Practice Makes Perfect For Incident Response

Uploaded on 2024-11-22 in TECHNOLOGY--Resilience, FREE TO VIEW

When a cyber security incident is detected, recovery can be stressful, messy, expensive and time-consuming. One of the biggest surprises for anyone who has never been involved in an incident response before, is how many different stakeholders need to be involved and coordinated, and therefore how many considerations need to be accounted for in the decision-making process. 

Clearly, this means that good teamwork is critical to ensure recovery from an incident is effective and enduring. Especially in smaller organisations, it is tempting to think of incident response as a purely technical discipline.

It is easy to assume that the “incident response team” is the Security Operations Centre or helpdesk teams and their chain of command. After all they are the people with access to the logs, monitoring tools and technical controls and are responsible for raising the alarm when something unusual happens. 

These technical experts certainly need to be relied on to diagnose network intrusions, identify impacted systems and trace activities back through log files. Their input is crucial for understanding what systems have been impacted in an incident, how long an intrusion has been going on and what data and operational systems might be affected, for example.

Technical response teams continuously improve their capabilities. They ingest intelligence about threat actor tactics, improve the coverage of their tooling and tune their alerting. Their daily tasks - managing alerts and tickets - means that they tend to hold good understanding of their technology and capabilities. That is not to say technical teams consistently operate optimally – there are always ways in which they can improve their coverage, playbooks and processes – but overall, technical responders will be aware of their responsibilities when it comes to cyber security incidents. They generally know how they will go about doing what needs to be done when it comes to identifying incidents and short-term technical containment.

The Tip Of The Iceberg

But when a cyber security incident hits, the technical response is only the tip of the iceberg. There are numerous stakeholders who need to be involved in a cooperative, collaborative effort to contain the incident and recover. In the absence of good preparation and briefing, a cyber security incident may well be the first time these stakeholders have worked together to solve a complicated business issue. 

Many organisations - especially medium-sized enterprises – also have a tendency for technical teams to operate in a siloed fashion. All too often, we see that cyber security is not the primary concern for the other business stakeholders. 

A cyber security incident can impact the operation of any and all business functions. Systems might be disabled during the intrusion, or you may need to disable services or take whole chunks of the network offline to properly triage and limit damage. 

To understand whether certain technical response options are viable, the technical team must have input from business function owners about any impact certain responses may have on business operations. 

Input will be needed from finance teams about any potential financial consequences of actions. Legal teams need to understand and communicate about the impact on contractual and regulatory obligations.
When a cyber security incident hits, it is essential to understand when and how to communicate with external impacted parties. 

There are a host of questions to ask, including: 

  • If customer data is impacted, what is the customer communication strategy? 
  • Where personal data may be compromised, what is the process for informing the ICO? 
  • What contractual obligations are there to external parties in relation to incident reporting? 

Marketing and communications teams, along with legal representatives, need to be heavily involved in making these decisions.

In any pressured situation, being practiced and prepared removes a lot of the stress and makes people more effective. 

When dealing with an emergency as part of a team, everyone understanding their roles and responsibilities, knowing the people in the team and how they operate makes any response calmer and more efficient. The last thing anyone wants when a cyber security incident happens is for this to be the first time stakeholders have read the incident response plan to understand what is expected of them. Practice definitely is the only way to make perfect.

Time To Exercise

Tabletop exercises for cyber security incident response are invaluable. When run regularly, and across varying scenarios, they allow organisations to bring together technical response teams with key business stakeholders such as legal, marketing and communications personnel. 

A tabletop exercise is important in a very practical sense - it gives people experience in making impactful emergency decisions and helps them understand their incident responsibilities. 

Such exercises can also be an excellent opportunity for stakeholders who rarely interact to build connections and relationships outside of an emergency. When the worst does happen, those relationships help incident response teams to communicate more effectively. This not only saves time – but may well mean the difference between good containment and incomplete recovery.

Any organisation not already running tabletop simulations for cyber security incidents, should consider making them part of their processes. And when running tabletop simulations, it is important not to just focus on the technical aspects of containment and recovery. Make sure to identify and include as many of the required business stakeholders as possible. 

Gemma Moore is Director at Cyberis

Image: stuartmiles99

You Might Also Read: 

Outsourcing Production Risks Productivity:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Google Faces Order To Divest Chrome
Protecting Patient Privacy: Cybersecurity Priorities For Healthcare »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Athena Dynamics

Athena Dynamics

Athena Dynamics focuses on Cyber Security, especially in Critical Information Infra-structure Protection and Enterprise IT Operation Management products and Services.

Slovenian Digital Coalition

Slovenian Digital Coalition

Slovenian Digital Coalition is a coalition working in the field of smart cities, e-commerce, e-skills, e-inclusion, cyber security, internet and other areas related to developing the digital society.

6point6

6point6

6point6 is a technology consultancy with strong expertise in digital transformation, emerging technology and cyber security.

Evanston Technology Partners (ETP)

Evanston Technology Partners (ETP)

ETP provides services and solutions to enable and transform businesses in the areas of cybersecurity, data protection, and efficient operations practices.

Digital Magics

Digital Magics

Digital Magics is an incubator for innovative startups which offer content and services with high technological value. Areas of focus include IoT, Enterprise Software, AI, Industry 4.0 and Blockchain.

Cyentia Institute

Cyentia Institute

The Cyentia Institute is a research & data science firm with a mission to advance knowledge in the cybersecurity industry.

US Cyber Range

US Cyber Range

US Cyber Range is a scalable, cloud-hosted infrastructure providing students with virtual environments for realistic, hands-on cybersecurity labs and exercises.

AEWIN Technologies

AEWIN Technologies

AEWIN is professional in the fields of Network Appliance, Cyber Security, Server, Edge Computing and an ODM/OEM expert.

Crowe

Crowe

Crowe is a public accounting, consulting, and technology firm that combines deep industry and specialized expertise with innovation.

Seccuri

Seccuri

Seccuri is a unique global cybersecurity talent tech platform. Use our specialized AI algorithm to grow and improve the cybersecurity workforce.

Archon Secure

Archon Secure

Archon GoSilent Cube delivers a CSfC-certified, plug-and-play security solution for classified and unclassified communication when using the public Internet.

AWARE7

AWARE7

IT security for human and machine. With the help of our products and services, we work with you to increase the IT security level of your organization.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

Star Lab

Star Lab

Star Lab specializes in the development and productization of embedded security technologies.

TeKnowledge

TeKnowledge

TeKnowledge enables governments and enterprises around the world to navigate the challenges with digital transformation today and tomorrow with elite cybersecurity protection and managed services.

EasySec Solutions

EasySec Solutions

EasySec Solutions provides a cyber-security platform, based on a combination of the zero trust model and the software-defined security management.