Five Key Considerations for Developing a Cybersecurity Emergency Action Plan

Author: John P. Pironti, CISA, CRISC, CISM, CGEIT, CDPSE, CISSP, ISSAP, ISSMP, president of IP Architects LLC.
Date Published: 23 November 2020

Recently, the ever-expanding cybersecurity threat landscape, along with an increasing frequency of attacks, has highlighted the need for organizations to develop and implement emergency action plans as part of their business resilience programs. During modern-day cyberattacks, minutes and seconds can make a material difference in an organization’s ability to identify, contain and mitigate the impact of these attacks. The first employees to observe indicators of malicious activities and identify cyberattacks must be empowered to make decisions quickly and without concern for any possible negative outcomes of their actions, which would inevitably delay their decision-making.

The zero hour of any incident response activity is often the most stressful, but also the most important. The initial actions taken as part of an emergency action plan can set the stage for a number of key actions and activities to follow that will enable a successful incident response. An organization’s cybersecurity emergency action plans should be developed as part of crisis management planning, which, in turn, should be part of overall business resilience planning and capabilities. These plans should include checklists and scripted activities that are pre-approved and tested for their effectiveness and usefulness on a regular basis. The following are five key considerations for developing a cybersecurity emergency action plan:

  1. A “call first or act first” checklist—Any organization’s front-line security monitoring and incident response resources must be agreed upon in advance by leadership and stakeholders. The effectiveness and ability of cybersecurity incident response to counteract and minimize the material business impacts of cyberattacks can often be measured in minutes and seconds. It is important to develop “call first or act first” checklists that inform these resources of the conditions and scenarios where they should take immediate action and then notify appropriate stakeholders vs. when they should first contact these individuals to ask for permission to take action. In a “call first or act first” checklist, there should be conditional and scenario-based guidelines that allow first responders to take measured approaches to their activities to immediately contain and, if possible, mitigate a cyberattack. Once they have taken action, they can then contact organizational leadership and stakeholders to brief them on their actions and ask for guidance for next steps. For instance, in the case of an encryption-based ransomware attack that is quickly propagating throughout an organization’s network, a first responder should be empowered to immediately disconnect both infected and uninfected systems from networks to minimize expansion of the attack surface area.

    During an attack where immediate incident response actions could cause material impacts to key business processes and operational capabilities, such as disruption of time-sensitive transaction processing capabilities or health- and safety-oriented capabilities, it may be better for a first responder to make contact with a business process owner or business leader prior to taking action. This will allow the responder to present options and gain approval for immediate actions that can be taken prior to enacting them. It is important that the mitigating actions responders take do not cause more damage or increase vulnerability to an organization than the original attack that they are attempting to contain and mitigate.
  2. A “get out of bed” checklist and notification matrix—Many cyberattacks occur when an attacker perceives that an organization has minimal staff available to identify and respond to attacks. Organizations should develop criteria for how and when key business leaders, stakeholders and individuals with required skills will be contacted outside of their normal working hours to be informed of an attack or assist with incident response activities. These lists should be measured and gated depending on the severity of the attack and material business impacts. It is suggested that an organization use a gated model based on severity and impact with contact matrixes that ensure only individuals whose skills, knowledge or authority will be beneficial to response activities are engaged. This does not mean that other key stakeholders and leaders should not be contacted. With a measured approach, secondary individuals can be engaged during business hours.

    A key part of a “get out of bed” notification matrix is the identification of primary contacts and then multiple secondary contacts for the required skill set or decision authority. In off-hour contact scenarios, it is often the case that the primary individuals are not immediately available. In these cases, the first responders should continue to attempt to contact the primary individuals, but also begin contacting secondary individuals, immediately and without hesitation. The secondary notifications will ensure they are in a “warm state” and prepared to assist if necessary. This will also allow the first responders to leverage the secondary individuals to make contacts to stakeholders and support personnel while the first responders continue to take action.
  3. Emergency indicators and associated confidence levels—In a materially impacting cyberattack, there are often many emergency indicators that can be both beneficial and overwhelming. Advanced adversaries will often attempt to circumvent detection of their attack activities as long as possible, and when they do attack, they will often try to use disinformation techniques to confuse sensor networks and capabilities of an organization. It is important to identify key emergency indicators (sometimes called indicators of attack or compromise) with which an organization has high confidence in terms of both their accuracy and usefulness. These key indicators should allow an organization to quickly identify the severity and impact of the attack activity to take appropriate and measured emergency actions.
  4. Suggestions vs. decisions—In the initial stages of a cyberemergency response, it is often the case that first responders will need to evaluate many data points and either provide informed suggestions to individuals with decision-making authority or make decisions about how to act themselves. To limit confusion and friction during the response activity, it is important to educate and train first responders on conditions and scenarios where they are expected to make suggestions vs. those where they are expected to make authoritative decisions. Often the easiest way to identify this is to develop a responsibility matrix for individuals and the respective roles they will have during cyberincident response. Depending on the situation, the same individual in an organization may be required to play the role of advisor or authoritative decision maker.

    It is important to communicate the authority of these roles and individuals to the entire constituency of expected responders and stakeholders as part of the emergency action plan development and training activities. If an individual who is typically viewed as an advisor who provides suggestions to decision makers in normal business activities is asked to be a decision maker in an incident response activity, their authority must be recognized and acknowledged by all responders, stakeholders and constituents for their decisions to be carried out effectively and without question. Otherwise, precious time can be wasted as these decisions are questioned and secondary approvals are requested.
  5. Response expectations and approved actions that have been coordinated with key stakeholders—Many organizations choose to outsource security monitoring and management capabilities and/or incident response support to third parties. In these cases, it is important to coordinate a cyberincident response approach and decision authority matrix with these organizations. If they are the first to identify the cyberattack, they should also be empowered to be the first to react. Too often organizations allow third parties to act only in a monitor-and-alert mode of operation, which can severely hinder time-sensitive incident response activities, especially during off-hour periods. The development of the cybersecurity emergency action plan should include third-party resources and establish conditions and scenarios where they should be empowered to take immediate action on behalf of the organization.
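As an added illustration that is not part of the article, the Python below shows how the first three considerations (the “call first or act first” decision, the severity-gated “get out of bed” matrix with primary and secondary contacts, and indicator confidence levels) could be codified in a runbook tool so a first responder gets a scripted answer rather than improvising at zero hour. Every indicator name, confidence value, role, threshold and contact is a constructed placeholder.

```python
from dataclasses import dataclass

# Emergency indicators and the confidence the organization has assigned to
# each (consideration 3). Constructed sample values, not real detections.
INDICATOR_CONFIDENCE = {"mass_file_encryption": 0.95,
                        "lateral_smb_spread": 0.85,
                        "single_av_alert": 0.40}

# Constructed "get out of bed" matrix (consideration 2): which roles are
# engaged at each severity, and a primary contact followed by secondaries.
NOTIFY_MATRIX = {1: ["soc_lead"],
                 2: ["soc_lead", "it_ops_manager"],
                 3: ["soc_lead", "it_ops_manager", "ciso", "business_owner"]}
CONTACTS = {"soc_lead": ["alice", "bob"],
            "it_ops_manager": ["carol", "dan"],
            "ciso": ["erin", "frank"],
            "business_owner": ["grace", "heidi"]}

@dataclass
class Incident:
    indicators: list
    severity: int                   # 1 (low) .. 3 (high)
    impacts_critical_process: bool  # time-sensitive or health/safety process
    off_hours: bool

def decide_mode(inc, threshold=0.8):
    """'act_first' or 'call_first' per the checklist (consideration 1)."""
    conf = max((INDICATOR_CONFIDENCE.get(i, 0.0) for i in inc.indicators),
               default=0.0)
    if conf < threshold:
        return "call_first"   # low-confidence indicators: ask before acting
    if inc.impacts_critical_process:
        return "call_first"   # containment could hurt more than the attack
    return "act_first"

def notification_list(inc):
    """Contacts to engage now vs. deferred to business hours (gated by
    severity); off-hours, secondaries are called at once to warm them up."""
    roles_now = NOTIFY_MATRIX[inc.severity]
    now, deferred = [], []
    for role, names in CONTACTS.items():
        if role not in roles_now:
            deferred.append((role, names[0]))
            continue
        now.append((role, names[0], "primary"))
        if inc.off_hours:
            now.extend((role, n, "secondary") for n in names[1:])
    return {"now": now, "deferred": deferred}
```

A propagating ransomware case (`Incident(["mass_file_encryption"], 3, False, True)`) yields `act_first` and every primary and secondary contact at once, while a single low-confidence alert during business hours yields `call_first` and only the SOC lead.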

An effective and well-maintained cybersecurity emergency action plan can mean the difference between a minimally impacting event and a materially impacting incident when an organization is facing a cyberattack. It is important to empower first responders with the guidance and tools to be successful in the precious zero-hour period of any cyberevent. These plans also create the foundation and operating guidelines of the incident response activity, which all involved will be expected to follow. Organizations that have them, maintain them and exercise them on a regular basis will be in a stronger position to successfully navigate and minimize the business impacts of cyberattacks than those that do not and can take only a best-effort approach to their activities.
