Practice Makes Perfect For Incident Response

When a cyber security incident is detected, recovery can be stressful, messy, expensive and time-consuming. One of the biggest surprises for anyone who has never been involved in an incident response before is how many different stakeholders need to be involved and coordinated, and therefore how many considerations need to be accounted for in the decision-making process.

Clearly, this means that good teamwork is critical if recovery from an incident is to be effective and enduring. Yet it is tempting, especially in smaller organisations, to think of incident response as a purely technical discipline.

It is easy to assume that the “incident response team” is the Security Operations Centre or helpdesk teams and their chain of command. After all, they are the people with access to the logs, monitoring tools and technical controls, and they are responsible for raising the alarm when something unusual happens.

These technical experts certainly need to be relied on to diagnose network intrusions, identify impacted systems and trace activity back through log files. Their input is crucial for understanding, for example, which systems have been impacted in an incident, how long an intrusion has been going on and what data and operational systems might be affected.

Technical response teams continuously improve their capabilities. They ingest intelligence about threat actor tactics, improve the coverage of their tooling and tune their alerting. Their daily tasks - managing alerts and tickets - mean that they tend to hold a good understanding of their technology and capabilities. That is not to say technical teams consistently operate optimally – there are always ways in which they can improve their coverage, playbooks and processes – but overall, technical responders will be aware of their responsibilities when it comes to cyber security incidents. They generally know how they will go about identifying incidents and achieving short-term technical containment.

The Tip Of The Iceberg

But when a cyber security incident hits, the technical response is only the tip of the iceberg. There are numerous stakeholders who need to be involved in a cooperative, collaborative effort to contain the incident and recover. In the absence of good preparation and briefing, a cyber security incident may well be the first time these stakeholders have worked together to solve a complicated business issue.

In many organisations – especially medium-sized enterprises – technical teams also tend to operate in silos. All too often, we see that cyber security is not the primary concern for the other business stakeholders.

A cyber security incident can impact the operation of any and all business functions. Systems might be disabled by the intrusion itself, or you may need to disable services or take whole segments of the network offline to properly triage and limit damage.

To understand whether certain technical response options are viable, the technical team must have input from business function owners about any impact certain responses may have on business operations. 

Input will be needed from finance teams about any potential financial consequences of actions. Legal teams need to understand and communicate the impact on contractual and regulatory obligations.

When a cyber security incident hits, it is also essential to understand when and how to communicate with external impacted parties.

There are a host of questions to ask, including: 

  • If customer data is impacted, what is the customer communication strategy? 
  • Where personal data may be compromised, what is the process for informing the Information Commissioner's Office (ICO), and can the 72-hour notification deadline under UK GDPR be met? 
  • What contractual obligations are there to external parties in relation to incident reporting? 

Marketing and communications teams, along with legal representatives, need to be heavily involved in making these decisions.

In any pressured situation, being practiced and prepared removes a lot of the stress and makes people more effective. 

When an emergency is handled as a team, a response is calmer and more efficient when everyone understands their roles and responsibilities, knows the other people in the team and knows how they operate. The last thing anyone wants when a cyber security incident happens is for this to be the first time stakeholders have read the incident response plan to understand what is expected of them. Practice is the only way to make perfect.

Time To Exercise

Tabletop exercises for cyber security incident response are invaluable. When run regularly, and across varying scenarios, they allow organisations to bring together technical response teams with key business stakeholders such as legal, marketing and communications personnel. 

A tabletop exercise is important in a very practical sense - it gives people experience in making impactful emergency decisions and helps them understand their incident responsibilities. 

Such exercises can also be an excellent opportunity for stakeholders who rarely interact to build connections and relationships outside of an emergency. When the worst does happen, those relationships help incident response teams to communicate more effectively. This not only saves time but may well mean the difference between good containment and incomplete recovery.

Any organisation not already running tabletop simulations for cyber security incidents should consider making them part of its processes. And when running tabletop simulations, it is important not to focus solely on the technical aspects of containment and recovery. Make sure to identify and include as many of the required business stakeholders as possible.

Gemma Moore is Director at Cyberis

Image: stuartmiles99
