A weekend in Incident Response #8: How to Prepare for the Updated US-CERT Cybersecurity Notification Guidelines
The United States Computer Emergency Readiness Team (CERT) has announced that it will implement new cybersecurity notification guidelines, which are going to have a significant impact on how government agencies and organizations from the private sector deal with cyber incidents.
As the US-CERT states, the new guidelines will impose new requirements regarding notifications on cybersecurity incidents, that must be complied with by all Federal Departments and agencies; state, local, tribal, and territorial government agencies; along with private-sector organizations, and Information Sharing and Analysis Organizations. The cybersecurity notification guidelines will include a specific procedure involving how, when, and who the covered entities will be required to notify after they detect an incident within their organizations.
Identifying Incidents Through a Seven-Step Process
According to the guidelines, in order for an agency to be able to notify the CERT of an incident properly, it will have to complete a process consisting of seven steps. For starters, the agency must identify the current level of impact an incident has on its services or functions. Then, identification of the type of information lost, compromised, or corrupted, is required. This step should be followed by an estimation of the scope of time and resources that an agency will have to spend in order to recover from the incident.
Next, agencies should identify when the activity was first detected, after which they will be required to identify how many systems, records, and users have been impacted. The final two steps are the identification of the location of the network the activity was observed in, and identification of the point of contact information for additional follow-up.
After completing the above-named steps, agencies will have to submit the notification to the US-CERT, with a specific set of information that is required to be included in the notification, such as:
- Information on the attack vector(s) that lead to the incident
- Indicators of compromise
- Information related to any mitigation activities that the agency has taken in response to the incident
Incident Response Platforms
In order to be able to comply with the new requirements regarding cybersecurity incident notifications, organizations are advised to employ a cybersecurity platform that provides a comprehensive and automated incident and forensic case management.
A platform that provides you with a set of playbooks specifically tailored to many potential cyber threats. Your organization can save a great deal of time and resources by using a tool that can create automated incident reports and send them to your cybersecurity team, a process which would be in compliance with the new US-CERT guidelines.
Considering that the cybersecurity incident notification process under the new cybersecurity notification guidelines is extensive and can be challenging for some organizations that do not have the resources or the knowledge necessary to complete it, acquiring a platform that can do all the required steps for you is the best solution for all entities covered by the guidelines. This is where a platform containing prioritized workflows designed to help your business respond to current threats and prepare your cyber defense systems for future threats, which are bound to occur eventually, can come in handy. Finally, considering the upcoming US-CERT guidelines, every private-sector organization and government agency could use a platform that can track digital evidence and entire investigative processes, as some of the key steps that should be performed when notifying authorities of an incident.