Tuesday, March 29, 2022

From Plans to playbooks


Building on the experience gained over the past six years of running Cyber Response exercises, it is becoming clear that cyber incidents should not be led by the ICT function. Cyber incidents are in fact service disruptions. The Information Assurance trinity (Confidentiality, Integrity and Availability) reflects the holistic approach to the security of information.


Cyber incidents come in different shapes and sizes. If one system is affected, then generally the ICT function will be able to respond to it. However, if a cyber incident covers more than one system or a large service, it will in fact impact upon the business. Once the business is impacted, this becomes a strategic issue and requires senior leadership intervention through a crisis management team. Traditionally, this has all been thought of in the enterprise as business continuity planning. The coordination of business continuity planning is done through Business Continuity Management, which manifests itself through enterprise-level contingency plans. A contingency plan is a plan which addresses a specific issue.


Enterprise-level business continuity plans are, generally speaking, generic. However, a contingency plan is specific. For instance, a contingency plan could deal with the loss of a building, be that a headquarters, a town hall or a head office. Obviously, if such a building were lost or unavailable for a period of time, all of the processes, services and systems that rely on that building for their delivery would also potentially become unavailable.


This becomes a serious problem as we have moved on through the information technology journey over the years. The proliferation of cloud-based systems, and of integrated hybrid systems which are partly on premise and partly in the cloud, brings a different set of challenges. The loss of a building may not mean the loss of a service. However, contingency plans need to cater for the loss of services and of specific systems.


As the computer world has moved more towards the agile approach to software development and delivery of services, so too must agile thinking be taken into account in the way in which we respond to cyber incidents. We propose that the best way of doing this, just as in agile, is through playbooks, often called runbooks. C-TAG has developed a cyber incident response primer which itself supports a number of playbooks. The other component which supports playbooks in their invocation, and in their ability to remediate a specific problem, is the use of break glass policies.



Break Glass Policies


A break glass policy is as the name describes: a break glass being the type of button on which you have to break the glass to set off a fire alarm. A break glass policy enables a certain set of pre-authorised, delegated actions, empowering individuals to carry out tasks, incur expenditure and deploy resources in an autonomous fashion, so as to act in a very quick and timely manner.


One of the key things moving forward for cyber incident response is the availability and deployment of a crisis management team. A Cyber Incident Coordination Cell should be established internally, which is different to the ICT team that may be resolving the actual problem. Cyber incident coordination requires situational awareness, strategic decision support, and intelligence assessment and analysis, to feed back to the Crisis Response Team.


Working through playbooks, which are in fact delegated contingency plans, is enacted through break glass policies, with reporting back into the crisis management team. A break glass policy may have a predetermined initial time span of delegated authority; this could be 12, 24 or 48 hours. The point is that once the crisis response team (in ICT) is stood up, it reports its initial actions to the Crisis Management Team. The crisis response team and the crisis management team are both supported by the Cyber Coordination Cell. The Crisis Management Team will then take back control, the role of the Break Glass Policy and its delegation having concluded.


But the break glass policy, once enacted, means that an immediate tactical response can take place to deal with the situation through the predefined playbook.


Golden Hour Guide 


There is also a Golden Hour Guide, which starts to describe how you would actually do this. For crisis management teams there are various approaches, including one called the "Four Boards Approach". The four boards approach gives a cadence to each of the meetings that the crisis management team holds, so they are very rigid, very structured and time-boxed. They have specific tasks, responsibilities and outcomes. In crisis management you do not always determine or dictate how something will be carried out; the focus needs to be on outcomes and effects. This is exactly the approach taken by the UK Government in how they run their COBR/A operations room: COBR/A will always talk about an effect that it wants to achieve, rather than the actual method to get there.


References: 


https://guidance.ctag.org.uk


https://www.theguardian.com/government-computing-network/2011/jun/13/local-cio-council-information-assurance-strategy-mark-brett


https://guidance.ctag.org.uk/local-authority-cyber-resilience-planning-guide


https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/192425/CONOPs_incl_revised_chapter_24_Apr-13.pdf


https://www.researchgate.net/profile/Mark-Brett/publication/342898805_Cyber_Incident_Response_-Working_Paper/links/5f0c7c9792851c38a519c080/Cyber-Incident-Response-Working-Paper.pdf

Friday, March 04, 2022

The Need for Cyber Collaboration


Organisations that are more cyber resilient are better able to cope with cyber attacks.

The benefits of collaboration 


Given the significant consequences of a cyber security breach, many organisations are calling for greater collaboration, the benefits of which include greater intelligence sharing, a cohesive response to threats and robust international infrastructure. Cyber-resilience is the ability to recover from cyber-attacks, and cyber-attacks are on the rise.


Intelligence sharing

According to a study conducted for IBM by the Ponemon Institute, organisations with high cyber-resilience were more likely to participate in some form of threat-sharing program (e.g., open source, commercial sources, threat intelligence platforms). Sharing intelligence allows organisations to identify likely threats in their industry and develop appropriate responses based on what similar organisations have tried. Intelligence sharing between the public and private sectors, as researched by RUSI, is vital because of the distinct perspectives each sector has. For example, government agencies can conduct cyber espionage operations and therefore have insight into adversary networks. In contrast, business providers often have a greater understanding of cyber-attack victims.

Increased cross-sector dialogue could vastly improve cybersecurity responses, and even prevent attacks before they occur. Microsoft's new initiative, the Asia Pacific Public Sector Cyber Security Executive Council, aims to facilitate private-public partnerships to share information and strengthen government cyber defences. The council plans to meet quarterly going forward.

For example, a public sector organisation may have a strong interest in knowing the activity of private sector organisations, whereas a private sector organisation may be concerned about the potential for misuse of its own data by the public sector.

The NIST Cybersecurity Strategy Framework was designed to be a framework that organisations can use to address cybersecurity issues and be compliant with the relevant laws. It is a step-by-step process that organisations can use to identify, assess, and respond to cybersecurity threats. 


Consistent threat response


Having a clear response to cybersecurity incidents helps to protect organisations against cyber threats, particularly smaller organisations that may lack expertise and/or resources. IBM has often emphasised the importance of having an incident response process that is consistent, repeatable and measurable, and has worked with organisations across sectors to help develop resilient solutions.

However, there is still remarkable variation in the cybersecurity industry because of the lack of professional regulation. The UK Cyber Security Council plans to correct this issue, bringing the private and public sectors together to create regulatory standards in cybersecurity, similar to what already exists in industries such as accounting and finance. The hope is that this will create a set of standards that improves the quality of cyber defence strategies and the efficiency of incident responses.

Next steps in the process will include the establishment of a new regulatory body, the National Cyber Security Centre, and the development of a new UK Cyber Security Strategy.

In the absence of a regulatory body, it is left to individual organisations to create their own incident response processes. A UK government report found that the majority of UK organisations (69%) were not prepared for a cyber incident, and that only one in three (30%) had a well-developed plan in place. In fact, one in five (20%) had not yet started developing a plan. In order to create a consistent incident response process, organisations should look to examples of best practice, including those provided by the National Cyber Security Centre.

Responsibility and liability

Organisations need to have clear ownership of their cybersecurity strategy, and it is the responsibility of every individual to work to develop and maintain the organisation's cybersecurity strategy.

To demonstrate that the organisation has a strong and effective cybersecurity strategy, the organisation should implement and maintain a cybersecurity strategy in line with the requirements of the CISO. The CISO should be responsible for the organisation's overall cybersecurity strategy and should have the authority to manage and control the implementation of the strategy.

The CISO should have a strong and effective cybersecurity strategy in place and be responsible for the development and implementation of the strategy; this is also relevant for SMEs and micro businesses. The CISO should be the first line of defence and should ensure that the organisation has appropriate cybersecurity measures in place.

To demonstrate this, an organisation's cybersecurity strategy should be integrated into its strategy, organisational and IT policies, and processes.

All organisations should have a strategy that describes their cybersecurity stance and provides a basis for cybersecurity risk management. A strategy provides a way of aligning cybersecurity with the organisation's strategy, provides a clear picture of the organisation's current cybersecurity stance, and helps to ensure that the organisation's cybersecurity risk management practices are aligned with its strategy.

The organisation's strategy should be informed by the organisation's mission, vision, and values. The cybersecurity strategy should also align with the organisation's governance and legal frameworks.

To demonstrate ownership of cybersecurity strategy, organisations need to establish a clear vision and strategy, and demonstrate alignment across the business and the C-suite.

IT Security

IT Security is a critical component of any business’s cybersecurity strategy. IT Security is more than just network and endpoint security, it includes securing cloud services, data, mobile devices and more. An organisation's cybersecurity strategy should have a clearly defined IT Security strategy, including:

· A clearly defined scope of IT Security.

· A clearly defined risk assessment methodology and process.

· A clearly defined strategy for the identification and prioritisation of vulnerabilities.


International collaboration


Many organisations operate internationally, and so do the attacks against them. For example, while the impact of the SolarWinds attack was most severe in the US, at least seven additional countries were impacted (including the UK, Belgium, Spain, Canada, Mexico, Israel and the UAE). However, the response from US allies was far from cohesive, and none matched the impact of the sanctions the US imposed on Russia for its suspected role in the attack.

It's crucial that private-public partnerships are encouraged not only on a national scale, but globally. Participating in global forums like FIRST, sharing intelligence and developing global frameworks will inevitably improve cyber-resilience. Finally, co-ordinated global responses may deter nation state attacks and increase trust between co-operating countries.

Clearly, many are working hard to facilitate cross-sector collaboration. However, there is much further to go. Cybersecurity is no longer optional: protected digital environments are crucial for organisations of all kinds, so they must work together to secure a cyber-resilient future. The ability to cope with cyber-attacks is critical to organisations' survival. A resilient organisation is more likely to survive an attack than a less resilient one.