You are likely familiar with what to do and not do in the event of a fire, tornado, disaster recovery, business continuity and other crisis situations. Such preparation may be mandated with oversight. You may even conduct regular exercises to validate your readiness and improve your incident response. Those in the military frequently train to the extent that completion of a task is a matter of triggering muscle memory — an automatic reflex.

How developed is your cybersecurity muscle memory? Chances are you have an outline, script or idea of how to respond to a cybersecurity incident, but the efficacy of the response may be uncertain.

Refining Incident Response Strategies Over Time

Some organizations conduct threat simulation and incident response tabletop exercises; others may choose to participate in higher-tech threat simulation programs, such as those hosted at the IBM X-Force Command Center and Cyber Range.

When I worked for an investment banking firm in my younger days, I recall incidents in which financial and market data streams would fail. I remember how the phone would ring off the hook, how I was required to address each and every call instead of addressing the task at hand, and how I couldn’t help but think that if they just left me alone for a few minutes, I’d likely have the situation remedied by now. Besides letting off steam at my expense, in most cases, callers just sought assurance that the situation was being effectively addressed with the appropriate urgency, and possibly an uptime ETA.

Back then, I would have welcomed the ability for these lines of business to view a dashboard of my progress in addressing the situation. Most probably just wanted to know that I hadn’t left for a burger while the data feeds were down. In retrospect, the best approach would have been to keep a scripted runbook outlining situations through to their response and frequently validate it until it was committed to muscle memory. The framework would have allowed business actors to view a nearly real-time dashboard indicating the critical situation’s progress — just as you’d want to know when your electricity might be restored following a power outage.

What Makes an Effective Incident Response?

Take care to define your incident response runbook and exercise the full life cycle from incident identification through response. It should begin with an alert and triage, followed by determination of scope and who to engage and highly controlled communication, both internally and externally. Actors throughout the organization must clearly understand who is authorized to disseminate what information. A glossary of terms should be compiled, understood and practiced by all so that communication is articulated swiftly, consistently and intentionally. IT actors should not be alone in executing an effective incident response run book — financial, privacy, compliance, marketing and legal representatives should also be included in incident exercises.

Many incident response tools on the market provide out-of-the-box response structures that can be tailored and are able to execute practice drills. The run books used in drills or during real incidents should include alerts and notifications to various response members, with granular workflows tailored to different incident situations. The most effective response solutions integrate well with your security information and event management (SIEM) or next-generation advanced analytics frameworks. When an offense is realized, response orchestration can be easily executed, including parallel technical actions and nontechnical business operational steps.

How to Build Cybersecurity Muscle Memory

An optimal incident response solution allows various actors to view common dashboards, includes the collection of assets and artifacts pertaining to stages of investigation or remediation, timelines, actors completing tasks, and next stages to be performed. This workflow may be drilled and practiced until the preparation and execution becomes cybersecurity muscle memory.

The right solution that includes the full incident life cycle can replace a manual, after-the-fact effort to document the entire incident response for later evaluation, reuse or evidence. The Security Orchestration, Automation, and Response (SOAR) Platform then becomes a threat-to-response knowledge base that is referenceable by different actors. Actions, notations and artifacts pertinent to the situation can be assessed and improved upon. These are all essential parts of the asset, and easily referenceable should a similar situation occur.

When selecting a solution, consider compliance and regulatory factors. Any steps you can take to assist in providing your legal, compliance and business leaders with timely mandated information and the actual forms pertaining specifically to the incident, type of compromised information, and affected persons from various states or countries will help you achieve the fastest return on investment (ROI).

Organizations that already have a support ticketing system or framework in place may consider integrating the IRP solution. This can generate additional ROI, since the IRP solution may synchronize its response to a support ticketing tool, eliminating the need for all IRP individuals to be licensed on the ticketing platform. The bottom line is that if you’re still using a manual incident response process, you should consider investing in an IRP. There’s considerable value to be realized at every turn.

Learn about the IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

More from Incident Response

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will not rehash analysis of the Lazarus malware sample or Event Tracing for Windows (ETW) as that has been previously covered in the X-Force blog post. This blog will focus on highlighting the opportunities for detection of the FudModule within the…

Breaking Down a Cyberattack, One Kill Chain Step at a Time

In today’s wildly unpredictable threat landscape, the modern enterprise should be familiar with the cyber kill chain concept. A cyber kill chain describes the various stages of a cyberattack pertaining to network security. Lockheed Martin developed the cyber kill chain framework to help organizations identify and prevent cyber intrusions. The steps in a kill chain trace the typical stages of an attack from early reconnaissance to completion. Analysts use the framework to detect and prevent advanced persistent threats (APT). Organizations…

Defining the Cobalt Strike Reflective Loader

The Challenge with Using Cobalt Strike for Advanced Red Team Exercises While next-generation AI and machine-learning components of security solutions continue to enhance behavioral-based detection capabilities, at their core many still rely on signature-based detections. Cobalt Strike being a popular red team Command and Control (C2) framework used by both threat actors and red teams since its debut, continues to be heavily signatured by security solutions. To continue Cobalt Strikes operational usage in the past, we on the IBM X-Force…

What is a Red Teamer? All You Need to Know

A red teamer is a cybersecurity professional that works to help companies improve IT security frameworks by attacking and undermining those same frameworks, often without notice. The term “red teaming” is often used interchangeably with penetration testing. While the terms are similar, however, there are key distinctions. First and foremost is the lack of notice from red teams. Pen testing may be scheduled in advance to assess the ability of specific security measures to handle a simulated attack; red team…