Practice Makes Perfect For Incident Response

Uploaded on 2024-11-22 in TECHNOLOGY--Resilience, FREE TO VIEW

When a cyber security incident is detected, recovery can be stressful, messy, expensive and time-consuming. One of the biggest surprises for anyone who has never been involved in an incident response before, is how many different stakeholders need to be involved and coordinated, and therefore how many considerations need to be accounted for in the decision-making process. 

Clearly, this means that good teamwork is critical to ensure recovery from an incident is effective and enduring. Especially in smaller organisations, it is tempting to think of incident response as a purely technical discipline.

It is easy to assume that the “incident response team” is the Security Operations Centre or helpdesk teams and their chain of command. After all they are the people with access to the logs, monitoring tools and technical controls and are responsible for raising the alarm when something unusual happens. 

These technical experts certainly need to be relied on to diagnose network intrusions, identify impacted systems and trace activities back through log files. Their input is crucial for understanding what systems have been impacted in an incident, how long an intrusion has been going on and what data and operational systems might be affected, for example.

Technical response teams continuously improve their capabilities. They ingest intelligence about threat actor tactics, improve the coverage of their tooling and tune their alerting. Their daily tasks - managing alerts and tickets - means that they tend to hold good understanding of their technology and capabilities. That is not to say technical teams consistently operate optimally – there are always ways in which they can improve their coverage, playbooks and processes – but overall, technical responders will be aware of their responsibilities when it comes to cyber security incidents. They generally know how they will go about doing what needs to be done when it comes to identifying incidents and short-term technical containment.

The Tip Of The Iceberg

But when a cyber security incident hits, the technical response is only the tip of the iceberg. There are numerous stakeholders who need to be involved in a cooperative, collaborative effort to contain the incident and recover. In the absence of good preparation and briefing, a cyber security incident may well be the first time these stakeholders have worked together to solve a complicated business issue. 

Many organisations - especially medium-sized enterprises – also have a tendency for technical teams to operate in a siloed fashion. All too often, we see that cyber security is not the primary concern for the other business stakeholders. 

A cyber security incident can impact the operation of any and all business functions. Systems might be disabled during the intrusion, or you may need to disable services or take whole chunks of the network offline to properly triage and limit damage. 

To understand whether certain technical response options are viable, the technical team must have input from business function owners about any impact certain responses may have on business operations. 

Input will be needed from finance teams about any potential financial consequences of actions. Legal teams need to understand and communicate about the impact on contractual and regulatory obligations.
When a cyber security incident hits, it is essential to understand when and how to communicate with external impacted parties. 

There are a host of questions to ask, including: 

  • If customer data is impacted, what is the customer communication strategy? 
  • Where personal data may be compromised, what is the process for informing the ICO? 
  • What contractual obligations are there to external parties in relation to incident reporting? 

Marketing and communications teams, along with legal representatives, need to be heavily involved in making these decisions.

In any pressured situation, being practiced and prepared removes a lot of the stress and makes people more effective. 

When dealing with an emergency as part of a team, everyone understanding their roles and responsibilities, knowing the people in the team and how they operate makes any response calmer and more efficient. The last thing anyone wants when a cyber security incident happens is for this to be the first time stakeholders have read the incident response plan to understand what is expected of them. Practice definitely is the only way to make perfect.

Time To Exercise

Tabletop exercises for cyber security incident response are invaluable. When run regularly, and across varying scenarios, they allow organisations to bring together technical response teams with key business stakeholders such as legal, marketing and communications personnel. 

A tabletop exercise is important in a very practical sense - it gives people experience in making impactful emergency decisions and helps them understand their incident responsibilities. 

Such exercises can also be an excellent opportunity for stakeholders who rarely interact to build connections and relationships outside of an emergency. When the worst does happen, those relationships help incident response teams to communicate more effectively. This not only saves time – but may well mean the difference between good containment and incomplete recovery.

Any organisation not already running tabletop simulations for cyber security incidents, should consider making them part of their processes. And when running tabletop simulations, it is important not to just focus on the technical aspects of containment and recovery. Make sure to identify and include as many of the required business stakeholders as possible. 

Gemma Moore is Director at Cyberis

Image: stuartmiles99

You Might Also Read: 

Outsourcing Production Risks Productivity:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Google Faces Order To Divest Chrome
Protecting Patient Privacy: Cybersecurity Priorities For Healthcare »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

ComSec LLC

ComSec LLC

ComSec perform threat assessments to identify vulnerabilities and help protect businesses against corporate espionage via electronic eavesdropping.

Interpol

Interpol

Interpol is the world’s largest international police organization. It is committed to the global fight against cybercrime, as well as tackling cyber-enabled crimes.

European Council on Foreign Relations (ECFR)

European Council on Foreign Relations (ECFR)

ECFR is a pan-European think-tank conducting research and promote informed debate on European foreign policy. Cyber security is becoming an intrinsic element of foreign policy debate.

Altius IT

Altius IT

Altius IT reviews your website for security vulnerabilities and provides a report identifying vulnerabilities and recommendations to make secure.

Sensible Vision

Sensible Vision

SensibleVision helps organizations transparently protect data and prevent costly security breaches by constantly verifying the identities of people who use computers or mobile devices.

Quaynote Communications

Quaynote Communications

Quaynote Communications is a specialist conference and communications company focused primarily on the maritime, yachting, aviation and security industries.

Cycura

Cycura

Cycura provide advanced, customized, and confidential cyber security services, cyber investigation services, and digital forensic services to governments, companies, and organizations.

CyCraft Technology Corp

CyCraft Technology Corp

CyCraft is an AI company that forges the future of cybersecurity resilience through autonomous systems and human-AI collaboration.

CryptoSec.info

CryptoSec.info

CryptoSec.info is a web resource focused on educating the beginners in the cryptocurrency space on how to properly secure their online assets from hackers and scammers.

JobStreet.com

JobStreet.com

JobStreet is one of Asia’s leading online employment marketplaces in Malaysia, Philippines, Singapore, Indonesia and Vietnam.

Gula Tech Adventures

Gula Tech Adventures

Gula Tech Adventures invests in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace.

D2 Network Associates (D2NA)

D2 Network Associates (D2NA)

D2NA help businesses deliver and achieve their goals, through innovative IT solutions, robust cyber security services and proactive IT managed services.

Think|Stack

Think|Stack

Think|Stack is a managed IT services company specializing in cloud and cybersecurity with human-centered design.

GoTo

GoTo

At GoTo we help people and businesses to connect and collaborate simply and securely – from anywhere. We’re the trusted partner for companies of all sizes.

CloudCoCo

CloudCoCo

CloudCoCo help UK businesses of all sizes and industries succeed by providing enterprise-grade technology at small-business prices.

Autobahn Security

Autobahn Security

Autobahn Security is a growing team of 80+ experts from 25+ nationalities, established in 5 countries. We’re working hard to make Autobahn Security the No. 1 solution for improved hacking-resilience.