In our last entry on the NIST Framework, we talked about the Detect Function, its importance, how to implement it, and how it flows into the Respond Function. Here, our topic is the NIST Cybersecurity Framework Respond Function. The ability to respond effectively to any cybersecurity threat, or potential threat, is critical for Pennsylvania businesses to succeed and thrive.  

While Pennsylvania is not unique in its cybersecurity needs, its businesses do carry a greater than usual cybersecurity burden compared with businesses in most areas, for at least two reasons. The first reason is that Pennsylvania businesses face a statistically high level of risk compared to businesses in other areas.  

The reasons for this can only be speculated upon. It could be due to socio-economic forces or to the positioning of the PA business community relative to the local banking structure. Another factor placing PA businesses at particularly high risk is the elevated regulatory burden placed on them.  

The laws protecting the data privacy of consumers while engaging in online purchases place a special burden on business owners. If a customer’s data is compromised while it moves through your servers, for example, it is very much like a person being injured while they are on your property.  

Unfortunately, it is even more difficult to prove that you are not responsible for an adverse cyber event than it is to prove that a person injured himself and that you are not truly responsible. The Pennsylvania state government has taken strong steps to protect the consumer first, placing an especially high burden on vendors. 

For these and other reasons, we take the NIST recommendations especially seriously in Pennsylvania. Of course, small businesses are even more vulnerable because of the smaller resources at their disposal relative to large businesses.  

While even massive, multinational corporations have been crippled by the repercussions of data compromise, Pennsylvania small businesses are still much more vulnerable. This means proactive cybersecurity is of the utmost importance to PA SMBs. 

What Is The “Respond” Function of NIST’s Cybersecurity Framework? 

The Respond Function is directly related to and flows from the Detect Function. The Detect Function is designed to set the Respond function into action, enabling organizations to mount a quick and effective response to adverse or unusual activity affecting their own data or that of the people they serve. 

According to NIST, the Respond Function is described as follows: “The Respond Function includes appropriate activities to take action regarding a detected cybersecurity incident. The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.” 

Falling chronologically between the Detect and Identify functions, the Respond Function only describes actions and equipment sufficient to respond to an as-yet-unidentified threat or event. Because the Respond Function comes before the Identify Function, it will usually be best optimized for the deployment of an overwhelming data protection force. 

Consider, as an example, a 911 call about something dire in which few details are offered. It could be a child kidnapping or an armed assault with many bystanders, but few to no details are given. The authorities don’t know how badly the victims have been harmed. They don’t know how many assailants there are or how well-armed or otherwise dangerous they might be. In such a case, you would expect a bevy of squad cars, well-armed officers, medical responders, and maybe even SWAT to be deployed. You may have noticed, moreover, that almost any time police are called, they initially show up in numbers that exceed the needs of the actual event.  

Well, in the same way, the Respond Function should be optimized to respond with more resources than the actual event requires. When the time comes for you to set up, integrate, and customize the Respond Function for your organization, you are advised to do so with similar intentions in mind. After your cybersecurity assets have been in place for some time, you may scale them back to save time and resources. But a strong initial response is always recommended, nonetheless. 

The Respond Function of the NIST Framework is part of a five-pillar strategy offering guidance to organizations of all kinds on how to organize and understand cyber threats and cyber defense. The function and objectives of Respond focus on incident management, analysis, and mitigation. 

Key Outcomes Of The “Respond” Function 

The NIST Framework sets down the outcomes that organizations can expect from the full and proper implementation of the Respond Function in five key examples. These examples cannot be fully or technically comprehensive.  

But with experience, you will likely find that they cover almost all imaginable use cases for this component of the Framework. NIST lays out the provided outcome categories as follows: 

  • Execution Assurance – Ensuring Response Planning processes are executed during and after an incident 
  • Communications Management – Managing Communications during and after an event with stakeholders, law enforcement, and external stakeholders as appropriate 
  • Analysis – Analysis is conducted to ensure effective response and to support recovery activities, including forensic analysis and determining the impact of incidents 
  • Activity Mitigation – Mitigation activities are performed to prevent the expansion of an event and to resolve the incident 
  • Improvement Implementation – The organization implements Improvements by incorporating lessons learned from current and previous detection/response activities

Because every business and organization is unique, you are likely to find that these outcomes miss something that you need or expect from them. This should not be a matter of excessive concern, but it is something you should be aware of. Pay close attention to your real-life needs and compare the provided outcomes against them, with the goal of finding gaps that the provided outcomes do not cover. Even if you fail to find any such gaps, that does not mean they do not exist. Therefore, persistence in this endeavor is strongly recommended. 

How “Respond” Aligns With The Other NIST Framework Functions 

Looking through the outcomes, you may have noticed that the Respond Function is expected to cover a little bit of each of the other functions’ capabilities as well.  

For a start, Respond function activities are expected to be executed both before and after an incident. By responding before, we mean readiness, much in the same way that security guards and first responders are always ready for action. This readiness requires constant activity. So, in this way Respond is always active. 

Secondly, communications are expected to be especially active during Response activity. While that communication is happening, the other four functions are also simultaneously active. We will discuss this further in subsequent discussions of the five NIST functions. 

Next, we find that the analysis features of the Respond Function are commensurate with those of Identify, Detect, and Recover. In the next phase, we see that the mitigation functions of Respond are commensurate with the activities associated with the Recover and Protect functions. 

Finally, the aspects of Respond that are aligned with improvements are directly correlated with the Recover Function. Therefore, we may observe that the five functions are holographic. That is to say that each contains the essence of all (or at least most) of the others. Much like DNA, the whole Framework could be reconstructed from just one of its parts. While this point is academic, it illustrates just how robust the Framework is, demonstrating its value and the painstaking work that has gone into crafting it. 

The Respond Function in Action 

In a real-life cyber incident in Pennsylvania, we can expect the Respond Function to work in predictable ways. Consider, for example, an online customer who interacts with your customer service department using a compromised email attachment.  

In this instance, the first thing that should raise an alarm is when an employee allows an unknown attachment from an untrusted source to be downloaded. Of course, this should never happen. Your team should be well-trained cross-organizationally to know that this is far from a best practice.  

Still, assuming this has already taken place, the activity of the malware should be detectable almost immediately. You will see unusual activity in the form of hijacked files, ransom demands, or erroneous machine behavior, for example. Once something fitting this description takes place, the Detect Function should be triggered and the Respond Function should simultaneously swing into action.  

From there, measures should be taken to protect both compromised and non-compromised data and assets. Systems should be shut down, disconnected, and backed up (if they are not already backed up), and Identify processes should be immediately forthcoming. Of course, an incident like this can happen anywhere in the world. But for businesses in Pennsylvania, we have even more reason to worry.  

This is because if the offending malware infected, or is believed to have infected, the customer while they were in contact with your digital assets, you may be held liable. For this reason, it is of the utmost importance that your Detect and Respond processes be in constant motion, always ready to leap into activity and defend critical data. 

Incident Management: Best Practices For Small Businesses In Pennsylvania 

No matter what the nature of the threat, anomalous event, or attack, the NIST Incident Response Guidelines give us clear recommendations to follow. They are: 

  1. Planning & Preparedness – Of course, these should always be in place, subject to optimization processes, and active. 
  2. Detection & Analysis – Detection processes, likewise, should always be in action. Any and everything that is detected, whether it is significant or not, should be the subject of review and analysis. In so doing we not only remain vigilant, but we also gain the ability to streamline and optimize our processes for efficiency and effectiveness. 
  3. Containment, Elimination, & Recovery – Once a true threat is detected, we want to contain it. That is to say, we want to cut off access by harmful actors and elements to additional data, devices, and access points. Once the threat is isolated, we want to remove or destroy it. Finally, we want to repair the access point used by the attacker to enter our system. We want to restore assets, recover costs, and repair systems. 
  4. Debriefing & Review – Once this is done, it is time to understand what happened and conduct training. We want a full analysis of the threat, the vulnerability that was exploited, and the type and scope of the damage done. 
  5. Discussion & Coordination – Once these things are understood, we want our team members to discuss their experience with the breach, review what they could have done differently, and share what they did well. Then we want to make these right actions repeatable across personnel and instances and eliminate the likelihood of repeating our mistakes. 
  6. Incident Response Improvement – Finally, we want to take all of these lessons and use what we have learned to make our systems more resistant to attack and our people more alert to danger. 

Ensuring Resilience and Preparedness In Your Cybersecurity Strategy 

Here, we have seen several reasons why, and ways in which, the Respond Function can and should be taken seriously. We have learned that it contains all or most of NIST’s most critical functions, at least in part. 

As you try to integrate and customize the NIST Framework for your Pennsylvania Small Business needs, we recommend using the Functions in the order and in the way NIST recommends. However, as you work to customize it to your needs, you may find the Respond Function taking precedence. If you have any questions, reach out to Graffen, we’re always happy to help!