Phone Number +1-202-802-9399 (US)
The Lockdown

Thycotic’s Cyber Security Blog

Cyber Security Incident Reporting Process and Template

Written by Joseph Carson

May 6th, 2021

Ever since we launched our customizable cyber security incident report template, I’ve been amazed by its volume of downloads.

I quickly realized that the increasing cyber threats from criminal hackers, malware, and ransomware being taken seriously by organizations large and small, and that there is a growing demand for guidance and information on cyber security incident response and reporting.

Mangools.com, a Slovakian company that provides advanced tools for monitoring online search engine activity, indicates that that online searches for the phrases “cyber security incident report template” and “cyber security incident response” are increasing at a mind-blowing rate year over year.

 

Cyber Security Incident Report Template Search Trend

Search volume for CYBER SECURITY INCIDENT REPORT TEMPLATE – mangools.com

 

Cyber Security Incident Response Search Trend

Search volume for CYBER SECURITY INCIDENT RESPONSE – mangools.com

So, organizations are getting on board with cyber risk, and this is great news. I’ve been writing, tweeting, and giving talks about how to respond to cyber incidents for some time now—and companies are listening. Many are now taking action.

If you’re ready to get on board with properly minimizing the risk to your organization and data during or after a breach, but are not 100% sure of the process—this is the place to start. I’ll provide some procedure resources for handling the cyber incident response process, but let’s start by addressing 4 common questions.

  1. What is incident response?

Incident response is an organization’s reaction to halting and recovering from a security incident, and the response plan must be in place before the incident occurs. Incident response is one of the major components to helping an organization become more resilient to cyber attacks.

You may already know a security incident as:

  • An information security incident
  • An IT security incident
  • A network security incident
  • A security breach
  • A data breach
  • A cyber attack
  • Or, “We’ve been hacked!”

They’re all pretty much cut from the same cloth, and the only good response is to meticulously follow a tailored cyber incident response plan (CIRP) that you have ready to go at a moment’s notice.

The goal of having an incident response plan is to ensure that your organization is fully prepared for, and ready to respond to any level of cyber security incident fast and effectively. And today, incidents are inevitable. All that varies is the breadth and depth.

Here’s Gartner’s definition of a CIRP: Also known as a “computer incident response plan,” this is formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks. The CIRP should include steps to determine whether the incident originated from a malicious source — and, if so, to contain the threat and isolate the enterprise from the attacker.

  1. Is there a difference between incident response and incident handling?

Well, yes, although response and handling go hand in hand and without both you do not have a sound incident response process. Incident response refers to the technical aspects of incident analysis and containment, whereas incident handling refers to the human responsibilities: the communications, coordination, and cooperation required to see the process through.

  1. What is the incident response life cycle?

The life cycle of an incident is defined by the stages a typical incident goes through, and it includes everything from preparing for an incident to analyzing the lessons you learned after experiencing one. I like this version of the incident response life cycle:

Preparation > Incident Discovery and Confirmation > Containment and Continuity > Eradication > Recovery > Lessons Learned

  1. What are the different types of information security incident?

There are many types of cyber security incidents that can result in intrusions on your organization’s network or full-on data breaches, but I’m going to focus on the six to which I believe organizations are most vulnerable:

  • Phishing attacks: you click on a link in an authentic-looking email and end up giving away sensitive information (like a password), or enabling ransomware or some other malware. Companies are super-vulnerable to phishing attacks because criminal hackers target the weakest links in most companies—its employees—and success rates are high! A more targeted type of phishing attack known as spearfishing occurs when the attacker invests time researching the victim in order to pull off an even more successful attack.
  • Denial-of-service (DoS) attacks: the point of this attack is to shut down an individual machine or entire network so that it cannot respond to service requests. DoS attacks achieve this by inundating the target with traffic or sending it some information that triggers a crash.
  • Man-in-the-middle (MitM) attacks: an outside entity intercepts and alters the communication between two parties who believe they are communicating with each other. By impersonating them both, the attacker manipulates both victims in an effort to gain access to data. The users are blissfully unaware that they are both talking to an attacker. Session hijacking, email hijacking, and Wi-Fi eavesdropping are all examples of MitM attacks.
  • Drive-by attacks: a common method of spreading malware, criminal hackers seek out insecure websites and plant a malicious script into code on one of the pages. The script could install malware onto the computer of someone who visits the site, or re-direct the victim to a different site controlled by the hackers.
  • Password attacks: this sort of attack is aimed specifically at obtaining a user or an account’s password. Criminal hackers use a variety of techniques for getting their hands on passwords, such as password-cracking programs, dictionary attacks, password “sniffers”, or brute-force password guessing, often based on some personal knowledge of an individual (like the birthday, dog’s name, etc.) This is why strong passwords are so important.
  • Malware and ransomware attacks: a broad term for any sort of malicious software that’s installed on your system without your consent can be considered malware. You are probably familiar with many types of malware—file infectors, worms, Trojans, ransomware, adware, spyware, logic bombs, and different types of viruses. Some are inadvertently installed when an employee installs freeware or other software, clicks on an ad, or visits an infected website. The possibilities are endless, therefore so are the chances of an employee falling victim to a malware attack.

Industry-specific cyber security incident reporting

The incident response process described in the life cycle above is largely the same for all organizations, but the incident reporting procedure varies for certain industries. For example, if you’re in the healthcare industry you may need to observe the HIPAA incident reporting requirements.

These are some industry regulations that have very specific laws around incident reporting, and who they apply to:

HIPPA – if you create, receive, maintain or transmit electronic protected health information

FISMA/NIST – if you’re a federal agency or government contractor

PCI DSS – if you accept, store, or transmit credit card data

NERC/CIP – if you’re an energy and utilities company

SOX – if your organization is a public company (though in some cases private companies must also comply with SOX regulations)

NYCRR – if You’re a New York insurance company, bank, or other regulated financial services institution

If your organization must adhere to any of the above regulations, you must familiarize yourself with the incident reporting requirements that might uniquely apply to your industry. Links to helpful industry-specific information can be found in the incident report template.

The template also has:

  • Customization instructions
  • Assembling an incident response team, including IT, compliance, and communications representatives
  • Threat classification
  • A sample cyber Incident
  • Phase of incident, and the appropriate actions to take at each step (the template ensures you capture all the right information)

As an additional resource, our whitepaper provides a broader incident response strategy.

Incident response is a plan I hope you’ll never need

I talk about the incident response process often, but always with the hope you’ll never need to report an incident. And as more organizations take steps to protect themselves, become more resilient and recover quickly, I look forward to seeing fewer victims of cyber crime.

In the past few years, Gartner’s number 1 security project is privileged account management (PAM) But like incident response, cyber security has a technical AND a human aspect—employee cyber awareness training is critical to your organization’s security. Criminal hackers view employees as the fast track into your company’s network, so security training should be introduced on day one of your new hire orientation process.

No cyber security solution is bulletproof

No solution you choose to protect your privileged access, nor any amount of employee training, will guarantee you bullet-proof cyber security. After all, the criminal hacker’s ongoing challenge is to stay a step ahead of you. But having a rock-solid incident response procedure in place can minimize the damage—even stop it before it gets a foothold—and save you money, time, and your reputation.

Free Cyber Security Incident Response Plan Template

The faster you respond to a cyber incident, the less damage it will cause

 

Like this post?

Get our top blog posts delivered to your inbox once a month.

SHARE THIS