Practice Makes Perfect For Incident Response

Uploaded on 2024-11-22 in TECHNOLOGY--Resilience, FREE TO VIEW

When a cyber security incident is detected, recovery can be stressful, messy, expensive and time-consuming. One of the biggest surprises for anyone who has never been involved in an incident response before, is how many different stakeholders need to be involved and coordinated, and therefore how many considerations need to be accounted for in the decision-making process. 

Clearly, this means that good teamwork is critical to ensure recovery from an incident is effective and enduring. Especially in smaller organisations, it is tempting to think of incident response as a purely technical discipline.

It is easy to assume that the “incident response team” is the Security Operations Centre or helpdesk teams and their chain of command. After all they are the people with access to the logs, monitoring tools and technical controls and are responsible for raising the alarm when something unusual happens. 

These technical experts certainly need to be relied on to diagnose network intrusions, identify impacted systems and trace activities back through log files. Their input is crucial for understanding what systems have been impacted in an incident, how long an intrusion has been going on and what data and operational systems might be affected, for example.

Technical response teams continuously improve their capabilities. They ingest intelligence about threat actor tactics, improve the coverage of their tooling and tune their alerting. Their daily tasks - managing alerts and tickets - means that they tend to hold good understanding of their technology and capabilities. That is not to say technical teams consistently operate optimally – there are always ways in which they can improve their coverage, playbooks and processes – but overall, technical responders will be aware of their responsibilities when it comes to cyber security incidents. They generally know how they will go about doing what needs to be done when it comes to identifying incidents and short-term technical containment.

The Tip Of The Iceberg

But when a cyber security incident hits, the technical response is only the tip of the iceberg. There are numerous stakeholders who need to be involved in a cooperative, collaborative effort to contain the incident and recover. In the absence of good preparation and briefing, a cyber security incident may well be the first time these stakeholders have worked together to solve a complicated business issue. 

Many organisations - especially medium-sized enterprises – also have a tendency for technical teams to operate in a siloed fashion. All too often, we see that cyber security is not the primary concern for the other business stakeholders. 

A cyber security incident can impact the operation of any and all business functions. Systems might be disabled during the intrusion, or you may need to disable services or take whole chunks of the network offline to properly triage and limit damage. 

To understand whether certain technical response options are viable, the technical team must have input from business function owners about any impact certain responses may have on business operations. 

Input will be needed from finance teams about any potential financial consequences of actions. Legal teams need to understand and communicate about the impact on contractual and regulatory obligations.
When a cyber security incident hits, it is essential to understand when and how to communicate with external impacted parties. 

There are a host of questions to ask, including: 

  • If customer data is impacted, what is the customer communication strategy? 
  • Where personal data may be compromised, what is the process for informing the ICO? 
  • What contractual obligations are there to external parties in relation to incident reporting? 

Marketing and communications teams, along with legal representatives, need to be heavily involved in making these decisions.

In any pressured situation, being practiced and prepared removes a lot of the stress and makes people more effective. 

When dealing with an emergency as part of a team, everyone understanding their roles and responsibilities, knowing the people in the team and how they operate makes any response calmer and more efficient. The last thing anyone wants when a cyber security incident happens is for this to be the first time stakeholders have read the incident response plan to understand what is expected of them. Practice definitely is the only way to make perfect.

Time To Exercise

Tabletop exercises for cyber security incident response are invaluable. When run regularly, and across varying scenarios, they allow organisations to bring together technical response teams with key business stakeholders such as legal, marketing and communications personnel. 

A tabletop exercise is important in a very practical sense - it gives people experience in making impactful emergency decisions and helps them understand their incident responsibilities. 

Such exercises can also be an excellent opportunity for stakeholders who rarely interact to build connections and relationships outside of an emergency. When the worst does happen, those relationships help incident response teams to communicate more effectively. This not only saves time – but may well mean the difference between good containment and incomplete recovery.

Any organisation not already running tabletop simulations for cyber security incidents, should consider making them part of their processes. And when running tabletop simulations, it is important not to just focus on the technical aspects of containment and recovery. Make sure to identify and include as many of the required business stakeholders as possible. 

Gemma Moore is Director at Cyberis

Image: stuartmiles99

You Might Also Read: 

Outsourcing Production Risks Productivity:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Google Faces Order To Divest Chrome
Protecting Patient Privacy: Cybersecurity Priorities For Healthcare »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Veridify Security

Veridify Security

Veridify Security (formerly SecureRF), develops and licenses quantum-resistant, public-key security tools for the low-resource processors powering the Internet of Things.

Censornet

Censornet

Censornet's autonomous, integrated cloud security gives mid-market organisations the confidence and control of enterprise-grade cyber protection.

Cigniti Technologies

Cigniti Technologies

Cigniti Technologies provides Independent Software Testing (IST) Services including software security testing.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Solana Networks

Solana Networks

Solana Networks is a specialist in IT networking and security.

Titanium Industrial Security

Titanium Industrial Security

Titanium Industrial Security specializes in advising and accompanying companies on cybersecurity in Connected Industry (Industry 4.0 / Smart Factory / IIoT).

GraVoc

GraVoc

GraVoc is a technology-consulting firm committed to solving business problems for customers through the development, implementation, & support of technology-based solutions.

iFluids Engineering

iFluids Engineering

iFluids Engineering is a leading engineering consulting and risk management firm providing a full range of services including Cyber Security for Industrial Control Systems.

Sompo International

Sompo International

Sompo International is a global specialty provider of property and casualty insurance and reinsurance services including Cyber & Network Risk.

Westminster Insight - Cyber Security Conference

Westminster Insight - Cyber Security Conference

Join colleagues this December for Westminster Insight’s Cyber Security Conference, as you’ll assess how new technologies such as AI can secure your organisation against future threats.

ProofID

ProofID

ProofID is a specialist provider of Identity Access Management (IAM) solutions. We focus on the solving the complex needs of the modern enterprise.

Virtual Technologies Group (VTG)

Virtual Technologies Group (VTG)

Virtual Technologies Group is a single source, IT product and services provider for SMBs and IT departments, delivering reliable, cost-efficient service, maintenance and support solutions.

RB42

RB42

RB42 (formerly Nexa Technologies) provide cyber defense solutions (ComUnity, secure and encrypted messaging, detection of interception tools, etc) and cyber defense consultancy service.

Memcyco

Memcyco

Memcyco is a provider of cutting-edge digital trust technologies to empower brands in combating online brand impersonation fraud, and preventing fraud damages to businesses and their clients.

Bluerydge

Bluerydge

Bluerydge specialises in cyber security and technology, focusing on the delivery of innovative sovereign solutions through trusted, cleared and experienced professionals.

Noma Security

Noma Security

Noma Security's mission is Application Security for the Entire Data & AI Lifecycle.