Packt_editing_task


Editing task

The following chapter has been checked by a technical reviewer (Leighton). We also have some feedback from customers about the previous edition of this book:

1) The book is written in an unprofessional way and the chapters lack organisation.
2) The content is at a low level. It doesn’t meet the needs of more experienced professionals in the cybersecurity field.
3) There are inconsistencies between chapters and some information is technically inaccurate.

This shows that the book is currently not aligned with the needs of Packt’s
customers.

Task 1
Here is the published version of the book. Please find two books on a
similar topic. Can you identify any common factors that led to either
positive or negative reviews on Amazon? Please name the books and add
your notes below.

Task 2
Use the feedback provided to give editorial direction to the author. How
should the author improve the chapter?
Chapter 2
Incident Response – Evolution and Current Challenges
Introduction
Incident response is the approach used to manage security incidents in order to reduce damage to an organization and speed up the recovery of any affected services or functionalities. Incident response activities follow an incident response plan and are executed by an incident response team. The incident response team is made up of employees from different departments as well as members of the security team. The incident response plan is the set of directions that outlines the response procedures and the roles of the different team members. Incident response has become a necessity for organizations facing rising threat levels, and this chapter discusses its importance.

Benefits of Incident Response

Handling incidents effectively

When a security incident occurs, confusion might hit an organization, especially if it has never handled a similar security event before. An informed incident response plan guides organizations, regardless of prior experience, on how to handle each aspect of an incident. Incident response also mitigates the effects of a security event to ensure minimal damage and fast recovery of key business processes. Therefore, depending on the stage of an attack or intrusion, the incident response plan will detail the steps that must be taken to ensure the best outcome for the organization. Without this guiding tool, the organization would find it hard to contain any security event systematically.

Protecting the company brand

IT security is closely tied to the reputation and valuation of an organization. As observed in recent breaches, poorly handled security incidents hurt the brands of the affected companies. For instance, Yahoo's valuation dropped by 350 million US dollars after its 2017 hack that was reported to have affected one billion users. Similarly, a report by Kacy Zurkus indicated that a common aftermath of security breaches in organizations is a decrease in stock price; she estimated the average drop to be 7.5%. Security incidents, if correctly handled, might not have a terminal effect on the brand of the company. Sergei Klebnikov reports that, thanks to effective incident management, big-name companies that have been victims of security breaches mostly recover and outperform the market in as little as six months after the breach. For instance, post-incident activities in such companies might include more optimized customer relationship management to ensure that the existing clientele is retained and new customers are strategically acquired. Thus, incident response provides ways for the organization to prevent negative publicity and so maintain or grow its market share.

Figure 1: There are two types of companies: those that know they have been hacked, and the others.

Preventing future breaches

As discussed in another chapter of this book, the last phase of an incident management plan is the avoidance of future security incidents. Therefore, incident response will mostly lead to better-secured organizations, since the response team will identify the exploited vulnerability and implement permanent fixes to prevent the incident from recurring. Some of these fixes include setting up schedules for patching, security evaluations, and backups to ensure that the organization will be best placed to deal with any future security incident. Therefore, incident response acts as a deterrent to future potential attacks.

Preparing for attacks

With the increased number of attacks, organizations are being advised to adopt cyber resilience in order to survive security breaches. One of the ways to ensure resilience is by having incident response teams and plans ready at all times. These two tools are part of a larger defense mechanism that an organization develops to ensure the security or recovery of its core assets during a security incident. Incident response entails putting together a competent team and structuring highly effective response plans that can be activated when required. Therefore, it involves planning how to ensure the defense or survival of the organization before the actual attacks begin.

What is Cyber Resilience?

Cyber resilience is a new approach to security that recognizes the threat of persistent, changing attacks. Having a resilient cyber security strategy that enables an organization to respond to inevitable breaches is key, rather than hoping that its data will never be compromised. Cyber resilience is a crucial counterpart to cyber security. As mentioned earlier, there are no shortcuts in cyber security, so it’s important to adopt a long-term strategy. Below are the steps for developing a long-term cyber resilience strategy:

Figure 2: Cyber Resilience Strategy steps

1. Baseline assessment: The step where you align your organization’s business requirements with your operational context and determine how you can build a successful strategy.
2. Identify resources and controls: In this step you need to identify your resources and controls to ensure that your operational objectives are fully aligned with the strategy.
3. Create a plan: Agree on an initial plan of action, which includes working with third-party partners.
4. Execute the plan.
5. Report: Define the expected outcomes of the strategy for the short term (30 days), mid term (60 days) and long term (180 days). (You can change the outcome periods based on your needs.)
6. Manage: This plan needs to be continually updated and managed accordingly.

Assessing security safeguards

Incident response is modeled around the existing defense mechanisms that the organization has. Thus, during the development of an incident response plan, the organization has to assess all its other defenses to work out how they will work with the incident response team. Commonly, network security tools, enterprise and host-based antivirus systems, endpoint detection and response systems, intrusion detection systems, cloud connections and user awareness training are considered, and thus evaluated, when setting up an incident response plan (Figure 3). The assessment of these tools gives the organization room to find weaknesses in its safeguards and make changes to ensure better security.

Figure 3: Assessing your security safeguards.

Aiding investigations and legal prosecutions

In the incident response process, the third phase is the investigation stage, where the incident response team collects and examines evidence relating to the security incident. The evidence is retrieved from an assortment of sources such as logs, users, and security tools, and may help identify the attacker or reveal trails to other complicit parties. Eventually, the evidence can be used in the prosecution of suspects in court. Therefore, from a legal perspective, incident response is important as it may help the organization win legal battles against suspected attackers, malicious employees, or unscrupulous third parties.

Figure 4: For evidence collection, tools such as IREC can be used.

Bringing the organization together during crises

In most organizations, employees are grouped into functional units, hence they only concentrate on tasks pertinent to their departments. Incident response teams are composed of personnel from different departments who work towards preventing extensive damage and ensuring the recovery of the organization during security incidents. During security events such as attacks, each team member brings competencies from their respective department. For instance, communications personnel will disseminate information as appropriate to all stakeholders during an attack, while an IT support specialist will be involved in stopping the execution of the attack. The collaboration of many departments in the incident response process improves cohesion and cooperation in the organization even after the security incident has been dealt with.

Improving the overall security posture of the organization

Conventionally, organizations relied on cybersecurity tools to ensure their security. Hence, only the IT department was tasked with cybersecurity-related functions. However, as the frequency, complexity, and intensity of attacks have grown, organizations have had to adopt more effective security measures to prevent, combat, and manage attacks. Incident response is one of the relatively new ways to improve the security posture of the organization. When all else fails and an attack penetrates the organization, the incident response team can be tasked with eliminating the source and recovering the organization. Thus, security no longer rests solely on security software but also on a highly effective team that will resolve security threats when they occur.

Below are six best practices you can use to improve your organization's security posture. We will dig into the details throughout different chapters of this book (Figure 5).
1. Conduct a cybersecurity risk assessment. ...
2. Prioritize risk. ...
3. Track security metrics. ...
4. Implement automated cybersecurity solutions. ...
5. Educate your employees. ...
6. Create an incident response plan

Figure 5: Six best practices you can use to improve your organization's security posture

Ensuring the integration of security initiatives

Organizations might have several security initiatives that work independently. For instance, many organizations have IT security policies, employee training programs, security awareness programs, IT auditing, change management plans, and penetration testing as part of their security framework. However, most of these initiatives are not integrated. For instance, penetration testing exercises might not be connected to employee training programs. Incident response has a unifying effect on the existing security measures to bolster the defense capability of the organization. Therefore, during incident response planning, all these tools will be identified and refined to work together in securing the organization. For example, during the planning process, related initiatives such as employee training and security awareness programs can be combined. Similarly, IT auditing and penetration testing could be made to complement each other, where pen testers identify weaknesses first and IT auditors focus more on the problematic areas when examining the organization's IT assets.

Incident Response Evolution

Compared with just a decade ago, the security landscape has evolved. The threats are more sophisticated. Not just organizations but more and more devices keep getting connected to the internet. While all these changes are happening, attacks have also evolved. Script kiddies were once the main culprits and their motivation was “mischief”, but today we see that criminals are getting more and more organized and their “fraud and theft” capabilities keep increasing. Besides script kiddies and organized criminals, nation states and activists are causing serious financial damage as well as negative brand reputation (Figure 6).

Figure 6: Evolution of Attacks

The Verizon Data Breach Record 2019, which is based on a detailed analysis of 41,686 security incidents, including 2,013 confirmed data breaches, gives the following statistics on who is behind cyber-attacks:
- 69% involved outsiders
- 34% involved internal actors
- 2% involved partners
- 5% featured multiple parties
- 39% of breaches involved organized criminal groups
- 23% involved nation-state or state-affiliated actors

When we look at the threat actors’ actions, we see:
- 52% of breaches involved hacking
- 33% included social attacks
- 28% involved malware
- 21% of breaches involved human error
- 15% involved misuse by authorized users
- 4% of breaches involved physical actions

The report also highlighted that the victims were:
- 16% public sector entities
- 15% healthcare organizations
- 10% financial organizations
- 43% small businesses

As you can see from the above figures, the growth of technology, together with the evolution of the threat landscape, has forced structural change in incident response.
To be able to deal with these complex attacks, which affect organizations of any size, it’s important to develop incident response teams, which we will cover in the next chapter (Chapter 3: How to Organize an Incident Response Team).

It’s important to highlight that the threat landscape will continue to evolve, but the basics of incident response will keep developing around the same framework: identify, contain, eradicate and recover from incidents.

The main differentiating factor will be how you develop your incident response: do you have the capacity to perform IR internally, or do you need to outsource IR partially or fully? Let’s leave the answer to this question to Chapter 3.

As you have learned by now, it is no longer a question of whether you will experience an incident, but rather when. You need to communicate this to senior management, because incident response requires approval from every business unit.

TIPS
- As discussed in Chapter 1, be ready.
- Build proper detection and reporting capabilities.
- Education and awareness should be one of your core priorities.
- Always keep an eye on data breach reports from Verizon, Microsoft, Kaspersky as well as other vendors. If you don’t want to go through all those individual web sites, you can check my blog, where I keep all those reports under one blog post every year: https://www.ErdalOzkaya.com

Figure 7: Threat reports under one link, updated regularly.

Conclusion
Incidents are on the increase, and it has become quite apparent that if they are not contained properly, they can easily escalate into issues that can damage an organization. A reliable solution is to prepare adequately for how to address security incidents when they happen. Incident response enables organizations to take the essential steps to address ever-present cyber threats. This chapter has gone through the importance of incident response. As explained, incident response helps the organization to handle incidents effectively by providing a guide that can be used to contain and mitigate the effects of security events. Further, it helps protect the company brand by handling any eventualities that might ruin the reputation of the company. Additionally, incident response can prevent future breaches by ensuring the implementation of permanent fixes to common security incident sources. Moreover, it helps the organization to prepare for attacks by boosting its cyber resilience. Furthermore, incident response contributes to the improvement of the security posture of the organization by providing a reliable means of eliminating threats and recovering the organization. Likewise, it also ensures the integration of an organization's security initiatives. Lastly, it can aid in investigations and court prosecutions by collecting evidence that can be used to build a case against suspected attackers.
Therefore, incident response is a necessity in organizations today. Poor handling of incidents can lead to the escalation of manageable security events into catastrophes. As recent reports on security incidents have shown, incident response helps organizations to minimize losses, mitigate attacks, and even prevent future security incidents. To achieve the best outcomes in incident response, the organization should ensure that it acts with speed immediately after a security event is detected. However, before executing the mitigative actions, the nature and extent of the security incident have to be determined. In the short term, the organization ought to focus on deploying resources to combating the active threat and returning the organization to normalcy. This should be done in parallel with seeking assistance from law enforcement and third parties to assist with tracking the cause. In the long term, incident response activities can be focused on identifying the cause of the threat to find permanent fixes, improving the security tools used to ensure better detection and prevention, prosecuting the culpable parties, and addressing reputational damage.
Although conventional cybersecurity approaches rely heavily on security tools, new threats are best mitigated by people and processes. Hence, incident response, which combines the efforts of security tools with people and processes, will often lead to more effective solutions. Organizations must, however, continually evaluate their incident response plans and teams to ensure that their effectiveness improves over time. Nonetheless, the importance of incident response in modern IT environments cannot be discounted.

Further Reading
The following are resources that can be used to gain more knowledge on this chapter:
1. https://www.forbes.com/sites/sergeiklebnikov/2019/11/06/companies-with-security-fails-dont-see-their-stocks-drop-as-much-according-to-report/#29da9aed62e0
2. https://www.infosecurity-magazine.com/news/companies-stock-value-dropped-1/
3. https://www.hitachi-systems-security.com/blog/benefits-incident-response-plan/
4. https://www.channelpronetwork.com/article/importance-incident-response-planning
5. https://www.darkreading.com/edge/theedge/why-every-organization-needs-an-incident-response-plan/b/d-id/1335395
6. https://www.infosecurity-magazine.com/opinions/the-importance-of-a-cyber-incident/
7. https://searchsecurity.techtarget.com/definition/incident-response
