m o c . 5 b u h t i g Cyber Security Incident Response Guide Version 1 Cyber Security Incident Response Guide Published by: CREST Tel: 0845 686-5542 Email: admin@crest-approved.org Web: http://www.crest-approved.org/ Principal Author Jason Creasey, Managing Director, Jerakano Limited DTP notes m o c . 5 Principal reviewer Ian Glover, President, CREST b u h t i g For ease of reference, the following DTP devices have been used throughout the Guide. Acknowledgements CREST would like to extend its special thanks to those CREST member organisations and third parties who took part in interviews, participated in the workshop and completed questionnaires. Warning This Guide has been produced with care and to the best of our ability. However, CREST accepts no responsibility for any problems or incidents arising from its use. A Good Tip ! A Timely Warning An insightful Project Finding Quotes are presented in a box like this. © Copyright 2013. All rights reserved. CREST (GB). 2 Cyber Security Incident Response Guide Key findings The top ten findings from research conducted about responding to cyber security incidents, undertaken with a range of different organisations (and the companies assisting them in the process), are highlighted below. 1  yber security incidents, particularly C serious cyber security attacks, such as advanced persistent threats (APTs), are now headline news. They bring serious damage to organisations of all types – and to government and international bodies. Ways to respond to these attacks in a fast, effective and comprehensive manner are actively being developed at the very highest level in corporate organisations, government bodies and international communities such as the World Economic Forum, where cyber security attacks are seen as a major threat. m o c . 5 CYBER SECURITY INCIDENT b u 2 T here is no common understanding of what a cyber security incident is, with a wide variety of interpretations. With no agreed definition– and many organisations adopting different views in practice – it is very difficult for organisations to plan effectively and understand the type of cyber security incident response capability they require or the level of support they need. 3 T he original government definition of cyber security incidents as being state-sponsored attacks on critical national infrastructure or defence capabilities is still valid. However, industry – fuelled by the media – has adopted the term wholesale and the term cyber security incident is often used to describe traditional information (or IT) security incidents. This perception is important, but has not been fully explored – and the term cyber is both engaging and here to stay. 4 5 h t i g T he main difference between different types of cyber security incident appears to lie in the source of the incident (eg a minor criminal compared to a major organised crime syndicate), rather than the type of incident (eg hacking, malware or social engineering). At one end of the spectrum come basic cyber security incidents, such as minor crime, localised disruption and theft. At the other end we can see major organised crime, widespread disruption, critical damage to national infrastructure and even warfare. Furthermore, the nature of attacks is changing from public displays of capability to targeted attacks designed to be covert.  rganisations vary considerably in terms of the level of maturity in their cyber security incident response O capability, but also in the way in which they need to respond. Whilst good practice exists – and is being improved – the lack of both a common understanding and a detailed set of response guidance is limiting organisational capabilities and approaches, as well as restricting important knowledge sharing activities. 3 Cyber Security Incident Response Guide 6 F ew organisations really understand their ‘state of readiness’ to respond to a cyber security incident, particularly a serious cyber security attack, and are typically not well prepared in terms of: • P eople (eg assigning an incident response team or individual; providing sufficient technical skills; enabling decisions to be taken quickly; and gaining access to critical third parties) •  Process (knowing what to do, how to do it and when to do it), eg identify cyber security incident; investigate situation; take appropriate action (eg contain incident and eradicate cause); and recover critical systems, data and connectiv