You are likely familiar with what to do and not do in the event of a fire, tornado, disaster recovery, business continuity and other crisis situations. Such preparation may be mandated with oversight. You may even conduct regular exercises to validate your readiness and improve your incident response. Those in the military frequently train to the extent that completion of a task is a matter of triggering muscle memory — an automatic reflex.

How developed is your cybersecurity muscle memory? Chances are you have an outline, script or idea of how to respond to a cybersecurity incident, but the efficacy of the response may be uncertain.

Refining Incident Response Strategies Over Time

Some organizations conduct threat simulation and incident response tabletop exercises; others may choose to participate in higher-tech threat simulation programs, such as those hosted at the IBM X-Force Command Center and Cyber Range.

When I worked for an investment banking firm in my younger days, I recall incidents in which financial and market data streams would fail. I remember how the phone would ring off the hook, how I was required to address each and every call instead of addressing the task at hand, and how I couldn’t help but think that if they just left me alone for a few minutes, I’d likely have the situation remedied by now. Besides letting off steam at my expense, in most cases, callers just sought assurance that the situation was being effectively addressed with the appropriate urgency, and possibly an uptime ETA.

Back then, I would have welcomed the ability for these lines of business to view a dashboard of my progress in addressing the situation. Most probably just wanted to know that I hadn’t left for a burger while the data feeds were down. In retrospect, the best approach would have been to keep a scripted runbook outlining situations through to their response and frequently validate it until it was committed to muscle memory. The framework would have allowed business actors to view a nearly real-time dashboard indicating the critical situation’s progress — just as you’d want to know when your electricity might be restored following a power outage.

What Makes an Effective Incident Response?

Take care to define your incident response runbook and exercise the full life cycle from incident identification through response. It should begin with an alert and triage, followed by determination of scope and who to engage and highly controlled communication, both internally and externally. Actors throughout the organization must clearly understand who is authorized to disseminate what information. A glossary of terms should be compiled, understood and practiced by all so that communication is articulated swiftly, consistently and intentionally. IT actors should not be alone in executing an effective incident response run book — financial, privacy, compliance, marketing and legal representatives should also be included in incident exercises.

Many incident response tools on the market provide out-of-the-box response structures that can be tailored and are able to execute practice drills. The run books used in drills or during real incidents should include alerts and notifications to various response members, with granular workflows tailored to different incident situations. The most effective response solutions integrate well with your security information and event management (SIEM) or next-generation advanced analytics frameworks. When an offense is realized, response orchestration can be easily executed, including parallel technical actions and nontechnical business operational steps.

How to Build Cybersecurity Muscle Memory

An optimal incident response solution allows various actors to view common dashboards, includes the collection of assets and artifacts pertaining to stages of investigation or remediation, timelines, actors completing tasks, and next stages to be performed. This workflow may be drilled and practiced until the preparation and execution becomes cybersecurity muscle memory.

The right solution that includes the full incident life cycle can replace a manual, after-the-fact effort to document the entire incident response for later evaluation, reuse or evidence. The Security Orchestration, Automation, and Response (SOAR) Platform then becomes a threat-to-response knowledge base that is referenceable by different actors. Actions, notations and artifacts pertinent to the situation can be assessed and improved upon. These are all essential parts of the asset, and easily referenceable should a similar situation occur.

When selecting a solution, consider compliance and regulatory factors. Any steps you can take to assist in providing your legal, compliance and business leaders with timely mandated information and the actual forms pertaining specifically to the incident, type of compromised information, and affected persons from various states or countries will help you achieve the fastest return on investment (ROI).

Organizations that already have a support ticketing system or framework in place may consider integrating the IRP solution. This can generate additional ROI, since the IRP solution may synchronize its response to a support ticketing tool, eliminating the need for all IRP individuals to be licensed on the ticketing platform. The bottom line is that if you’re still using a manual incident response process, you should consider investing in an IRP. There’s considerable value to be realized at every turn.

Learn about the IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

More from Incident Response

How to Start a Career in Cyber Incident Response

Cyber incident response is one of cybersecurity's most interesting and rewarding careers. It’s an in-demand role, and it pays well. But how do you get started? First, let’s start with the basics. What is Cyber Incident Response? Cyber incident response is the preparation for and practice of identifying, containing and ending cyber attacks. A computer security incident response team (CSIRT) within an organization — ideally including the chief information security officer, security operations center staff, executives and representatives from the…

How the Mac OS X Trojan Flashback Changed Cybersecurity

Not so long ago, the Mac was thought to be impervious to viruses. In fact, Apple once stated on its website that "it doesn't get PC viruses". But that was before the Mac OS X Trojan Flashback malware appeared in 2012. Since then, Mac and iPhone security issues have changed dramatically — and so has the security of the entire world. In this post, we'll revisit how the Flashback incident unfolded and how it changed the security landscape forever. What…

What Hurricane Preparedness Can Teach Us About Ransomware

Each year between June and November, many parts of the U.S. become potential targets for hurricanes. In October 2022, we had Hurricane Ian devastate Florida. To prepare for natural disasters like hurricanes, organizations are encouraged to build out and test business continuity, disaster recovery, and crisis management plans to use in the response efforts. Millions of dollars each year are spent on natural disaster preparation, but natural disasters are not the only disruption businesses face. While we can’t equate the…

Charles Henderson’s Cybersecurity Awareness Month Content Roundup

In some parts of the world during October, we have Halloween, which conjures the specter of imagined monsters lurking in the dark. Simultaneously, October is Cybersecurity Awareness Month, which evokes the specter of threats lurking behind our screens. Bombarded with horror stories about data breaches, ransomware, and malware, everyone’s suddenly in the latest cybersecurity trends and data, and the intricacies of their organization’s incident response plan. What does all this fear and uncertainty stem from? It’s the unknowns. Who might…