Incident Response Methodology For Small Automated Production Companies

Incident Response Methodology

The Organization is a locally based small automated production company that prints the labels required for cardboard packaging. The Company has recently recognized the need for an incident response framework for reporting incidents (Shinde and Kulkarni 2021). This paper guides the selection of a suitable incident response methodology. The key terminology related to pre-incident response is described first. Next, the procedures associated with detection are described along with the critical components of security, the types of attacks and the key attack terms. The processes for handling incidents are then set out along with the duties of the response teams. Finally, the paper explains the stages of responding to an incident.


Being automated, the Company is vulnerable to a wide range of attacks and issues that can hamper the effectiveness of its business operations. Incident response capabilities are the sets of information security policies and guidelines that describe best practices for identifying, containing and eliminating security threats and issues. Incident response is the structured process the Organization uses to deal with network security issues. The goal of incident response is to manage an incident effectively, limiting the damage, the loss of time and cost, and collateral damage such as harm to the Company’s reputation. The Organization needs a clear plan for incident response. This paper therefore selects the National Institute of Standards and Technology (NIST) incident response framework, which provides the Company with standards, guidelines and recommendations.

The NIST framework for incident response is a cycle of activities that supports continuous improvement, advancement and learning of ways to protect the Organization from incidents while adhering to best practices (Calder 2018). The four vital stages of the framework are preparation for the incident, detection and analysis of the incident, containment and eradication of the issue, and recovery from the incident (Staves et al. 2022). The framework requires the Company to identify its incident response capabilities and to create guidelines, procedures and a response plan. The incident response process starts with preparing for a wide range of incidents and deriving methods to prevent them from occurring. Next, incidents are detected as they occur and analyzed so that the best procedures can be selected. Those procedures are then deployed to contain or eradicate the incident. Incidents are monitored as needed and addressed over the long term.

Preparation is the foundation of efficient incident response. Investigators have no advance knowledge of when an incident will occur, so without preparation, incidents are almost impossible to control. Preparation for response involves obtaining tools and procedures for incident response and taking action on the networks and systems that are part of the Company. The Organization prepares by developing strategies that make its operations and incident response efficient and proactive (Carter, Drury and Amlot 2020). The Organization needs to implement network-based security procedures, train the employees, deploy an intrusion detection system, establish a strong access control system, perform vulnerability assessments regularly, and ensure regular backups.

Identifying Key Pre-Incident Response Preparation

The preparation process for incidents starts with prioritizing the Company’s assets and capturing various baselines. A list of users, networks, databases, applications and key assets is compiled and ranked according to their impact on the Company’s operations (Wild et al. 2020). Asset values are quantified as accurately as possible. Traffic baselines and patterns are captured to establish what is normal for the Company. These patterns and baselines provide the foundation for spotting the anomalies that indicate potential incidents (Smith et al. 2021). Employees need to be engaged, communicated with and collaborated with so that the Company’s security measures and current security structure are understood, industry trends are reviewed and the key areas of concern are identified. Actions taken within the Company are directed, documented and reported through regular updates. Team members need to be given ample instruction, direction and guidance on their responsibilities and role in the Company.


The incident response framework provides the foundation for the incident detection procedures the Company adopts. Incident detection is not a generalized term covering corporate data protection and cybersecurity as a whole. Detection is a disciplined process that watches for and identifies new attacks on the network and systems, forms preventive measures, and builds teams and protocols for action when a vulnerability arises (Lin et al. 2020). Incident detection ensures that employees are aligned with the Company’s goals regarding network security. However, security alerts are increasingly ignored because alert fatigue sets in and becomes counterproductive. Managers have stated that they struggle to decide whether an incident is critical or a lower risk that does not require the same level of attention to resolve. A feasible procedure is therefore needed to detect incidents in the Company. Procedures for sound incident detection require the criticality of each problem to be identified and graded.

The process starts with contextualizing problems according to the level of risk they pose to the system, so that alerts on critical tasks can be prioritized with urgency. A well-founded hierarchy of risks should be in place to support risk management. The Company has to identify false alarms when facing new alerts. Incidents that occur are reviewed and analyzed to collect facts about the respective incident detected. Real-time detection should be achieved by implementing technological solutions that automate the detection and prioritization of risks and send appropriate alerts to dedicated personnel (Thaika, Tasneeyapant and Cheamanunkul 2018). Tools are available in the market that enhance manual incident detection capabilities. The Company must stay up to date on the latest attacks in order to detect one when it occurs.
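As an added illustration of the baseline-and-prioritization procedure described above (example code written for this page, not from the paper or the Company), the following Python scores each observation against a per-asset traffic baseline, discards deviations inside normal variation as false alarms, and weights the remainder by asset criticality. The asset names, criticality values, baseline figures and event lines are constructed assumptions.

```python
# Criticality-weighted alert triage against a traffic baseline.
# Added example, not part of the paper: the asset list, criticality values,
# baseline figures and event lines are all constructed for illustration.
import statistics
from dataclasses import dataclass

# Constructed asset inventory ranked by impact on the production line (1-5).
ASSET_CRITICALITY = {
    "production-plc": 5,
    "db-server": 5,
    "wifi-ap": 3,
    "guest-subnet": 1,
}

# Constructed baseline: bytes per 5-minute window during normal operation.
BASELINE = {
    "production-plc": [1200, 1300, 1250, 1180, 1220, 1270],
    "db-server": [52000, 50000, 51000, 53000, 49500, 50500],
    "wifi-ap": [8000, 12000, 9500, 11000, 10000, 9000],
    "guest-subnet": [500, 2000, 1500, 800, 1200, 900],
}

@dataclass
class Alert:
    asset: str
    observed_bytes: int
    zscore: float
    score: float
    level: str

def zscore(asset: str, observed: int) -> float:
    """Standard deviations between the observation and the asset's baseline."""
    data = BASELINE[asset]
    sd = statistics.stdev(data) or 1.0  # guard against a flat baseline
    return (observed - statistics.mean(data)) / sd

def triage(asset: str, observed: int, threshold: float = 3.0):
    """Return an Alert for a significant deviation, or None for a false alarm."""
    z = zscore(asset, observed)
    if abs(z) < threshold:
        return None  # inside normal variation: do not page anyone
    # Weight by criticality so a spike on the PLC outranks one on the guest subnet.
    score = abs(z) * ASSET_CRITICALITY[asset]
    level = "critical" if score >= 30 else "high" if score >= 15 else "low"
    return Alert(asset, observed, round(z, 2), round(score, 2), level)

def triage_events(lines):
    """Parse constructed 'asset=<name> bytes=<n>' lines; alerts sorted by score."""
    alerts = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        alert = triage(fields["asset"], int(fields["bytes"]))
        if alert is not None:
            alerts.append(alert)
    return sorted(alerts, key=lambda a: a.score, reverse=True)

# Constructed sample events for one window.
SAMPLE_EVENTS = [
    "asset=production-plc bytes=4000",  # PLC sending far more than usual
    "asset=db-server bytes=51500",      # within normal variation
    "asset=wifi-ap bytes=18000",        # moderate spike on the access point
    "asset=guest-subnet bytes=3000",    # similar spike, low-value asset
]

if __name__ == "__main__":
    for alert in triage_events(SAMPLE_EVENTS):
        print(f"{alert.level:8} {alert.asset:15} z={alert.zscore:6.2f} score={alert.score}")
```

The guest subnet and the PLC both deviate by several standard deviations, yet only the PLC reaches the critical level, which is the effect the asset prioritization step is meant to produce.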

Procedures Associated with Detection

The Company operates locally as a small automation-based production line offering a label printing service for cardboard packaging. Being automation-based, and relying on a wireless network for communication among employees throughout the Organization, makes the Company vulnerable to attacks. The Company stores its whole database on a central server, which makes it susceptible to risk. The automated production network needs to be segmented first by implementing a production firewall, along with firewalls for the other automated operations in the system, creating a multi-layered defence that safeguards the Company’s critical production line.

The CCTV system connected to the server needs to be updated with the best security measures and strong passwords for accessing video files. The Wi-Fi network needs to be secured by moving the access point to a secure location. Subnets need to be created to isolate guests, administrators and employee departments from one another. The Wi-Fi needs a unique Service Set Identifier (SSID) and a strong password, and the network traffic needs to be encrypted for further security (Tran, Le and Vo 2018). The Company’s database needs real-time monitoring to detect security incidents (Chen 2020). The database needs to be backed up regularly to secure the data, and user authentication to the database should be strengthened.

Security considerations need to be understood in order to improve the Company’s network security and risk management. Designing a strategy is important to secure the Company because it operates largely automatically. Attacks originate mainly from the point of sale (PoS) system, third-party vendors and unprotected data. Practices need to evolve with recent technological trends and the changing likelihood of various cyberattacks. Security measures are needed to protect the Company’s valuable data from unlawful distribution and theft. The most basic step needed in the Company is the implementation of multiple firewalls over the production line, the network and the database to keep unauthorized persons from breaching the Company.

The Wi-Fi network should be able to police traffic flow in the Company with effective security measures. The Wi-Fi must use Wi-Fi Protected Access 2 (WPA2), a form of encryption that secures the network with encryption keys for access (Kwon and Choi 2020). The Company’s database needs to be secured by controlling user access and conducting regular backups to protect the data. The database can also be encrypted for further security of access. The production-line hardware that performs the automation needs to be hardened, and communication among members must be secured (Gazzan and Alqahtani 2021). There should be real-time monitoring and management of risks, and an ecosystem of tools and measures that achieves end-to-end security for the automated systems.

Network Security

Cyberattacks are common against companies that operate over the internet, and such companies are vulnerable to various types of cyberattack that hamper organizational operations. The attacks have developed alongside recent technological advancements. The types of attack therefore need to be understood in order to protect the Company. The attacks and exposures include the following:

  • The Company can face trouble with compromised credentials such as usernames and passwords that unauthorized persons can obtain, leading to attacks.
  • Credentials are often stolen, making the system vulnerable to access by the attacker.
  • Malicious employees can harm the Company from the inside by exploiting the vulnerabilities that affect the system (Miller et al. 2021).
  • Unencrypted data is vulnerable to attack, leading to a loss of data confidentiality.
  • Cyber-extortion is common, with various attacks targeted at the Company leading to serious breaches (Roškot, Wanasika and Kroupova 2020).
  • The relationship between the system and its users needs to be regulated by securing the communication domain.
  • Software and hardware components need to be patched promptly so that the Company is not exposed through unpatched vulnerabilities.
  • Security breaches can happen over the Wi-Fi network through targeted attacks that compromise network security.
  • The database can be breached by scripting attacks that exploit its vulnerabilities.

Cybersecurity attacks and threats are common in automated service-based companies. The key attacks that can occur in the label printing company are:

  • Network intrusion: Unauthorized access to the network must be mitigated to stop data theft, traffic flooding and uneven multi-routing.
  • Ransomware: The Company’s system, network or data are held hostage through illegitimate encryption in order to extort money from the victim (Reshmi 2021).
  • Brute force attacks: Repeated forceful attempts to gain access to legitimate accounts.
  • SQL injection attacks: The Company’s database is vulnerable to injected SQL commands that modify or delete data.
  • Denial of service attacks: These attacks are designed to overwhelm the system’s resources so that the system cannot service requests. During a distributed denial of service attack, the victim company is unable to provide services to its users (Bhatia, Behal and Ahmed 2018).
  • Phishing attacks: The attacker imitates a trusted source to obtain confidential information, combining technical tricks with social engineering. The attacks are conducted by sending unauthorized links and attachments that circulate around the business.
  • Malware attacks: Malware is malicious software installed on automated systems without consent, leading to infection and spread through file infectors, boot-record infectors, Trojans and worms.
  • Cross-site scripting (XSS) attacks: Malicious data infects the network by causing malicious scripts to be executed.
  • Eavesdropping attacks: The attacker intrudes on network security by obtaining confidential information through active or passive eavesdropping.

The NIST incident framework gives the Company guidelines for handling various security incidents and managing problems effectively. The framework provides a strategy for handling, containing and eradicating incidents before they escalate and cause greater harm to the Company. Incident containment and handling involve developing a remediation strategy, which requires active decision making. Incident management strategies vary according to the priority level of the risk (Akkuzu, Aziz and Liu 2018). The different containment strategies for each incident, together with the criteria for protection, are stated clearly to facilitate decision making.

The strategies are developed by determining the criteria for incident handling, including:

  • The likelihood of theft of the Company’s resources and the potential damage to operations
  • The need to preserve the evidence found
  • The availability of services, from network connectivity to database access
  • The effectiveness of the strategy in mitigating network attacks
  • The time required to resolve the issue

Attackers can be diverted to sandboxes, a form of containment used to monitor the attacker’s activities and gather further evidence. Incidents need to be isolated as soon as they are identified. Indicators of compromise need to be identified to assess the effectiveness of the isolation procedure (Sasahara et al. 2021). Backups need to be collected to determine whether the system can be contained. Forensic images need to be created to understand how the system was affected and to support a better investigation.

An incident response team consists of employees focused on responding to the Organization’s incidents and protecting it from cyber-attacks, system failures and data breaches. The roles in the response team are a team leader, a lead investigating officer, a communication liaison, legal representatives and risk analysts. The three main types of response team are the Computer Security Incident Response Team (CSIRT), the Security Operations Centre (SOC) and the Computer Emergency Response Team (CERT). The CSIRT facilitates the prevention, detection and response to incidents and handles incident reporting (Rantos et al. 2020). The SOC covers a broader scope of security measures in support of incident response by monitoring and securing systems. The CERT performs operations similar to the CSIRT but focuses mainly on partnership and collaboration with law enforcement, government, industry and academia (Ballaranoa and Macinab 2019). The CERT develops threat intelligence and establishes best practices for security responses.

Critical Components

An effective response team comprises a team leader responsible for coordinating the team’s activities and reporting them to upper-level management. Communication liaisons manage communication with employees about incidents and ensure that stakeholders are properly involved. The lead investigator focuses on investigating the incident and guides the efforts of the other risk analysts to enable an in-depth evaluation. The business risk analysts and researchers support the primary investigator by providing threat intelligence with context. The Company’s legal representative gives legal guidance on interaction and compliance with law enforcement agencies and sets standards for forensics. Selecting the right team, with the correct personnel to manage the various aspects of the incident, is vital.

There are four stages of responding to an incident in the Company under the NIST incident response framework: preparation, detection and analysis, containment and eradication, and post-incident activities. Response starts with preparation, anticipating likely incidents and identifying their importance, which is critical for the Company. There must be a baseline for monitoring pre-incident activity to determine what needs to be investigated further. The types of event are identified for further investigation, and the response steps are created before an incident occurs.

The next stage is detection and analysis, where detection controls collect data from the system and identify the indicators and precursors that might affect the Company. Analysis establishes a baseline of normal activity, correlates it with recent incidents and checks how the incident deviates from normal behaviour. The aim of containment and eradication is to mitigate attacks that would otherwise overwhelm resources or damage operations. The containment strategy depends on the level of damage an incident can cause, the Company’s need for critical services and the time required to contain the incident. It is important to identify the attackers and validate services while containing incidents. Containment allows communication between the Company and the attacker to be blocked (Thompson 2018). The final step is the documentation of post-incident activities to improve the overall process. The incident findings are recorded, and the Company’s policies and guidelines for carrying out incident response are adjusted accordingly.

Conclusion:

The local automated label printing shop serving cardboard packaging has recently recognized the need for an incident response infrastructure that can mitigate the company’s issues. The paper gives a clear view of the incident response methodology suitable for the Company and identifies the key pre-incident response preparation. Next, it explains the procedures associated with detecting incidents and the aspects of network security: its critical components, attack types and attack terminology. It then describes the procedures for handling incidents and the main duties of the response team. Finally, the stages of responding to an incident are described.

References:

Akkuzu, G., Aziz, B. and Liu, H., 2018, July. Feature analysis on the containment time for cyber security incidents. In 2018 International Conference on Wavelet Analysis and Pattern Recognition (ICWAPR) (pp. 262-269). IEEE.

Ballaranoa, L. and Macinab, M., 2019. Transformation: Evolving from SOC to CERT. Next Generation CERTs, 54, p.82.

Bhatia, S., Behal, S. and Ahmed, I., 2018. Distributed denial of service attacks and defense mechanisms: current landscape and future directions. In Versatile Cybersecurity (pp. 55-97). Springer, Cham.

Calder, A., 2018. NIST Cybersecurity Framework: A pocket guide. IT Governance Publishing Ltd.

Carter, H., Drury, J. and Amlot, R., 2020. Recommendations for improving public engagement with pre-incident information materials for initial response to a chemical, biological, radiological or nuclear (CBRN) incident: a systematic review. International Journal of Disaster Risk Reduction, 51, p.101796.

Chen, W., 2020. Intelligent manufacturing production line data monitoring system for industrial internet of things. Computer Communications, 151, pp.31-41.

Gazzan, M., Alqahtani, A. and Sheldon, F.T., 2021, January. Key Factors Influencing the Rise of Current Ransomware Attacks on Industrial Control Systems. In 2021 IEEE 11th Annual Computing and Communication Workshop and Conference (CCWC) (pp. 1417-1422). IEEE.

Kwon, S. and Choi, H.K., 2020. Evolution of Wi-Fi protected access: security challenges. IEEE Consumer Electronics Magazine, 10(1), pp.74-81.

Lin, Y., Li, L., Jing, H., Ran, B. and Sun, D., 2020. Automated traffic incident detection with a smaller dataset based on generative adversarial networks. Accident Analysis & Prevention, 144, p.105628.

Miller, T., Staves, A., Maesschalck, S., Sturdee, M. and Green, B., 2021. Looking back to look forward: Lessons learnt from cyber-attacks on Industrial Control Systems. International Journal of Critical Infrastructure Protection, 35, p.100464.

Rantos, K., Spyros, A., Papanikolaou, A., Kritsas, A., Ilioudis, C. and Katos, V., 2020. Interoperability challenges in the cybersecurity information sharing ecosystem. Computers, 9(1), p.18.

Reshmi, T.R., 2021. Information security breaches due to ransomware attacks-a systematic literature review. International Journal of Information Management Data Insights, 1(2), p.100013.

Roškot, M., Wanasika, I. and Kroupova, Z.K., 2020. Cybercrime in Europe: surprising results of an expensive lapse. Journal of Business Strategy.

Sasahara, H., Ishizaki, T., Imura, J.I. and Sandberg, H., 2021. Disconnection-Aware Attack Detection and Isolation With Separation-Based Detector Reconfiguration. IEEE Transactions on Control Systems Technology.

Shinde, N. and Kulkarni, P., 2021. Cyber incident response and planning: a flexible approach. Computer Fraud & Security, 2021(1), pp.14-19.

Smith, R., Janicke, H., He, Y., Ferra, F. and Albakri, A., 2021. The agile incident response for industrial control systems (AIR4ICS) framework. Computers & Security, 109, p.102398.

Staves, A., Anderson, T., Balderstone, H., Green, B., Gouglidis, A. and Hutchison, D., 2022. A cyber incident response and recovery framework to support operators of ICS and Critical National Infrastructure. International Journal of Critical Infrastructure Protection, p.100505.

Thaika, M., Tasneeyapant, S. and Cheamanunkul, S., 2018, July. A fast, scalable, unsupervised approach to real-time traffic incident detection. In 2018 15th International Joint Conference on Computer Science and Software Engineering (JCSSE) (pp. 1-6). IEEE.

Thompson, E.C., 2018. Cybersecurity incident response: How to contain, eradicate, and recover from incidents. Apress.

Tran, M.A.T., Le, T.N. and Vo, T.P., 2018, November. Smart-config wifi technology using ESP8266 for low-cost wireless sensor networks. In 2018 International Conference on Advanced Computing and Applications (ACOMP) (pp. 22-28). IEEE.

Wild, J., Greenberg, N., Moulds, M.L., Sharp, M.L., Fear, N., Harvey, S., Wessely, S. and Bryant, R.A., 2020. Pre-incident training to build resilience in first responders: recommendations on what to and what not to do. Psychiatry, 83(2), pp.128-142.