5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line

March 21, 2019 | co-authored by Ahmed Saleh | 4 min read

How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less about an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and provide thorough deliverables to help beyond postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave™ report shows how each provider measures up and helps security and risk professionals make the right choice. IBM was named a leader in the report and according to Forrester Research, “IBM is a strong choice for training and incident preparation services” and “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”

The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IR Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allow you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave™ — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.

Wendi Whitmore
Global Lead for X-Force IRIS, IBM

Wendi Whitmore is a technical leader with 15 years of diverse experience in incident response, proactive and strategic information security services, intelli...