How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less about an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and that provide thorough deliverables to help beyond the postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave™ report shows how each provider measures up and helps security and risk professionals make the right choice. IBM was named a leader in the report, and according to Forrester Research, “IBM is a strong choice for training and incident preparation services” and “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”


The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IR Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allows you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave™ — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.
