security, 11 Sept. 2018. https://www.varonis.com/blog/incident-response-plan/
- Image: "Updating Incident Response for the Cloud", Trend Micro blog, http://blog.trendmicro.com/wp-content/uploads/2014/03/incident-response-process.png, from https://blog.trendmicro.com/pdating-incident-response-for-the-cloud/ (accessed 24 Nov. 2019).
- "What Is Incident Response?", Forcepoint, 12 Nov. 2018. https://www.forcepoint.com/cyber-edu/incident-response
- "What Is Incident Response?", Digital Guardian, 31 Aug. 2015. https://digitalguardian.com/blog/what-incident-response
- "The real information security risk equation", Information Security Magazine, SearchSecurity. https://searchsecurity.techtarget.com/magazineContent/The-real-information-security-risk-equation (accessed 18 Nov. 2019).
- B. Metivier, "6 Steps to a Cybersecurity Risk Assessment", Tyler Cybersecurity. https://www.tylercybersecurity.com/blog/6-steps-to-a-cybersecurity-risk-assessment (accessed 18 Nov. 2019).
- Image: "Risk Assessment Template Checklist", SafetyCulture. https://public-library.safetyculture.io/products/risk-assessment-template-fETAU (accessed 24 Nov. 2019).
- Image: "Microsoft: Cyberattacks Now the Top Risk, Say Businesses", ZDNet. https://www.zdnet.com/article/microsoft-cyberattacks-now-the-top-risk-say-businesses/ (accessed 1 Dec. 2019).
- S. Langkemper, "Probability of cyber-attacks", 16 Jan. 2019. https://www.sjoerdlangkemper.nl/2019/01/16/probability-of-cyberattack/ (accessed 19 Nov. 2019).
- A. Holmes, "Hackers have become so sophisticated that nearly 4 billion records have been stolen from people in the last decade alone. Here are the 10 biggest data breaches of the 2010s", Business Insider. https://www.businessinsider.com/biggest-hacks-2010s-facebook-equifax-adobe-marriott-2019-10 (accessed 19 Nov. 2019).
- K. Zetter, "TJX Hacker Charged With Heartland, Hannaford Breaches", Wired, 17 Aug. 2009.
- J. F. and D. Seetharaman, "Cyber Thieves Took Data On 145 Million eBay Customers By Hacking 3 Corporate Employees", Business Insider. https://www.businessinsider.com/cyber-thieves-took-data-on-145-million-ebay-customers-by-hacking-3-corporate-employees-2014-5 (accessed 19 Nov. 2019).
- T. S. Bernard, T. Hsu, N. Perlroth and R. Lieber, "Equifax Says Cyberattack May Have Affected 143 Million in the U.S.", The New York Times, 7 Sept. 2017.
- C. Hari Mukundhan, "A Business-integrated Approach to Incident Response".
- Image: "Risk Management" (BCM framework), UMC Corporate Social Responsibility. http://www.umc.com/English/CSR/c_1.asp (accessed 24 Nov. 2019).
- "Why Every Organization Needs an Incident Response Plan", Dark Reading. https://www.darkreading.com/edge/theedge/why-every-organization-needs-an-incident-response-plan/b/d-id/1335395 (accessed 22 Nov. 2019).
- "Incident Response | What is an Incident Response Plan?", CrowdStrike. https://www.crowdstrike.com/epp-101/incident-response-ir-plan/ (accessed 22 Nov. 2019).
- Image: "IBM Study Shows Data Breach Costs on the Rise; Financial Impact Felt for Years", IBM Newsroom, 23 July 2019. https://newsroom.ibm.com/2019-07-23-IBM-Study-Shows-Data-Breach-Costs-on-the-Rise-Financial-Impact-Felt-for-Years (accessed 24 Nov. 2019).