In the general sense of information technology, incidents are events that cause service disruption or failures which can significantly compromise an organisation’s operations if not dealt with swiftly. To reduce the risk and limit the impact of incidents, most organisations have an incident management plan and incident response playbooks which guide their end-to-end recovery process.
Cyber security incidents such as suspicious system and network activity, denial-of-service (DoS) attacks, and loss or theft of sensitive information are yet another form of risk to operational stability, service quality, and system integrity but with the added consequential threats of reputational, financial, regulatory and even physical damage. Yet for some reason, cyber security incidents are generally handled vastly different to standard incidents, and often with much less procedural efficiency. During cyber security incidents, planning and adherence to the standard operating protocol are often cast aside while security operations teams scramble to contain threats and restore services in isolation from the rest of the service management team.
Why is it organisations approach cyber security incident management differently and why can’t ITIL incident management processes be applied in the realm of cyber security? The most common answer is that cyber security is different, so it needs a different process. This belief is based on ITIL not catering for security incidents, since it’s not explicitly documented in the manual and security incidents do not always require immediate restoration of service, especially where confidentiality and integrity are concerned. ITIL is all about keeping the lights on but keeping the lights on during a cyberattack might cause more harm than good.
Commonality Across Disciplines
There are definite synergies between standard and cyber security incident management processes and areas that allow for tighter integration, such as escalation procedures, stakeholder engagement, and communication requirements. Additionally, experienced incident response teams of any kind tend to have a common set of attributes, including an ability to remain calm under pressure, strong communication skills, and practical knowledge in using (or ignoring) playbooks, depending on the nature of the event.
The culture of your cyber security incident response team (CSIRT) needs to be aligned with the rest of the business to foster effective stakeholder relationships, cross-team collaboration, and ultimately efficient incident management. This is best achieved when the CSIRT is trained through tactical programs such as red teaming, live simulations, and tabletop exercises.
Integrated Security Incident Management
ITIL defines an incident as an ‘unplanned interruption to an IT service, or reduction in the quality of an IT service, or a failure of a Configuration Item that has not yet impacted an IT service’. The focus is on failure, and therefore incident management aims to restore normal operations as quickly as possible. Incidents are prioritised based on their actual or anticipated impact to the business, usually on a five-point scale, with five being minimal (informational) and one being the highest, often classified as a major incident requiring significant effort to manage.
When classifying security incidents, the nature of the attack is often used to determine its category: malware, phishing, ransomware, DoS attack, etc. However, a more important factor is the impact on the business, which should drive the priority to which you respond. Kinetic IT PROTECT+ uses a common set of tactics, techniques, and procedures that define attacker tradecraft across our detection systems. This list is maintained by MITRE and is known as the ATT&CK Framework, which can be considered a master index for incident categorisation and serves as an important normaliser when communicating with security analysts, risk managers, and executives.
Example:
A DoS attack may cause service degradation of the corporate website, categorised as a level three priority. Its impact is not too concerning or significant in the short term. However, these types of attacks can escalate, and if the DoS amplifies, the priority is increased to the point when it becomes a major incident.
This example is easy to understand as it fits neatly into the ITIL incident management process. Its service availability-related and is equivalent to losing power to the server room. The impact could have financial implications, especially if the website offers goods for sale; and it might impact your reputation, especially if you provide critical public services.
The main confusion arises when other kinds of attacks occur, such as ransomware infections, virus infestations, or an attacker actively roaming the network, hunting for confidential data. Some of these attacks relate to availability impacts, like ransomware, but it’s information rather than the systems that become unavailable. Nevertheless, incidents like these are often passed straight to the security operations teams to handle rather than putting them through the normal incident management process – simply because they are related to a security control failure (e.g. the attacker made it through your defences).
To eliminate confusion and improve an organisation’s ability to respond, we recommend cyber security incidents sit within an overall incident response plan that is managed by the incident response team. Supporting playbooks can further aide the incident response team and ensure they follow the most appropriate actions when security incidents are detected.
Handling Security Incidents
Cyber security incidents involving an intruder operating within your network is often mishandled when the sole responsibility or responding to the attack is passed to the security operations team. While the security operations team are a key stakeholder in the response, they may not have the appropriate skills to handle a major cyber incident like this. Furthermore, security incident handling may require more of an “observe and orient” style of response in the early phases of the breach, since you may be more interested in understanding the attacker’s goals than eradicating them from your systems. To determine the best course of action, you instead need an experienced team of subject matter experts, incident responders, legal experts, and blue team or offensive security experts (who understand TTPs). The incident response plan should document all required roles as well as accountabilities and expectations, and training should focus on scenarios which test all aspects of the response team and how they react under the most unusual of situations.
Organisations should realign their expectations of security operations teams so that security incident management is integrated into an ITIL-aligned incident management program. That way, significant breaches or attacks have the governance required to communicate and work with the business, no matter what the incident is. The main difference is that the cyber security incident manager coordinates the response in a way that is appropriate for a cyber incident, with tacit knowledge of the business and the support of the executives for making decisions that, to many, may seem counterintuitive.
Written by Tony Campbell
