Cybersecurity Incident Management and Response Guide

min read

Ensuring that your entire team understands what actions to take can make an important difference in how—and how quickly—your institution emerges from an incident.

clipboard with a checklist
Credit: Diyajyoti / Shutterstock.com © 2024

Incident management and response are crucial elements of any cybersecurity program. Every incident provides lessons and opportunities for improvement, and higher education leaders should never assume that similar incidents won't happen again. This guide covers what to do before, during, and after an incident to ensure your institution is resilient through effective response, recovery, and continuous improvement.

Before an Incident

  1. Develop an Incident Response Plan: Develop a detailed incident response plan that outlines the procedures for detecting, reporting, and responding to security incidents. This plan should include steps to contain the incident, investigate the root cause, and restore normal operations.
  2. Establish an Incident Response Team: Establish a team of trained professionals who can respond quickly and effectively to security incidents. This should include individuals from various departments, such as IT, security, legal, and communications. FEMA offers free courses and certification exams through its Emergency Management Institute Emergency Management Institute: National Incident Management System (NIMS), where your team can find preparedness training and certifications and also obtain ongoing professional CEU's.
  3. Conduct Regular Incident Response Training: Regularly train members of the incident response team and other relevant staff on incident response procedures so they are prepared to respond quickly and effectively.
  4. Practice Incident Response Scenarios: Conduct regular incident response exercises and tabletop simulations to test the incident response plan and identify areas for improvement.
  5. Establish Templates and Tools: Ensure you have the appropriate templates and tools for communication and reporting. Consider "out of band" communications so that you have alternate ways to communicate with key stakeholders and your institution if your primary mechanisms are not available or are compromised.
  6. Establish Partnerships with Relevant Stakeholders and External Parties: Incident response is not a solo exercise—it takes engagement, coordination, and cooperation with many stakeholders and external parties. Make sure you have established relationships and know how to contact stakeholders across the campus. Partners in campus safety and emergency/crisis management are essential and likely have tools and processes that you can leverage. Also ensure you know how to engage with relevant law enforcement, regulatory bodies, and insurance carriers. Knowing upfront who these people and organizations are and how to engage with them will make things easier during an incident.

During an Incident

Now that an incident has occurred, ensure all participants are following the steps that have been outlined in your plan. By following these steps, the institution can minimize the impact of an incident, restore normal operations as quickly as possible, and improve its overall security posture.

  1. Incident Identification and Reporting
    • All incidents should be reported immediately to the IT department or the incident response team identified in your incident response plan. Reporting responsibilities and "notification chains" should be shared widely within potential response teams, posted in visible locations, and updated for correct mobile phone numbers and contact info at least annually. 
    • Incidents can be reported by email, phone, or any other well-understood and easily accessible system. There should be multiple points of contact and redundancies to avoid a single point of failure. 
    • Any employee who identifies an incident should document the details of the incident, including the date, time, location, and any other relevant information.
  2. Incident Triage
    • The incident response team evaluates the incident to determine the scope and severity of the incident.
    • The team will classify the incident based on the severity and the potential impact to the institution.
    • The team will determine the appropriate level of response based on the classification of the incident.
  3. Incident Containment
    • The incident response team will take immediate action to contain the incident and prevent further damage.
    • The team will disconnect affected systems from the network, shut down affected systems, disable accounts, or take other appropriate actions to limit the spread of the incident.
    • The team needs to have both the technical ability and the appropriate privilege/permissions to take whatever action is deemed necessary, including possibly shutting down the entire system, breaking off internet connectivity, or other extreme response.
  4. Incident Analysis
    • The team will collect and preserve evidence related to the incident for further analysis and investigation.
    • The team will determine the scope and impact of the incident, including any data that may have been compromised or stolen/exported/downloaded.
  5. Incident Response
    • The incident response team will develop a response plan based on the severity and impact of the incident.
    • The team will communicate with internal stakeholders, including senior management, IT staff, end users, and external entities including law enforcement, insurance carriers, and any third-party firms or providers engaged around security. The team will share details about the incident and the steps being taken to resolve it.
  6. Incident Recovery

    The incident response team will work to recover from the incident and restore normal operations. This involves restoring affected systems and data and minimizing the impact on the institution.

    In addition to following the "During an Incident" steps listed above, other important actions include:

    • Ensure the threat has been eradicated from all systems and gradually restore the affected systems from their backups. 
    • Look to patch critical systems and vulnerabilities, ideally using a risk-scoring system to enable addressing the highest-value patches to implement. 
    • Try to identify any gaps in your security posture to see if there is budget and capacity to evaluate and later implement any security tools that might have helped prevent the attack, understanding that the solution isn't always more tools and that security teams can be overwhelmed by having more tools and more warnings and risk indicators than they can respond to.

Templates and Checklists

Cybersecurity and Infrastructure Security Agency:

Environmental Protection Agency:

Federal Emergency Management Agency (FEMA)

National Institute of Standards and Technology

Office of Information Security and Health Sector Cybersecurity Coordination Center:

After an Incident

The following actions should occur as soon as possible after the incident response phase.Footnote1 These activities may occur in tandem with incident recovery actions.

  • Perform an "after action" review with participants in the incident response plan to identify root causes and opportunities to improve the overall security posture of the institution, prevent recurrence, enhance detection, and improve future response actions.
    • Make this mandatory after a major incident and perhaps also for less severe incidents, with the goal of improving security as a whole and incident handling in particular. 
    • Involve people from across the organization as necessary, and make a particular effort to invite people whose support will be needed during future incidents.
    • During the review, discuss and define next steps around the following:
      • What happened and when
      • How well the response team performed
      • Whether documented procedures were followed
      • Whether those procedures were adequate
      • What information was missing when it was needed
      • What actions slowed recovery
      • What could be done differently
      • What can be done to prevent future incidents
      • What precursors or indicators can be looked for in the future
  • Share precursors or indications of compromise through trusted channels like REN-ISAC, CLAC, and EDUCAUSE forums. This can help other institutions prevent and detect similar incidents.
  • Implement any necessary changes to policies, procedures, or technical controls to prevent similar incidents from occurring in the future.

Final Considerations

Every incident provides lessons and opportunities for improvement. As part of improving your security culture, share a summary of indicators or information about the incident with the entire institutional community (unless legal, privacy, security, or other legitimate concerns would be compromised by that sharing). Whenever possible, you might want to share a summary of indicators with external parties such as REN-ISAC. Also, be sure to avoid any blame or shame during your after-action discussions.

Threat actors will try to exploit what they know worked previously. Higher education leaders should not assume that similar incidents won't happen again.

Note

  1. See also Charlie Sander, "After a Cyber Attack: Dos and Don'ts for Higher Education IT Staff," Campus Technology, May 10, 2023. Jump back to footnote 1 in the text.

Christine Whalley is Chief Information Security Officer at Amherst College.

Matt Kenslea is Business Development Director for Networking and Security–Higher Education at Lumen Technologies.

Asha Ramachandra is Director of IT Strategy at California State University, Channel Islands.

Steve Fletcher is Cybersecurity Analyst at the University of Illinois at Urbana-Champaign.

© 2024 Christine Whalley, Matt Kenslea, Asha Ramachandra, Steve Fletcher. The content of this work is licensed under a Creative Commons BY 4.0 International License.