Incident Response: Protecting Your Agency Before and After a Cyberattack

Posted by Bill Zielinski
on March 10, 2020

As cyberattacks increase in size and frequency, it is important for every agency to protect its network from incidents that can jeopardize the confidentiality, integrity, or availability of an information system. The Office of Management and Budget and the Department of Homeland Security determined that 74 percent of federal agencies participating in their 2018 assessment had cybersecurity programs that were either at risk or high risk.

While an agency can take proactive measures to prevent cyberattacks, an incident may still occur. When a cyberattack or other damaging incident occurs in an agency’s network, reactive measures such as incident response must be taken to preserve the integrity of the information system.

Incident response is the methodology an organization uses to respond to and manage a cyberattack. A data breach or cyberattack can wreak havoc and potentially affect employee security, intellectual property, and agency time and resources. Incident response protocol aims to reduce this damage and recover as quickly as possible.

Incident response protects organizations against four common types of incidents:

GSA’s Highly Adaptive Cybersecurity Services (HACS) Special Item Number (SIN) offers incident response services to help organizations with compromised systems. These services help to determine the extent of the incident, remove the adversary from systems, and restore networks to a more secure state.

HACS incident response services can also be used to proactively plan for future attacks. The benefits of preparing and maintaining an incident response plan helps agencies handle cybersecurity events and minimizes the impact of potential threats while strengthening an agency’s defenses against any future incidents.

Below is an example of an incident response plan:

Incident Response StepAction Taken
Preparation Create an asset list and system baseline.
Detection and AnalysisAnalyze events to determine whether they constitute an incident.
Containment, Eradication, and RecoveryPrevent further damage from an incident, and determine the cause of an incident so that the system can be returned to the previously known neutral state. Restore compromised system to operational status.
Post-Incident ActivityProvide final report of the incident identifying current procedures for efficacy and whether those procedures were followed properly.

Another benefit of the HACS SIN is that the vendors included under the incident response subcategory have passed a technical evaluation and can provide individualized incident response plans. If an agency already has an incident response plan, vendors can evaluate the plan and provide services that adapt to that individualized plan. Vendors use qualified resources to minimize the impact of cyber-attacks and avoid future incidents. Incident response services can also augment agency resources during a large scale incident.

For more information on incident response and how GSA’s HACS SIN can provide your agency with incident response services, please visit the HACS Homepage.

To learn more about the additional services the HACS SIN provides, watch our HACS Overview Video.

Please follow us on Twitter @GSA_ITC and LinkedIn to join our ongoing conversations about government IT.

To get updates for this blog, please sign up on the right-hand side of the page where it says Sign up for Blog Updates.

Continue Reading...