Ever since we launched our customizable cybersecurity incident report template, I’ve been amazed by its volume of downloads.
I quickly realized that the increasing cyber threats from cyber criminals, malware, and ransomware are being taken seriously by organizations large and small and that there is a growing demand for guidance and information on cybersecurity incident response and reporting.
Mangools.com, a Slovakian company that provides advanced tools for monitoring online search engine activity, indicates that online searches for the phrases “cybersecurity incident report template” and “cybersecurity incident response” are increasing at a mind-blowing rate year over year.
Search volume for CYBER SECURITY INCIDENT REPORT TEMPLATE – mangools.com
Search volume for CYBER SECURITY INCIDENT RESPONSE – mangools.com
So, organizations are getting on board with cyber risk, and this is great news. I’ve been writing, tweeting, and giving talks about how to respond to cyber incidents for some time now—and companies are listening. Many are now taking action.
If you’re ready to get on board with properly minimizing the risk to your organization and data during or after a breach, but are not 100% sure of the process—this is the place to start. I’ll provide some procedure resources for handling the cyber incident response process, but let’s start by addressing 4 common questions.
- What is incident response?
Incident response is an organization’s reaction to halting and recovering from a cybersecurity incident, and the response plan must be in place before the incident occurs. Incident response is one of the major components to helping an organization become more resilient to cyber attacks.
You may already know a security incident as:
- An information security incident
- An IT security incident
- A network security incident
- A security breach
- A data breach
- A cyber attack
- A ransomware attack
- Or, “We’ve been hacked!”
They’re all pretty much cut from the same cloth, and the only good response is to meticulously follow a tailored cyber incident response plan (CIRP) that you have ready to go at a moment’s notice.
The goal of having an incident response plan is to ensure that your organization is fully prepared for, and ready to respond to any level of cybersecurity incident fast and effectively. And today, incidents are inevitable. All that varies is the breadth and depth.
Here’s Gartner’s definition of a CIRP: Also known as a “computer incident response plan,” this is formulated by an enterprise to respond to potentially catastrophic, computer-related incidents, such as viruses or hacker attacks. The CIRP should include steps to determine whether the incident originated from a malicious source — and, if so, to contain the threat and isolate the enterprise from the attacker.
- Is there a difference between incident response and incident handling?
Well, yes, although response and handling go hand in hand, and without both, you do not have a sound incident response process. Incident response refers to the technical aspects of incident analysis and containment, whereas incident handling refers to the human responsibilities: the communications, coordination, and cooperation required to see the process through.
- What is the incident response life cycle?
The life cycle of a cyber incident is defined by the stages a typical incident goes through, and it includes everything from preparing for an incident to analyzing the lessons you learned after experiencing one. I like this version of the incident response life cycle:
Preparation > Incident Discovery and Confirmation > Containment and Continuity > Eradication > Recovery > Lessons Learned
- What are the different types of information security incidents?
There are many types of cybersecurity incidents that can result in intrusions on your organization’s network or full-on data breaches, but I’m going to focus on the six to which I believe organizations are most vulnerable:
- Phishing attacks: you click on a link in an authentic-looking email and end up giving away sensitive information (like a password), or enabling ransomware or some other malware. Companies are super-vulnerable to phishing attacks because cybercriminals target the weakest links in most companies—its employees—and success rates are high! A more targeted type of phishing attack known as spearfishing occurs when the attacker invests time researching the victim in order to pull off an even more successful attack.
- Denial-of-service (DoS) attacks: the point of this attack is to shut down an individual machine or entire network so that it cannot respond to service requests. DoS attacks achieve this by inundating the target with traffic or sending it some information that triggers a crash.
- Man-in-the-middle (MitM) attacks: an outside entity intercepts and alters the communication between two parties who believe they are communicating with each other. By impersonating them both, the attacker manipulates both victims in an effort to gain access to data. The users are blissfully unaware that they are both talking to an attacker. Session hijacking, email hijacking, and Wi-Fi eavesdropping are all examples of MitM attacks.
- Drive-by attacks: a common method of spreading malware, criminal hackers seek out insecure websites and plant a malicious script into code on one of the pages. The script could install malware onto the computer of someone who visits the site or re-direct the victim to a different site controlled by the hackers.
- Password attacks: this sort of attack is aimed specifically at obtaining a user or an account’s password. Criminal hackers use a variety of techniques for getting their hands on passwords, such as password-cracking programs, dictionary attacks, password “sniffers”, or brute-force password guessing, often based on some personal knowledge of an individual (like the birthday, dog’s name, etc.) This is why strong passwords are so important.
- Malware and ransomware attacks: a broad term for any sort of malicious software that’s installed on your system without your consent can be considered malware. You are probably familiar with many types of malware—file infectors, worms, Trojans, ransomware, adware, spyware, logic bombs, and different types of viruses. Some are inadvertently installed when an employee installs freeware or other software, clicks on an ad, or visits an infected website. The possibilities are endless, therefore so are the chances of an employee falling victim to a malware attack.
Related Materials: Download our Free Guide – Ransomware on the Rise (Best practices to become more resilient so you can avoid being the next ransomware victim).
Industry-specific cybersecurity incident reporting
The incident response process described in the life cycle above is largely the same for all organizations, but the incident reporting procedure varies for certain industries. For example, if you’re in the healthcare industry you may need to observe the HIPAA incident reporting requirements.
These are some industry regulations that have very specific laws around incident reporting, and who they apply to:
HIPPA – if you create, receive, maintain or transmit electronically protected health information
FISMA/NIST – if you’re a Federal agency or government contractor
PCI DSS – if you accept, store, or transmit credit card data
NERC/CIP – if you’re an energy and utility company
SOX – if your organization is a public company (though in some cases private companies must also comply with SOX regulations)
NYCRR – if You’re a New York insurance company, bank, or other regulated financial services institution
If your organization must adhere to any of the above regulations, you must familiarize yourself with the incident reporting requirements that might uniquely apply to your industry. Links to helpful industry-specific information can be found in the incident response template.
The template also has:
- Customization instructions
- Assembling an incident response team, including IT, compliance, and communications representatives
- Threat classification
- A sample cyber Incident
- Phase of the incident, and the appropriate actions to take at each step (the template ensures you capture all the right information)
As an additional resource, our whitepaper provides a broader incident response strategy.
Incident response is a plan I hope you’ll never need
I talk about the incident response process often, but always with the hope that you’ll never need to report an incident. And as more organizations take steps to protect themselves, become more resilient and recover quickly, I look forward to seeing fewer victims of cybercrime.
In the past few years, Gartner’s number 1 security project is privileged account management (PAM) But like incident response, Cybersecurity has a technical AND a human aspect—employee cyber awareness training is critical to your organization’s security. cybercriminals view employees as the fast track into your company’s network, so security training should be introduced on day one of your new hire orientation process.
No cybersecurity solution is bulletproof
No solution you choose to protect your privileged access, nor any amount of employee training, will guarantee you bullet-proof cybersecurity. After all, the cybercriminal’s ongoing challenge is to stay a step ahead of you. But having a rock-solid incident response procedure in place can minimize the damage—even stop it before it gets a foothold—and save you money, time, and your reputation.
What should be included in a cyber incident report? ›
Helpful information could include who you are, who experienced the incident, what sort of incident occurred, how and when the incident was initially detected, what response actions have already been taken, and who has been notified.What are the 6 phases in a cyber incident response plan? ›
Many organisations use NIST's Computer Security Incident Handling Guide as the basis of their incident response plan. It contains six phases: preparation, identification, containment, eradication, recovery and lessons learned.How do you write a security incident report? ›
- Take notes. Details and observations make up the bulk of your security reports. ...
- Start with a summary. ...
- Detail the narrative. ...
- Follow the form. ...
- Proofread. ...
- Avoid emotional language. ...
- Avoid abbreviations and conjunctions. ...
- Be prompt.
- Threat Detection.
Man-in-the-middle (MitM) attack
In this attack, the attacker manipulates both victims to gain access to data. Examples of MitM attacks include session hijacking, email hijacking and Wi-Fi eavesdropping.
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in March 2022, requires critical infrastructure companies to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA).What are the 5 6 major stages of incident response? ›
Incident response is typically broken down into six phases; preparation, identification, containment, eradication, recovery and lessons learned.Which one is most important aspect of incident response? ›
Detection. One of the most important steps in the incident response process is the detection phase. Detection (also called identification) is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.How do you write an incident response plan? ›
- STEP 1: IDENTIFY AND PRIORITIZE ASSETS. ...
- STEP 2: IDENTIFY POTENTIAL RISKS. ...
- STEP 3: ESTABLISH PROCEDURES. ...
- STEP 4: SET UP A RESPONSE TEAM. ...
- STEP 5: SELL THE PLAN.
A Cybersecurity Incident Response Plan is a document that gives IT and cybersecurity professionals instructions on how to respond to a serious security incident, such as a data breach, data leak, ransomware attack, or loss of sensitive information.
What are the requirements for the successful incident response? ›
- Step 1: Preparation. ...
- Step 2: Identification. ...
- Step 3: Containment. ...
- Step 4: Eradication. ...
- Step 5: Recovery. ...
- Step 6: Lessons Learned.
The NIST incident response lifecycle breaks incident response down into four main phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Event Activity.What six points should be included in an incident report? ›
- The time and date the incident occurred. ...
- Where the incident occurred. ...
- A concise but complete description of the incident. ...
- A description of the damages that resulted. ...
- The names and contact information of all involved parties and witnesses. ...
- Pictures of the area and any property damage.
As a rule of thumb, a security report should include the “who,” “what,” “when,” “where,” “why” and “how” of an incident.What makes a good incident report? ›
Effective Incident Reports identify the facts and observations. They avoid inclusion of personal biases; they do not draw conclusions/predictions, or place blame. Effective Incident Reports use specific, descriptive language and identified the action(s) taken by staff as a result of the unusual incident.How many types of security incidents and responses are there? ›
Although security incidents are nothing new for businesses across industries, cybersecurity is quickly gaining traction as one of the top concerns for organizations in 2022.What are the 3 components of information security? ›
When we discuss data and information, we must consider the CIA triad. The CIA triad refers to an information security model made up of the three main components: confidentiality, integrity and availability.Which of the following are information security incidents choose all the correct answers? ›
Explanation: Disaster, eavesdropping and information leakage come under information security threats whereas not changing the default password of any system, hardware or any software comes under the category of vulnerabilities that the user may pose to its system.Why should you immediately report a cybersecurity incident? ›
Why is it Important to Report Security Incidents? There could be very serious ramifications for failing to so. There could be a significant loss of trust in the business, thus resulting in a loss of revenue. There could be legal implications, such as lawsuits and large fines.Why is IT important to report security incident immediately? ›
Reporting IT security incidents immediately gives us the best chance of identifying what occurred and remediating it before IT resources can be fully exploited. If you suspect or observe that an IT security incident has occurred, report it immediately.
Where should all cyber security incidents be reported? ›
- Contact us.
- Report a cybercrime or cyber security incident.
- Portal login.
- Australian Cyber. Security Hotline. 1300 CYBER1 (1300 292 371)
Cyber security incident reporting is a tool in an organisation's armoury and part of a layered defence system. Incident reporting provides the framework for effective incident management.What would be classed as a cyber incident? ›
The NCSC defines a cyber incident as a breach of a system's security policy in order to affect its integrity or availability and/or the unauthorised access or attempted access to a system or systems; in line with the Computer Misuse Act (1990).What are the five steps of incident response in order? ›
- Lessons Learned.
An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.How do you respond to a data security incident? ›
- Step one: Don't panic. ...
- Step two: Start the timer. ...
- Step three: Find out what's happened. ...
- Step four: Try to contain the breach. ...
- Step five: Assess the risk. ...
- Step six: If necessary, act to protect those affected. ...
- Step seven: Submit your report (if needed)
Reporting IT security incidents immediately gives us the best chance of identifying what occurred and remediating it before IT resources can be fully exploited. If you suspect or observe that an IT security incident has occurred, report it immediately.What are the three types of security incidents? ›
Examples of security incidents include: Computer system breach. Unauthorized access to, or use of, systems, software, or data. Unauthorized changes to systems, software, or data.What is the difference between an incident and a breach? ›
A security incident refers to a violation of a company's security policy. On the other hand, a security breach is when an unauthorized actor gains access to data, applications, network, or devices which results in information being stolen or leaked.What is the difference between an event and an incident? ›
Events and Incidents Comparison Summary
an event is raised to indicate a happening on the network or in Entuity. an incident indicates the persistence of an event, and can be called, amended and closed by more than one type of event.
What are the 5 6 major stages of incident response? ›
Incident response is typically broken down into six phases; preparation, identification, containment, eradication, recovery and lessons learned.What are the 2 main frameworks for cyber security incident response? ›
These are called Incident Response Frameworks, and two of the most commonly used ones are called the NIST and SANS frameworks. Let's dive into what each of these offers.How do I create a cybersecurity incident response plan? ›
- Assemble Your Incident Response Team. ...
- Identify Vulnerabilities and Specify Critical Assets. ...
- Identify External Cybersecurity Experts and Data Backup Resources. ...
- Create a Detailed Response Plan Checklist. ...
- Design a Communications Strategy. ...
- Test and Regularly Update Your Response Plan.
Stolen passwords are one of the simplest and most common causes of data breaches. Far too many people rely on predictable phrases like 'Password1' and '123456', which means cyber criminals don't even need to break into a sweat to gain access to sensitive information.Which of the following is not an information security incident? ›
Occurrences such as incidental access by employees or other trusted persons where no harm is likely to result will usually not be considered information security incidents.What is the difference between a cybersecurity event and a cybersecurity incident? ›
Security incidents typically happen less often than cybersecurity events. A security incident always has consequences for the organization. If an event causes a data or privacy breach, it immediately gets classified as an incident. Incidents must get identified, recorded, and remediated.