Defending Against Cyber Threats with Incident Response

Presented by Symantec | DLT

What Feds Need to Know Before the Next Cyber Threat

Last year may have been “the year of the breach,” but so far this year a number of federal, state and local governments have fallen victim to high-profile breaches. Given the sophistication of recent incidents, agencies are starting to rethink how they approach cybersecurity: moving from security programs built around prevention to ones built around the assumption that a breach will happen.

Incident response plans are integral to this shift. They let government leaders ready themselves for future threats by running simulated trainings and scenarios in which an attacker attempts to break in. This approach is a push toward preparedness, says Don Maclean, Chief Cybersecurity Technologist at DLT. With an incident response plan in place, government can move with precision and speed to mitigate damage from an attack, he says.

To learn how agencies are responding to threats, we asked Maclean and his colleague Robert Myles, National Practice Manager for Government at Symantec, to lay out the essential elements of an incident response plan.

Q: When agencies are thinking about cybersecurity, how important is the incident response plan? Can you describe what a plan might look like?

Don Maclean: Every threat report shows a very high percentage of organizations being compromised today, and these incidents are occurring with increasing frequency. We’re seeing high-profile cases, such as the Office of Personnel Management breach or the Internal Revenue Service breach. In my view, you have to accept that this will happen to you, which is why it’s so important to have an incident response plan. You need a plan that takes the threat seriously, and you also need to exercise that plan routinely. Using simulations and test scenarios, government leaders can help put a plan into action.

Robert Myles: It really does come down to preparedness. When agencies prepare for the possibility of a cyber incident, they should develop a breach response plan, know how to exercise it and have identified who the key stakeholders are. The incident response team should include personnel from IT, legal, HR and public affairs, as well as anyone responsible for policies or procedures tied to cybersecurity. Agencies should also be using a retainer service to help in the event of a breach. When you have the key stakeholders in place, you’ll see incident response times speed up, and the organization will recover more quickly. Ultimately, what you want to do is mitigate the damage, recover, then get back to business.

Q: Given the number of recent cyber breaches, are agencies changing the way they address incident response planning? Are agencies taking a different look at their plan?

Maclean: Keep in mind that government is facing a shift in mindset. Agencies are starting to look at security threats differently. Reputational damage used to be the main concern, but now agencies must also be thinking about the victims. Remember, government has enormous amounts of data and records. The impact of a breach today goes beyond simply affecting the institution. People are often harmed by breaches.

The first triage response to the OPM breach was a cybersecurity sprint, and that sprint was oriented around prevention, rather than response. But, as you’re thinking about preventing attacks, you also have to be thinking about the next compromise. Federal leaders need to be spending much more time looking at incident response planning. A threat report from Symantec says that “mega” breaches have happened more frequently in the last year, and typically these breaches have taken longer for organizations to identify. As we’ve seen from recent attacks, it’s usually a third-party security team that will identify breaches within institutions.

Q: Talk about how an outside security support can help an agency identify threats and breaches.

Myles: Both at the state and federal levels, there are examples where breaches were discovered by third-party support. Most of the time organizations don’t detect breaches within their own systems. It’s usually someone else pointing out the unusual activity and recommending remediation steps.

Why does this happen? Remember: we’re not dealing with a single hacker anymore. These are unified teams of attackers, and you need a similar unified team that can be on guard. The only way agencies can survive today is through rapid response. But precision and speed will only come from preparation. The National Institute of Standards and Technology requires agencies to implement incident response planning. This requirement is good, but agencies need to go beyond checking off a box. For incident response to be effective, you have to work through multiple hypothetical scenarios. In addition, automation should play a big role in your incident response planning.

Q: Why should agencies be thinking about including automation in their incident response plans?

Maclean: Automated response and systems give agencies a way to implement security policies across the organization. If you have a security requirement that requires employees to change their password every 90 days, then an automated tool can do the scan to ensure that compliance is happening. There are also technologies, like multi-factor authentication systems, that help to ensure your organization is protected. If you think about the style of attacks happening today, they’re mostly remote attacks, so automated systems like multi-factor authentication will go a long way toward protecting an agency and preventing an attack.

To learn more about how agencies can prepare for future attacks with an incident response plan, watch this Nextgov viewcast.

This content is made possible by our sponsor. The editorial staff of Nextgov was not involved in its preparation.