7. Develop a cyber security incident response plan for an organisation (AC 2.4)

For this question I'll do two fictitious companies and their IRPs: a simple one and a more involved one.

First scenario: a company called Martin's Fruit. It delivers fresh fruit and vegetables to customers in the area. It has about 20 employees and about 600 regular customers. The company owner, Martin, is very concerned with the privacy of his customers. He was worried that customer data such as addresses, phone numbers and emails would fall into the wrong hands, and decided to hire Cyber Solutions Inc. to ease his mind regarding cyber attacks. This is the IRP.pdf that Martin and everyone within the company has access to:

Title: Cyber Security arrangements - Incident Response Plan
Version: 1.0
Date: March 2025
Reviewed: March 2025
To be reviewed: March 2026
Classification: Public

Key Contacts

In the event of a suspected security breach:

Step 1: If detected by Cyber Solutions Inc., the company will notify Martin's Fruit immediately, initially by contacting the owner. Contact should be attempted in the following order:
- Owner - Martin Zadek - martinzadek@martinsfruit.com - 07901 640 879
- Co-owner - Shelby Zadek - shelbyzadek@martinsfruit.com - 07902 001 025
- Administrator - Joe Flumpa - Joeflumpa@martinsfruit.com - 07859 568 0413
In the event that no-one can be reached within thirty minutes, Cyber Solutions Inc. is authorised to take whatever remedial action is required in its view to close down the breach and limit any damage.

Step 2: If detected by Martin's Fruit, the company will notify Cyber Solutions Inc. immediately, during business hours (08:00 - 18:00) by telephoning the company's office on 020 4598 2087. If there is no response, or if the issue occurs out of hours, the following individual(s) should be contacted:
- Loui Vampa - 078987 528 465
- Monte Christo - 07772 318 220

Key Information

If staff have no access to the office systems, a service such as Google Docs should be established to allow data and documentation to be gathered, recorded and shared. Staff will be able to use personal devices and email to access these. Keeping a careful record of the incident response, decisions made, actions taken, and data captured (or missing) is essential for post-incident reviews. This is especially true if evidence of our response is required by the regulatory body.

Regulatory requirements

If required, the owner, Martin Zadek, will ensure that the breach is reported to the relevant regulatory authorities:
- Fraud and Cyber Crime: if the breach involved fraud or cybercrime, the National Fraud and Cyber Crime Reporting Centre should be notified via the Action Fraud website.
- GDPR: if it is a personal data breach under the General Data Protection Regulation, the ICO (Information Commissioner's Office) must be notified.
- National Cyber Security Centre: if there is malicious cyber activity it can be reported (either for information or for action).

____________________________________________________________________________________________

The second scenario is for an organisation called Cyber College (CC), a learning institution dedicated to teaching everything Cyber. They have over 1,600 staff members and about 15,000 students.
Step 1: Upon discovering the incident, contact the Incident Response Team. These emergency contact details are available 24/7:
- Pierre Morrel: 07592 366 985, 01335 032 356, incidentresponseteam@cybercollege.edu
- Lucien Debray: 07597 369 963, 01335 032 358, incidentresponseteam@cybercollege.edu
- Emmanuel Herbault: 07856 386 024, 01335 032 357, incidentresponseteam@cybercollege.edu
The IR team will log these details:
- Your name and the time of the call
- Your contact information
- The nature of the incident
- What equipment or persons were involved
- Location of the equipment or persons involved
- How the incident was detected
- When the event that supported the idea that the incident occurred was first noticed

Step 2: The IR team member who receives the call or has discovered the incident will add the following information and relay it to the IR manager:
- Is the equipment affected business critical?
- The severity of the potential impact (refer to Step 4)
- Name or type of system being targeted, along with operating system, IP address, and location
- IP address and any information about the origin of the attack

Step 3: The contacted IR team will discuss the incident and determine how serious the issue is. They need to consider:
- What type of incident is this? Virus, worm, intrusion, abuse, damage
- Can the incident be quickly contained?
- Is the incident inside the trusted network?
- Will the response alert the attacker, and is that an issue?
- What systems are targeted?
- Is the incident still in progress?

Step 4: After the discussion, refer to this chart to determine the severity of the incident. The incident will be assigned a threat level, either:
- Low threat: minimal, if any, impact; one or two non-sensitive/non-critical devices affected; fewer than 10 percent of non-critical staff affected.
- Moderate threat: 20% of staff unable to work; possible breach of small amounts of non-critical sensitive data; low risk to reputation; small number of non-critical systems affected with known resolutions.
- High threat: 50% of staff unable to work; risk of breach of personal or sensitive data; non-critical systems affected, or critical systems affected with known resolution; some financial impact; potential serious reputational damage; potential regulatory involvement.
- Critical threat: majority of staff unable to work; critical systems offline with no known resolutions; high risk to or definite breach of sensitive client or personal data; financial impact; severe reputational damage, likely to impact the business long term.
Depending on the severity of the incident, do the following:
- Low threat: create a ticket and assign remediation.
- Moderate threat: create a ticket and assign remediation; notify the IGO and IHT.
- High threat: initiate full CSIRT; involve the IGO and IHT.
- Critical threat: initiate full CSIRT, IGO and IHT. Consider activation of the Disaster Recovery Plan.
IGO = Information Governance Officer
IHT = Incident Handling Team
CSIRT = Cyber Security Incident Response Plan

Step 5: The Incident Response team will follow the appropriate procedure, basing their response on the incident assessment:
- Virus response
- Spyware response
- Database or website DDoS response
- Property theft response
- System abuse response
- Inactive intrusion response
- Active intrusion response
- System failure response
If none of these response procedures are applicable to the current threat, please document what is being done and later establish a procedure for the incident.

Step 6: Team members will use forensic methods to determine the cause of the incident. This may include analysing system logs, identifying gaps in logs, reviewing intrusion detection records, and interviewing witnesses and the incident victims to determine how the incident was caused. Only those authorised should be performing these interviews or examining evidence. Authorisation of personnel to conduct these interviews and examinations depends on the severity of the incident.
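As an added example (not part of the IRP above, nor tooling from Cyber College or Cyber Solutions Inc.), here is a small Python script for one of the Step 6 checks, identifying gaps in logs. It reads timestamped lines, flags any silence longer than the interval the host is expected to log at, and flags entries whose timestamps run backwards, which an append-only log should never show. The log lines, the host name, the 5-minute heartbeat interval and the ISO 8601 timestamp format are all constructed assumptions for this example.

```python
"""Added example: checking a log file for silent gaps and out-of-order entries,
as part of the log analysis described in Step 6 of the Cyber College IRP.
The sample log lines below are constructed for this example."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log (not from a real system). The host is assumed to emit a
# cron "heartbeat" at least every 5 minutes, so any longer silence needs explaining.
SAMPLE_LOG = """\
2025-03-10T09:00:00 host1 sshd[812]: Accepted publickey for alice from 10.0.0.5
2025-03-10T09:04:30 host1 cron[901]: (root) CMD (heartbeat)
2025-03-10T09:09:10 host1 sshd[812]: session opened for user alice
2025-03-10T09:13:55 host1 cron[933]: (root) CMD (heartbeat)
2025-03-10T09:52:00 host1 sshd[990]: Accepted password for admin from 203.0.113.7
2025-03-10T09:50:00 host1 sudo[995]: admin : TTY=pts/1 ; COMMAND=/bin/bash
2025-03-10T09:54:30 host1 cron[1002]: (root) CMD (heartbeat)
"""

Entry = Tuple[datetime, str]


def parse_entries(text: str) -> List[Entry]:
    """Pair each non-empty line with the ISO 8601 timestamp it starts with."""
    entries: List[Entry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp = line.split(" ", 1)[0]
        entries.append((datetime.fromisoformat(stamp), line))
    return entries


def find_gaps(entries: List[Entry], max_silence: timedelta) -> List[Tuple[str, str, int]]:
    """Return (line_before, line_after, gap_seconds) for every pair of consecutive
    lines whose timestamps are further apart than max_silence."""
    gaps: List[Tuple[str, str, int]] = []
    for (t_prev, l_prev), (t_next, l_next) in zip(entries, entries[1:]):
        gap = t_next - t_prev
        if gap > max_silence:
            gaps.append((l_prev, l_next, int(gap.total_seconds())))
    return gaps


def find_out_of_order(entries: List[Entry]) -> List[str]:
    """Return lines stamped earlier than the line written before them. A log file
    is append-only, so a backwards jump points to a clock change or to lines that
    were inserted or rewritten after the fact."""
    return [l_next for (t_prev, _), (t_next, l_next) in zip(entries, entries[1:])
            if t_next < t_prev]


def analyse_log(text: str, max_silence_minutes: int = 5) -> Dict[str, list]:
    """Run both checks and return the findings for the incident record."""
    entries = parse_entries(text)
    return {
        "gaps": find_gaps(entries, timedelta(minutes=max_silence_minutes)),
        "out_of_order": find_out_of_order(entries),
    }


if __name__ == "__main__":
    findings = analyse_log(SAMPLE_LOG)
    for before, after, seconds in findings["gaps"]:
        print(f"GAP of {seconds}s between:\n  {before}\n  {after}")
    for line in findings["out_of_order"]:
        print(f"OUT OF ORDER: {line}")
```

On the sample data the script reports one 38-minute silence ending with a password login from an outside address, and one sudo entry stamped before the login that preceded it. Both are leads for the Step 6 interviews and the IDS review rather than proof of tampering: a reboot, a log rotation or an NTP correction can produce the same pattern, which is why the finding and its explanation both belong in the Step 10 record. Real syslog uses a different timestamp format, so parse_entries is the one function to adapt.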
Step 7: Team members will recommend security measures to be implemented to prevent the same incident from happening in the future.

Step 8: Pending management approval, implement these changes.

Step 9: Restore affected systems to a clean state. Depending on the severity of the threat level, do any or more of the following:
- Re-install the affected system(s) from scratch and restore data from backups if necessary. Preserve evidence before doing this.
- Make users change passwords if passwords may have been compromised.
- Be sure the system is fully patched.
- Be sure real-time anti-virus protection and IDS are running.
- Be sure the system is logging the correct events and to the proper level.

Step 10: What needs to be documented:
- How the incident was discovered
- The threat level of the incident
- The threat vector: social engineering, firewall, weak credentials, etc.
- IP addresses and other related information about the attacker
- What the response plan was
- What was done in response
- Whether the response was effective

Step 11: Evidence preservation: copies of logs, emails, and communication must be saved. Keep a list of witnesses. Evidence should be kept for as long as necessary to complete prosecution, in case of an appeal.

Step 12: Notify the proper external agencies:
- National Fraud & Cyber Crime Reporting Centre: actionfraud.police.uk
- Information Commissioner's Office: ico.org.uk
- National Cyber Security Centre: report.ncsc.gov.uk

Step 13: Assess damage and cost. Estimate the damage to the organisation and the cost of the containment efforts.

Step 14: Review the response and update policies. Use this incident to learn about the vulnerabilities of your organisation and strengthen your defences. Take preventative steps so the intrusion can't happen again.
- Consider whether an additional policy could have prevented the intrusion.
- Consider whether a procedure or policy was not followed which allowed the intrusion, and whether it could be changed to prevent an incident in the future.
- Was the incident response appropriate? How could it be improved?
- Was every appropriate party informed in a timely manner?
- Were the incident response procedures detailed, and did they cover the entire situation? How can they be improved?
- Have changes been made to prevent a re-infection? Have all systems been patched, systems locked down, passwords changed, anti-virus updated, email policies set, etc.?
- Have changes been made to prevent a new and similar infection?
- Should any security policies be updated?
- What lessons have been learned?
