
Developing the National Cyber Incident Response Plan

By Katherine Teitler

Teach your children

Last week in New Orleans, Louisiana, MISTI held its second annual Threat Intelligence Summit. Event Chair Tim Callahan, SVP & CISO at Aflac, kicked off the event by saying that threat intelligence “is our best defense against our adversaries,” noting that effective, successful security departments are “not hunkered down behind the perimeter” waiting to identify signs of cyber attacks that are few and far between.

Indeed, effective, successful organizations attempt to proactively identify threats and indicators of compromise before they cause serious damage to the victim organization. Even the most robust and mature threat intelligence programs, though, aren’t immune to a breach. As the saying goes: defenders need to protect everything in the organization’s purview, while attackers need to find just one small vulnerability to inflict harm. For this reason, every good threat intelligence program should be paired with an equally healthy incident response program.

You, who are on the road

Dr. Neil Jenkins, Chief of Policy and Planning at the Department of Homeland Security (DHS) National Protection and Programs Directorate (NPPD), addressed this fact in his keynote address. The DHS is the domestic lead for civilian cybersecurity, and the NPPD’s mission is to “protect cyber and critical infrastructure against growing cyber threats and terrorism.” The NPPD’s work, specifically, is focused on providing “a holistic risk management approach for the sixteen critical infrastructure sectors, with unique legal authorities supporting true private-public collaboration.” As a result of this work, Jenkins’s department identified an opportunity to build and offer a framework for a National Cyber Incident Response Plan. Jenkins’s talk (of the same title) shared the genesis of the National Cyber Incident Response Plan (NCIRP) and explained how DHS NPPD is moving beyond previous efforts to assist both private and public sector organizations after a cyber incident has been identified.

Jenkins began his keynote by stating that the department’s goal is to “find the bad guys, understand what they’ve done, help [organizations] get rid of them, and then package up the learned threat intelligence in an anonymous fashion and share it” so that other organizations aren’t starting from scratch or fumbling around an expansive universe of information to find true intelligence and active threat data. In short, the NPPD is building an ecosystem of threat indicators that is actionable and valuable across a wide spectrum of organizations.

“Incidents,” Jenkins explained, “demand a more structured response.” Every (prepared) organization does, in fact, have its own incident response plan, yet no other entity has developed a company-agnostic framework to assist organizations just starting out or those that want to improve upon plans already implemented. While no two companies are alike and each will have to tailor the framework to its specific requirements, all companies can benefit from a plan developed after looking into thousands of incidents across both public and private sectors, one which takes into account the best practices learned during those cyber incidents.

Must have a code that you can live by

The NCIRP, which is now in its final stages before public dissemination (estimated prior to January 20, 2017), operates under five guiding principles first laid out in the Presidential Policy Directive 41 (PPD-41), signed into effect on July 26, 2016:

  1. Shared responsibility between the government and network owner
  2. Risk-based response
  3. Respecting affected entities (i.e., protecting identity and providing confidentiality)
  4. Unity of effort
  5. Enabling restoration and recovery

The Directive further established a “Severity Schema” to help organizations standardize language used to describe incidents and thus formulate an appropriate response based on the real severity of the event.

[Figure: Cyber Incident Severity Schema. Source: DHS NPPD]

And so, become yourselves

Based on PPD-41, the NCIRP formalizes the PPD’s structure and process and provides a “whole community approach for mitigating, responding to, and recovering from a significant cyber incident that impacts critical infrastructure.” Importantly, said Jenkins, the NCIRP is not a tactical or operational plan; it is a strategic framework upon which affected entities can rely when developing incident handling procedures, regardless of company size, industry, geography, or any other defining feature.

Of course it would be easier if someone developed a plan that worked in 100% of cyber incident situations, but security pros know that a one-size-fits-all approach to security is never successful and is not a realistic goal. What the NCIRP does, however, is:

  • Codifies a national coordination process for cyber incident response
  • Clarifies the roles and responsibilities of the Federal government, State and local governments, and the private sector
  • Reinforces the need for strong connections and public-private partnerships
  • Improves coordination, engagement, and working relationships
  • Aligns more closely to the National Preparedness System
  • Fosters stronger relationships between state fusion centers, risk managers, and chief information security officers

Because the past is just a goodbye

The DHS is here to help—whether an affected entity is public or private sector, critical infrastructure or Joe’s Pizza Shop—but the government is not, should not, and could not be involved in every cyber incident. Concurrent lines of effort make it possible for organizations to leverage the government’s help when needed, and when the government is not directly involved in incident handling, the NCIRP outlines a method of sharing threat information in a way that doesn’t pose a further threat to the providing organization.

Many security and threat intelligence practitioners are familiar with their industry’s ISAC or ISAO, and the NCIRP and resulting efforts coordinate an even more significant effort to anonymously share threat intelligence across sectors and benefit cybersecurity teams across the board.
