According to the Identity Theft Resource Center (ITRC) annual data breach report in 2023, cyber attacks have approached new highs, with a record number of 3,205 data breaches increasing 72% over the previous recorded high of 1,860 breaches in 2021.
Securing the supply chain for the Defense Industry has been a priority to ensure that organizations who supply the Federal Government have security for systems that process, store, or transmit” Controlled Unclassified Data” (CUI).
Cybersecurity Maturity Model Certification (CMMC) has been the US Federal Government’s approach to securing the supply chain supporting the federal government for a number of years, which expands upon the NIST 800-171, Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations and the Defense Acquisition Regulations System’s (DFARS) 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
With all the data breaches occurring, a focus on the ability to respond to cyber incidents is critical to ensure that the risk of data breaches is minimized. Also, in the event of a data breach occurring, being able to effectively report on the outcomes of the data breach is key to meeting the requirements of the new regulatory frameworks.
CMMC has 3 core requirements for managing cyber incidents within the standard:
3.6.1 Incident Handling
Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Incident Reporting
Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
3.6.3 Incident Response Testing
Test the organizational incident response capability.
These requirements echo the incident handling and reporting requirements of other regulatory regimes, such as the SOCI Act in Australia, Article 55 of the European Union’s GDPR, PIPEDA in Canada, Persona data Protection Act in Singapore, and others.
The CMMC security requirements are principle-based so it’s important to refer to the Discussion section of the requirements, and the related NIST 800-171 requirements for more detail about what capability needs to be implemented.
Incident handling is considered in design considerations of processes and systems
When deploying a new system into the organization’s environment, part of that deployment should include preparation of the incident handling aspects for the system. For example, response playbooks specific to the system need to be generated and these can be put into your case management platform to ensure incident response capability is integrated into operations for the new system.
The system architecture should be documented and integrations developed with security operations systems (SIEM, etc) to ingest logs to support forensic analysis during an incident.
Contact details, and roles and responsibilities for stakeholders such as system owners, business owners, vendor contacts should be documented, and escalation points considered and included for playbooks.
Recommendation: Ensure incident handling is handed over to BAU teams as part of project completion and product acceptance.
Capture of key incident related information
Maintaining records related to incidents, including their status and key evidence is necessary for management of incidents, and identifying incident trends.
In addition, the capture of technical data from multiple sources is necessary for successful incident handling, such as “audit monitoring, network monitoring, physical access monitoring, user and administrative reports, and reported supply chain events”.
Both are necessary for incident response.
While the SIEM has typically been used for capturing audit and network event information from which alerts can be generated and then triaged as incidents, with such a broad range of methods to generate incident information, a loosely-coupled architecture of the SIEM and case management, and other detection systems is useful.
For example, SaaS systems which may not integrate with SIEM, might integrate alerts directly into Case Management systems via email or webhooks. Operational Technology systems such as Building Management Systems can generate alerts
User and administrator reports of security incidents and reported supply chain events can occur via email or ITSM ticketing, depending on whether a cyber attack is recognized as such, or mistaken for a computing bug or issue. Where a cyber attack is not obvious to the end user, such as intermittent computer behavior, it may be reported to Service Desk as an IT incident, before being triaged as a cyber incident.
Integrating case management platforms with both ITSM and email for cyber incidents is critical for user generated reports, and to correlate against system generated telemetry for incident handling.
A case management platform that is segregated from the internal IT operating environment, in particular authentication systems and the ITSM itself, is also useful to prevent a data breach compromising the incident handling system.
Recommendations:
Implement a dedicated case management system for incident handling.
Segregate incident handling systems from other systems and dependencies.
Collaboration a critical success factor incident handling
The early stages of incidents can often involve only 1 or 2 people. The further that an incident progresses into a data breach, the number of people involved can increase considerably, sometimes in the 10s of people depending on the severity of the breach. CMMC mentions “mission/business owners, system owners, authorizing officials, human resources offices, physical and personnel security offices, legal departments, operations personnel, procurement offices, and the risk executive”.
The ability to collaborate is challenging. Platform proliferation to support collaboration amongst different user groups during an incident is a key cause of friction and information loss during incidents.
This can include, for example, evidence gathering and retention on ticketing platforms, decision making and coordination on messaging apps, and out of band communications via videoconferencing or phone calls.
Having a platform to manage cyber-incidents that can have relevant information to each group in a timely and frictionless way can remove barriers to coordination and collaboration.
Recommendation:
Ensure key organizational groups can collaborate effectively on incident handling.
Tailor incident response training to roles
The Security Operations Center alone cannot identify and mitigate all incidents affecting the organization. Incident response requires a whole of organization contribution to reduce the impacts of threats. Incident handling training therefore must not be limited to just security teams. During large incidents, business leadership roles and other technology teams will be involved and they need security incident response training as well.
This can be accomplished by training personnel on how to recognize and report an incident, such as phishing attacks for all roles.
Further training should be developed for roles supporting incident responders, such as system administrators and engineers on secure backup and recovery, helpdesk, and non-technical staff such as human resources, executives, and public relations personnel.
Simulation exercises (tabletop, cyber range, red team) provide an excellent opportunity to provide contextually rich training for each of the roles involved.
Where possible, use current incident response plans and production playbooks so that training is up to date and relevant to the environment.
Recommendation:
Develop and implement incident training based on roles within the organization.
Incident reporting for regulatory needs and constant improvement
Incident reporting within the organization is critical to understanding the threat environment and risk exposure, and monitoring the organization’s operational capacity to respond to cyber attacks. Incident reporting is also important to meet regulatory requirements for data breaches
In order to achieve both of these, a record of the incidents that have occurred, their characterisation, and the effectiveness of the response to the incidents. Operational monitoring and incident response activities need to collect sufficient information to generate metrics that represent both risk exposure and operational capacity.
Timeliness of the reporting depends on the availability and quality of the incident data.
Recommendation:
Ensure sufficient data capture to generate reporting on risk exposure and operational capacity.
Incident response testing to validate incident response processes
The use of tabletop exercises, walkthroughs, and simulations can serve to improve incident response within the organisation, and identify any gaps in the incident response plan and associated playbooks.
To obtain further validation of security controls and tie in the plan and playbooks with those controls, Purple team or Attack simulation tools can be used to test protection and detection controls, and Red team testing can validate operational effectiveness of protection, detection and response controls.
The challenge is to operationalise the lessons learned from the exercises so that day to day incident handling is up to date with the latest doctrine identified in the testing, and any deficiencies remediated.
A case management platform with built in incident response plan and playbooks can ensure that, during incident testing, the order of operations is followed and the effects of following the playbooks understood.
Recommendation:
Operationalise lessons learned from incident response testing.
References:
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
https://dodcio.defense.gov/CMMC/Model/