Incident Response Planning

Imagine that one day the head of school receives an email from a colleague with an attachment or a link. She unwarily opens the attachment or clicks on the link and sees a message on the computer screen informing her that the school’s files have been encrypted and that she must pay a ransom in bitcoin or the files will be deleted. She then tries to access the files, but they are all inaccessible. She quickly calls IT, who check the school’s backups, only to find that they are encrypted too. Everyone quickly realizes that the school has been hit by ransomware—a type of malicious software that encrypts the victim’s data and demands a ransom for its decryption.

What should the school do next? Who should the school call? How will the school recover the data? How will the school deal with the legal implications? These are some of the questions that the school will need to answer quickly and effectively in order to minimize the impact of the incident.

This realistic scenario demonstrates why it is prudent to prepare for a cyber incident before it occurs. As President John F. Kennedy once said, “The time to repair the roof is when the sun is shining.” In other words, it is best to create an incident response plan when the situation is favorable, rather than waiting for a crisis to occur and then scrambling to respond. 

This article provides an overview of the tasks that may be required by a cyber incident, and the objectives of each of the various workstreams.

The Incident Response Lifecycle

Overview

Before diving into the incident response planning process, it is helpful to understand the typical incident response lifecycle. Upon discovering a cyber incident, a school typically reaches out to its internal team (e.g., IT, leadership, public relations) and then to its external partners (insurance, vendors, etc.) for assistance. It is preferable to call legal counsel early and often, so that third-party vendors are retained subject to the attorney-client privilege and counsel can guide the response. The school and its partners will need to contain the malware, recover, and remediate. Third-party forensics will determine what data (if any) was accessed or acquired. Data mining may be required to determine which individuals must be notified. Many of these workstreams will run in parallel and require expert guidance to ensure that the school recovers quickly and meets its legal and other obligations.

Discovery

Some common ways that schools discover they have fallen prey to a cyber incident include ransom messages demanding compensation, system unavailability, or alerts from security tools. But some attacks go unnoticed for an extended period of time. Therefore, schools should have a robust monitoring and detection system in place, as well as a culture of reporting and escalation.

Once an incident is detected, the school should leverage forensics vendors (retained through counsel) to try to determine the type of attack, how it happened, and what data or systems are affected. For example, if it is a ransomware attack, the school and its vendors should seek to ascertain whether it is a single or double extortion scheme (where the attackers not only encrypt the school’s data but also threaten to leak it), how much time the school has to respond, and whether paying the ransom is feasible or advisable.

Activation of Incident Response Plan

The school’s incident response plan should be readily accessible by all relevant parties, preferably in both electronic and hard copy formats, and stored in a secure location. The incident response plan should designate who has the authority and responsibility to oversee and coordinate the entire response process and include a list of internal and external contacts that the school needs to notify or consult in the event of an incident. The incident response plan should have a classification system that categorizes incidents based on their severity, impact, urgency, and complexity, which should help the school prioritize its actions and allocate its resources accordingly.

Vendor Engagement Timing

To save time and potentially achieve better results in its incident response, the school should pre-engage external vendors, such as legal counsel and a forensic investigator, that have relevant and proven experience in handling similar incidents. By having retainer agreements in place before an incident occurs, the school can avoid delays in contract negotiation and approval and ensure that it has access to qualified and experienced professionals who are already familiar with the school. The school should check whether its cyber insurance policy covers or requires the use of certain vendors approved by its insurance carrier. Such pre-approval also reduces the chance that the insurer will require the school to change vendors mid-incident.

Legal Workstreams

As mentioned, the school should retain legal counsel in advance of an incident so that they can help the school assess its legal obligations and risks, protect the school’s privilege and confidentiality, negotiate with third parties, prepare for litigation, develop and review the school’s incident response plan and policies, and conduct training and simulations. Moreover, legal counsel can work with the school’s insurance carrier to provide notice of claim, seek vendor approval, produce a budget, apprise the insurance carrier of any updates, and seek ransom payment approval.

Legal counsel should engage the forensic investigator, who can conduct a forensic analysis to help investigate the incident and collect evidence. The forensic investigator can help the school determine the cause and scope of any breach, identify the attackers and their methods, recover or restore data or systems, and prevent or mitigate further damage. Further, legal counsel can analyze (or have another external vendor analyze) the compromised data identified by the forensic investigator in order to identify potential legal obligations or implications, such as notification requirements; to field inquiries from individuals, regulators, and other entities; and to defend the school against lawsuits related to the incident.

Threat Hunt and Forensics

The forensic vendor will also help the school identify and eliminate any malicious actors or activities that may still be present in the school’s network; look for indicators of compromise (IOCs); and collect and analyze evidence that helps establish how the attack happened, what was compromised or exfiltrated, and how to prevent it from happening again. The goal is to contain and eradicate any threat sources, trace the attack path, assess the extent and severity of the damage, and restore the normal operations of the affected systems.

Ransom Negotiation and Possible Payment

Ransom negotiation and possible payment require careful planning and coordination, such as obtaining written approval from the school’s insurance carrier; ensuring legal compliance with the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) regulations that prohibit transactions with sanctioned entities; and engaging with professional negotiators who can communicate with the threat actor, facilitate the payment process using cryptocurrency or other means, verify decryption keys and tools provided by the threat actor, and check the integrity and functionality of the data.

Public Relations

Public relations helps in managing a ransomware incident, because the incident can affect the trust and reputation of the school. Public relations requires a clear and consistent communication strategy that aligns with the incident response plan, as well as a proactive and transparent approach that addresses the concerns and expectations of various audiences. It is important to use accurate and consistent terminology when communicating about cyber incidents or events, both internally and externally. Using terms like “breach”, “hack”, or “attack” can create unnecessary panic, confusion, or legal implications. Instead, the school should consider using neutral and factual terms like “incident” or “event” to describe any situation where the school’s security policies or controls may have been violated or compromised. This way, the school can avoid spreading misinformation, damaging its reputation, or exposing itself to liability. The goal is to craft appropriate messages that convey the facts, the actions taken by the school, the impact on data and services, and the steps taken to prevent future incidents. Public relations also involves responding to external inquiries and providing notice to the media in a timely manner.

Document Review and Data Mining

Document review and data mining require identifying the scope of data that was accessed or acquired by the threat actor, programmatically or manually reviewing that data, extracting relevant information such as personally identifiable information (PII) or protected health information (PHI), producing a data file that can be used for further analysis or reporting, and making legal determinations based on applicable laws. The goal of this step is to comply with any applicable data breach notification laws or regulations, as well as to protect the privacy and security of the affected individuals.
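The programmatic part of that review, as an added illustration rather than code from the article or any vendor: the script below scans a small set of constructed sample files for a few data elements (SSN, email, date of birth, a diagnosis line), aggregates the hits into one record per named individual, applies a constructed triage rule for which elements are notifiable on their own, and renders the data file that counsel or a notification vendor would consume. The file contents, the name-line convention, the pattern list and the triage rule are all assumptions made for the example; counsel makes the real determinations.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample files (hypothetical) standing in for the set the forensic investigator identified.
SAMPLE_DOCUMENTS = {
    "hr/benefits_2023.txt": "Employee: Jane Doe\nSSN: 123-45-6789\nEmail: jane.doe@example.edu\n",
    "admissions/applicant_42.txt": "Applicant: John Roe\nEmail: john.roe@example.net\nDOB: 2008-04-17\n",
    "nurse/visit_log.txt": "Student: Jane Doe\nEmail: jane.doe@example.edu\nDiagnosis: asthma\n",
    "facilities/boiler_manual.txt": "Annual boiler inspection checklist.\n",
}

NAME_RE = re.compile(r"^(?:Employee|Applicant|Student):\s*(.+)$", re.M)
# Data elements to extract; this list is an assumption for the example, not a legal definition.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob": re.compile(r"^DOB:\s*\d{4}-\d{2}-\d{2}$", re.M),
    "phi": re.compile(r"^Diagnosis:\s*\S+", re.M),
}
NOTIFIABLE_ALONE = {"ssn", "phi"}  # constructed triage rule; counsel decides in a real incident

def scan_document(path, text):
    """Return who a file is about and which data elements it contains."""
    match = NAME_RE.search(text)
    elements = {label for label, rx in PATTERNS.items() if rx.search(text)}
    return {"path": path, "name": match.group(1).strip() if match else None, "elements": elements}

def build_notification_file(documents):
    """Aggregate per-file hits into one record per affected individual."""
    people = defaultdict(lambda: {"elements": set(), "files": set()})
    for path, text in documents.items():
        hit = scan_document(path, text)
        if hit["name"] and hit["elements"]:  # skip files with no person or no PII/PHI
            people[hit["name"]]["elements"] |= hit["elements"]
            people[hit["name"]]["files"].add(path)
    return [{"name": n, "elements": ";".join(sorted(p["elements"])),
             "files": ";".join(sorted(p["files"])),
             "notifiable": bool(p["elements"] & NOTIFIABLE_ALONE)}
            for n, p in sorted(people.items())]

def to_csv(records):
    """Render the data file handed to counsel or the notification vendor."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "elements", "files", "notifiable"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()
```

Running `to_csv(build_notification_file(SAMPLE_DOCUMENTS))` yields one row for Jane Doe (SSN, email and a diagnosis across two files, flagged notifiable) and one for John Roe (email and date of birth only, not flagged); the boiler manual contributes nothing.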

Notification

One of the key roles of legal counsel is to determine who needs to be notified, what they must be notified about, and what type of notification is necessary (i.e., individual notices—email, phone, mail; substitute notices—website, social media; media notices—press release, interview; or regulatory notices—a letter to the regulator). Depending on the nature and scope of the breach, the school may have different obligations to provide credit monitoring services, identity theft protection, or other remedies to the affected individuals. The school should expect to receive post-notification inquiries from individuals, regulators, and the media.

To facilitate the notification process, the school may wish to use vendor services. For instance, some vendors have access to the National Change of Address (NCOA) system, which reduces undeliverable mail by providing the vendor with the most current address information for individuals. Other vendors can help the school set up and operate a call center or credit monitoring services, or provide reporting to the school or regulators on the status and outcomes of the notification process.

Post-Incident Improvements

The final step in the incident response lifecycle is to improve the school’s security posture in an effort to prevent future cyber incidents or breaches. This step involves identifying and fixing relevant vulnerabilities by leveraging intelligence gleaned from threat hunt activities; conducting a thorough post-mortem analysis; implementing additional security measures to enhance the school’s defense against future attacks; and updating or modifying the school’s incident response plan based on the school’s experience and feedback received throughout the incident response lifecycle.

Incident Response Planning

According to the Cybersecurity and Infrastructure Security Agency (CISA), an “Incident Response Plan is a written document, formally approved by the senior leadership team, that helps [an] organization before, during, and after a confirmed or suspected security incident”; clarifies the organization’s roles and responsibilities; provides guidance on key activities; and includes a list of key people who may be needed during a crisis. As a general approach, a school’s incident response plan should be flexible—as incidents may differ in their nature and severity—and use non-technical writing that is easy to understand and follow for all levels of staff.

A school should have a printed copy of its incident response plan that can be accessed in the event of a power outage or network failure and a backup copy stored in a safe location. The school should identify responsible contacts who will have a copy of the incident response plan at their homes or at other secure locations. A copy of the school’s cyber insurance policy should accompany the incident response plan.

As a practical matter, when creating an incident response plan, a school should review its cyber insurance policy to understand what it covers and what it excludes in the event of a cyber incident, and how to file a claim and seek reimbursement for the school’s expenses. Moreover, as mentioned previously, the school should, prior to any cyber incident, establish relationships with vendors that can assist with various aspects of its incident response plan and negotiate service level agreements (SLAs) that specify the scope, quality, and cost of their services, as well as their availability and response time in case of an emergency. Be aware that the cyber insurance policy might affect the school’s vendor selection.

Elements of the Incident Response Plan

The school’s incident response plan should include (i) an overview/purpose section; (ii) a section that identifies the members and backup members of the incident response team and their respective roles; and (iii) a section that describes the school’s incident response procedures (i.e., procedures related to preparation, detection, escalation, prioritization, investigation and response, reporting and notification requirements, internal and external communication, post-incident review and documentation, follow-up with external organizations, and plan maintenance and tests).

NIST Special Publication 800-61 Revision 2

The National Institute of Standards and Technology (NIST), an agency of the United States Department of Commerce, has published NIST Special Publication 800-61 Revision 2 (the “NIST Guide”), which is a computer security incident handling guide that consists of recommendations for developing an incident response plan. The NIST Guide recommends that an incident response plan include the following elements:

  • Mission
  • Strategies and goals
  • Senior management approval
  • Organizational approach to incident response
  • How the incident response team will communicate with the rest of the organization and with other organizations
  • Metrics for measuring the incident response capability and its effectiveness
  • Roadmap for maturing the incident response capability
  • How the program fits into the overall organization

The school’s mission, strategies, and goals should help determine the structure of the school’s incident response capability. The NIST Guide recommends reviewing the incident response plan at least annually.

Other Documents that Supplement the Incident Response Plan

Other documents that should supplement a school’s incident response plan include playbooks for specific common incidents (e.g., denial of service attacks, phishing, and virus or malware outbreaks); contact information sheets (including non-school email addresses); and pre-approved template emails and communications (for internal and external audiences) concerning requests for information from employees, school closure, and other operational communications (such as alerts or announcements).

Tabletop Exercises

Tabletop exercises are simulated cyber incidents that allow a school to practice its incident response plan in a safe and controlled environment. They can help the school identify gaps and weaknesses in its incident response plan, enhance its team’s skills and coordination, and increase the school’s confidence and readiness for a real cyber incident. Tabletop exercises should be run by or performed at the direction of experienced counsel to bolster arguments around privilege, promote confidentiality, and enhance realism. They should involve all relevant stakeholders from different functions and levels of the organization and should be conducted regularly (at least annually for a full-scale exercise) and vary in type (such as ransomware, insider threat, lost/stolen device, or business email compromise).

Conclusion

A well-designed incident response plan can help mitigate the impact of a cyber incident on a school, comply with legal and regulatory obligations, and restore trust and confidence in the school.