August 29, 2018 By Michael Melore 3 min read

You are likely familiar with what to do and not do in the event of a fire, tornado, disaster recovery, business continuity and other crisis situations. Such preparation may be mandated with oversight. You may even conduct regular exercises to validate your readiness and improve your incident response. Those in the military frequently train to the extent that completion of a task is a matter of triggering muscle memory — an automatic reflex.

How developed is your cybersecurity muscle memory? Chances are you have an outline, script or idea of how to respond to a cybersecurity incident, but the efficacy of the response may be uncertain.

Refining Incident Response Strategies Over Time

Some organizations conduct threat simulation and incident response tabletop exercises; others may choose to participate in higher-tech threat simulation programs, such as those hosted at the IBM X-Force Command Center and Cyber Range.

When I worked for an investment banking firm in my younger days, I recall incidents in which financial and market data streams would fail. I remember how the phone would ring off the hook, how I was required to address each and every call instead of addressing the task at hand, and how I couldn’t help but think that if they just left me alone for a few minutes, I’d likely have the situation remedied by now. Besides letting off steam at my expense, in most cases, callers just sought assurance that the situation was being effectively addressed with the appropriate urgency, and possibly an uptime ETA.

Back then, I would have welcomed the ability for these lines of business to view a dashboard of my progress in addressing the situation. Most probably just wanted to know that I hadn’t left for a burger while the data feeds were down. In retrospect, the best approach would have been to keep a scripted runbook outlining situations through to their response and frequently validate it until it was committed to muscle memory. The framework would have allowed business actors to view a nearly real-time dashboard indicating the critical situation’s progress — just as you’d want to know when your electricity might be restored following a power outage.

What Makes an Effective Incident Response?

Take care to define your incident response runbook and exercise the full life cycle from incident identification through response. It should begin with an alert and triage, followed by determination of scope and who to engage and highly controlled communication, both internally and externally. Actors throughout the organization must clearly understand who is authorized to disseminate what information. A glossary of terms should be compiled, understood and practiced by all so that communication is articulated swiftly, consistently and intentionally. IT actors should not be alone in executing an effective incident response run book — financial, privacy, compliance, marketing and legal representatives should also be included in incident exercises.

Many incident response tools on the market provide out-of-the-box response structures that can be tailored and are able to execute practice drills. The run books used in drills or during real incidents should include alerts and notifications to various response members, with granular workflows tailored to different incident situations. The most effective response solutions integrate well with your security information and event management (SIEM) or next-generation advanced analytics frameworks. When an offense is realized, response orchestration can be easily executed, including parallel technical actions and nontechnical business operational steps.

How to Build Cybersecurity Muscle Memory

An optimal incident response solution allows various actors to view common dashboards, includes the collection of assets and artifacts pertaining to stages of investigation or remediation, timelines, actors completing tasks, and next stages to be performed. This workflow may be drilled and practiced until the preparation and execution becomes cybersecurity muscle memory.

The right solution that includes the full incident life cycle can replace a manual, after-the-fact effort to document the entire incident response for later evaluation, reuse or evidence. The Security Orchestration, Automation, and Response (SOAR) Platform then becomes a threat-to-response knowledge base that is referenceable by different actors. Actions, notations and artifacts pertinent to the situation can be assessed and improved upon. These are all essential parts of the asset, and easily referenceable should a similar situation occur.

When selecting a solution, consider compliance and regulatory factors. Any steps you can take to assist in providing your legal, compliance and business leaders with timely mandated information and the actual forms pertaining specifically to the incident, type of compromised information, and affected persons from various states or countries will help you achieve the fastest return on investment (ROI).

Organizations that already have a support ticketing system or framework in place may consider integrating the IRP solution. This can generate additional ROI, since the IRP solution may synchronize its response to a support ticketing tool, eliminating the need for all IRP individuals to be licensed on the ticketing platform. The bottom line is that if you’re still using a manual incident response process, you should consider investing in an IRP. There’s considerable value to be realized at every turn.

Learn about the IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

More from Incident Response

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

3 recommendations for adopting generative AI for cyber defense

3 min read - In the past eighteen months, generative AI (gen AI) has gone from being the source of jaw-dropping demos to a top strategic priority in nearly every industry. A majority of CEOs report feeling under pressure to invest in gen AI. Product teams are now scrambling to build gen AI into their solutions and services. The EU and US are beginning to put new regulatory frameworks in place to manage AI risks.Amid all this commotion, hackers and other cybercriminals are hardly…

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today