media.americascreditunions.org/articles/123454-the-importance-of-incident-response

The importance of incident response

These plans serve as critical frameworks to respond to and recover from security incidents.

January 31, 2024

In the ever-changing financial services landscape, credit unions face an array of cybersecurity threats. From data breaches to more sophisticated cyberattacks, the risks aren’t just operational, but also carry severe reputational and financial implications.

That’s why it’s critical for credit unions to establish, maintain, and test their incident response plan (IRP). These plans aren’t merely regulatory formalities; they’re critical frameworks that enable credit unions to respond to and recover from security incidents rapidly and effectively.

Often, a thorough and tested IRP is the difference between an incident that is contained quickly and a full-blown data breach. An IRP provides a structured methodology for responding to various types of cyber incidents while minimizing the potential damage and disruption to the business.

In an age where data is a valuable asset, protecting member information is paramount for credit unions.

To build an effective and battle-tested IRP, you must establish a framework that includes six critical elements:

1. Preparation

The most important aspect of incident response is how you prepare. During this phase, the first step is acquiring management support because if you don’t have that, nothing else will be effective.

Another area of focus during this phase is developing a communication plan that assigns key personnel to their roles for incident response and documenting contact information.

Lastly, it’s important to conduct research on common incidents that your industry faces. This allows you to make the proper preparations that may include implementing and configuring best practice preventative measures, such as intrusion detection/prevention or endpoint detection and response solutions.

2. Detection

It’s great to have the new, shiny security solutions, but if you can’t detect an incident in a timely manner, what does it matter? Countless breaches involve malware or intruders that gained access to systems, accounts, and data and went undetected for weeks or months before anyone noticed.

Because achieving proper detection capabilities is complex and unique to each business, here are some key areas of focus to start a strong foundation:

Logging. Most systems—network equipment, workstations, servers, notebooks, tablets, and Internet of Things devices—have logging capabilities. These logs usually provide details on errors, access, and other important information that could lead to detection of an incident.

At a minimum, logging should be enabled on each system and retained long enough to reconstruct an incident. To further improve on this, forward the logs to a centralized logging solution or a security information and event management (SIEM) system. That stores a copy securely away from the originating device, so an attacker who compromises a host cannot simply delete its logs, and it correlates events across devices to surface potential incidents that no single device’s log would reveal on its own.

Personnel. It’s critical that personnel are assigned responsibility for detecting incidents. As previously mentioned, logging is core to detecting incidents, but if you haven’t assigned personnel to review them, then you have no visibility.

Outside of regularly reviewing logs, personnel should be trained regularly to increase the overall security awareness of the business. These security awareness trainings should be specific to the industry and common threats it faces.

Incident categories and ratings. From the preparation phase, you should be equipped with the necessary information to define different incident categories and common examples within each. It’s also critical to add a prioritization structure for each incident category.
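As an added example (not code from the article), here is the kind of correlation check a centralized logging or SIEM setup would run over forwarded authentication logs, tagging each hit with an incident category and rating of the sort the preparation phase defines. The log lines, host names, IP addresses, thresholds, and the two-entry category/rating table are constructed placeholders. The point it shows: three failed logins on one host and two on another never cross a per-host threshold, but the same source address seen across both hosts, followed by a successful login on a third, does.

```python
"""Cross-device correlation of forwarded SSH authentication logs.

Added example, not code from the original article. The log lines, host names,
IP addresses, thresholds and the category/rating table are constructed
placeholders for what a credit union would define during preparation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: three hosts forwarding sshd records to one collector.
# Real sshd also emits "Failed password for invalid user X"; a production
# parser would handle that variant as well.
SAMPLE_LOGS = """\
2024-01-31T02:14:01Z fileserver01 sshd[4121]: Failed password for root from 203.0.113.5 port 51022 ssh2
2024-01-31T02:14:03Z fileserver01 sshd[4121]: Failed password for root from 203.0.113.5 port 51023 ssh2
2024-01-31T02:14:05Z fileserver01 sshd[4121]: Failed password for admin from 203.0.113.5 port 51024 ssh2
2024-01-31T02:15:10Z vpn-gw sshd[902]: Failed password for admin from 203.0.113.5 port 51100 ssh2
2024-01-31T02:15:12Z vpn-gw sshd[902]: Failed password for admin from 203.0.113.5 port 51101 ssh2
2024-01-31T02:16:40Z corebank-db sshd[77]: Accepted password for admin from 203.0.113.5 port 51200 ssh2
2024-01-31T02:30:00Z vpn-gw sshd[903]: Failed password for jsmith from 198.51.100.9 port 40001 ssh2
2024-01-31T03:05:00Z vpn-gw sshd[910]: Accepted password for jsmith from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)

# Incident categories and ratings (assumed values for illustration).
RATINGS = {"brute_force": "medium", "brute_force_then_success": "high"}
WINDOW = timedelta(minutes=10)   # failures must fall within this span
FAIL_THRESHOLD = 4               # failures from one source, across any hosts


def parse(log_text):
    """Turn raw lines into event dicts, oldest first. Unmatched lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Group by source address and look for a burst of failures across hosts.

    A burst of `threshold` failures inside `window` is a brute-force attempt;
    an Accepted login from the same source within `window` of the last failure
    escalates it to brute_force_then_success (likely account compromise).
    Returns one alert per offending source.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs if e["result"] == "Accepted"
                            and last_fail <= e["ts"] <= last_fail + window), None)
            category = "brute_force_then_success" if success else "brute_force"
            alerts.append({
                "src": src,
                "category": category,
                "rating": RATINGS[category],
                "hosts": sorted({f["host"] for f in burst}),
                "failures": len(burst),
                "compromised": f"{success['user']}@{success['host']}" if success else None,
            })
            break  # one alert per source; later bursts would be folded into it
    return alerts


def per_host_failures(events):
    """What a single device's own log would show: failures counted per host only."""
    counts = defaultdict(int)
    for e in events:
        if e["result"] == "Failed":
            counts[e["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse(SAMPLE_LOGS)
    print("per-host failure counts:", per_host_failures(evts))
    for alert in correlate(evts):
        print(alert)
```

Run as-is, it prints per-host counts of 3 and 3 (both under the threshold, so a per-device review would see nothing) and a single high-rated alert for 203.0.113.5 naming both hosts and the accepted admin login on corebank-db. The jsmith lines, one typo followed by a normal login, produce nothing. The thresholds and window are the part a credit union tunes to its own environment; the category and rating attached to each alert are what feed the prioritization structure.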

3. Containment

With the work done in the previous two phases, the credit union should know the common incident types it faces and the priority assigned to each. That information will assist you in developing playbooks for the various incident types, including procedures for containing each one.

For example: if a workstation is infected with malware, a common next step is to isolate it from the network (for instance by disabling its switch port or using the endpoint detection and response tool’s isolation feature) to prevent the infection from spreading, but not to power it down, so that volatile evidence held in cache and random access memory, such as running processes, active network connections, and in-memory malware, is retained for analysis.

It’s also common for forensic analysis to be conducted during containment, so it’s important to either have a forensic analyst on staff or contract with a third party to provide those capabilities before an incident occurs.

4. Eradication

Once an incident is contained, the next critical step is eradication. This phase focuses on eliminating the threat from the credit union’s affected system(s) and closing the path the attacker used, so that the same intrusion can’t simply recur.

Like the work done in the containment phase, it’s important to document eradication guidance for the common incidents the credit union faces. When systems become infected, personnel need to be equipped with the tools and knowledge necessary to remove malicious files or programs from systems, and with clear criteria for when a system should instead be rebuilt from a known-good image rather than cleaned in place.

5. Recovery

The recovery phase is a crucial component of the IRP, focusing on restoring and returning affected systems and services to normal operation while ensuring no remnants of the threat remain. This is the phase where the IRP may start relying on the disaster recovery plan (DRP), because specific restoration and recovery procedures are typically detailed in the DRP.

One of the most impactful ways to support recovery after an incident or event is making sure that a tested backup plan is in place before incidents occur. This backup plan should, at a minimum, be tested at least quarterly by actually restoring data and verifying it, be stored separately from the systems it backs up (offline or otherwise out of reach of an attacker who controls those systems, so that ransomware can’t encrypt or delete the backups along with production data), and retain enough history to meet the credit union’s recovery point and retention expectations.
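A tested backup plan means someone actually restores from the backup, checks the result, and checks that the history reaches back as far as the plan promises. The following Python script is an added example (not from the article or from any backup product): it creates a backup archive with a SHA-256 manifest, restores it into a scratch directory and verifies every file against the manifest, then checks that the newest archive is recent and the oldest reaches back past a minimum retention. The file names, the 90-day history, the one-day freshness bound, and the "offsite" directory are constructed assumptions; the tampered archive simulates silent corruption or an attacker altering backup contents.

```python
"""Restore-test a backup archive and check its retention history.
Added example, not from the original article or any backup product. Paths,
file contents, the manifest layout and the retention numbers are assumptions."""
import hashlib, io, json, tarfile, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

STAMP = "%Y%m%dT%H%M%SZ"  # timestamp embedded in each archive name

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(src_dir, dest_dir, when):
    """Archive src_dir as backup-<timestamp>.tar.gz with a SHA-256 manifest inside."""
    manifest = {}
    archive = Path(dest_dir) / f"backup-{when.strftime(STAMP)}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(Path(src_dir).rglob("*")):
            if p.is_file():
                rel = p.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_file(p)
                tar.add(p, arcname=rel)
        data = json.dumps(manifest).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return archive

def restore_test(archive, restore_dir):
    """Extract into a scratch directory and verify every file. Returns (ok, problems)."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():  # refuse path traversal or links from a hostile archive
            if m.name.startswith("/") or ".." in Path(m.name).parts or not m.isfile():
                return False, [f"unsafe member: {m.name}"]
        tar.extractall(restore_dir)
    manifest_path = restore_dir / "MANIFEST.json"
    if not manifest_path.exists():
        return False, ["manifest missing"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, expected in manifest.items():
        p = restore_dir / rel
        if not p.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return not problems, problems

def retention_ok(backup_dir, now, max_age_days=1, min_history_days=90):
    """Newest archive must be recent; oldest must reach back at least min_history_days."""
    stamps = sorted(
        datetime.strptime(p.name[7:-7], STAMP).replace(tzinfo=timezone.utc)
        for p in Path(backup_dir).glob("backup-*.tar.gz"))  # strips "backup-" and ".tar.gz"
    if not stamps:
        return False
    return (now - stamps[-1] <= timedelta(days=max_age_days)
            and now - stamps[0] >= timedelta(days=min_history_days))

def tamper(archive, rel, new_bytes):
    """Rewrite one member but keep the old manifest: simulated silent corruption."""
    out = archive.parent / ("tampered-" + archive.name)
    with tarfile.open(archive, "r:gz") as src, tarfile.open(out, "w:gz") as dst:
        for m in src.getmembers():  # all members are regular files (see make_backup)
            data = new_bytes if m.name == rel else src.extractfile(m).read()
            info = tarfile.TarInfo(m.name)
            info.size = len(data)
            dst.addfile(info, io.BytesIO(data))
    return out

def run_demo():
    """Constructed scenario: member data, a 95-day backup history, one corrupted archive."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "member-data")
        src.mkdir()
        (src / "accounts.csv").write_text("id,balance\n1,100\n")
        (src / "loans.csv").write_text("id,principal\n7,2500\n")
        store = Path(tmp, "offsite")  # stands in for storage separate from the source system
        store.mkdir()
        now = datetime(2024, 1, 31, tzinfo=timezone.utc)
        archives = [make_backup(src, store, now - timedelta(days=d)) for d in (95, 30, 0)]
        good_ok, _ = restore_test(archives[-1], Path(tmp, "restore-good"))
        bad = tamper(archives[-1], "accounts.csv", b"id,balance\n1,0\n")
        bad_ok, bad_problems = restore_test(bad, Path(tmp, "restore-bad"))
        return {"good_restore": good_ok,
                "tampered_restore": bad_ok,
                "tampered_problems": bad_problems,
                "retention_ok": retention_ok(store, now),
                "retention_180": retention_ok(store, now, min_history_days=180)}

if __name__ == "__main__":
    print(run_demo())
```

The untouched archive restores and verifies cleanly; the tampered one restores without any error from the backup tooling but fails the hash check on accounts.csv, which is exactly the case a "job succeeded" status would hide. The retention check passes for a 90-day requirement and fails for 180 days, showing how the plan's promised history is verified rather than assumed. In a real environment the restore target would be an isolated system, not a temporary directory on the production host.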

6. Post-incident assessment

This phase is crucial for credit unions as it involves a comprehensive review and analysis of the entire incident—from detection to recovery. The objective of this assessment is to evaluate the effectiveness of the response, identify any shortcomings in the current structure, and recommend improvements for future readiness.

The three main areas of focus for this phase are:

1. Debriefing. The credit union should conduct a detailed debriefing that covers various aspects of the incident. This includes assessing the overall impact on the credit union, including financial, operational, and reputational aspects.

It’s important to involve all key stakeholders in this discussion to gain a holistic view of the incident and response.

2. Root-cause analysis. To prevent future incidents, it’s important to identify the root cause of the incident. This involves a thorough investigation of how the incident occurred and what vulnerabilities were exploited.

By understanding the underlying issues, credit unions can take targeted steps to strengthen their defenses.

3. Lessons learned. This involves identifying what worked well and what didn’t, thereby offering insights into potential improvements in the IRP and other related procedures. It’s also an opportunity to review and update existing procedures and playbooks and research new solutions.

The establishment and maintenance of a comprehensive IRP is indispensable for credit unions navigating the complex and ever-evolving terrain of cybersecurity threats. Each phase of the IRP plays a vital role in not only addressing and mitigating immediate cybersecurity incidents but also in fortifying the credit union’s overall security posture against future threats.

While this article provides general guidance for incident response, you should conduct detailed research on the threats your credit union faces and develop procedures around that information.

KEVIN IVY is director of security services at TraceSecurity, a CUNA Strategic Services alliance provider.