You are likely familiar with what to do and not do in the event of a fire, tornado, disaster recovery, business continuity and other crisis situations. Such preparation may be mandated with oversight. You may even conduct regular exercises to validate your readiness and improve your incident response. Those in the military frequently train to the extent that completion of a task is a matter of triggering muscle memory — an automatic reflex.
How developed is your cybersecurity muscle memory? Chances are you have an outline, script or idea of how to respond to a cybersecurity incident, but the efficacy of the response may be uncertain.
Refining Incident Response Strategies Over Time
Some organizations conduct threat simulation and incident response tabletop exercises; others may choose to participate in higher-tech threat simulation programs, such as those hosted at the IBM X-Force Command Center and Cyber Range.
When I worked for an investment banking firm in my younger days, I recall incidents in which financial and market data streams would fail. I remember how the phone would ring off the hook, how I was required to address each and every call instead of addressing the task at hand, and how I couldn’t help but think that if they just left me alone for a few minutes, I’d likely have the situation remedied by now. Besides letting off steam at my expense, in most cases, callers just sought assurance that the situation was being effectively addressed with the appropriate urgency, and possibly an uptime ETA.
Back then, I would have welcomed the ability for these lines of business to view a dashboard of my progress in addressing the situation. Most probably just wanted to know that I hadn’t left for a burger while the data feeds were down. In retrospect, the best approach would have been to keep a scripted runbook outlining situations through to their response and frequently validate it until it was committed to muscle memory. The framework would have allowed business actors to view a nearly real-time dashboard indicating the critical situation’s progress — just as you’d want to know when your electricity might be restored following a power outage.
What Makes an Effective Incident Response?
Take care to define your incident response runbook and exercise the full life cycle from incident identification through response. It should begin with an alert and triage, followed by determination of scope and who to engage and highly controlled communication, both internally and externally. Actors throughout the organization must clearly understand who is authorized to disseminate what information. A glossary of terms should be compiled, understood and practiced by all so that communication is articulated swiftly, consistently and intentionally. IT actors should not be alone in executing an effective incident response run book — financial, privacy, compliance, marketing and legal representatives should also be included in incident exercises.
Many incident response tools on the market provide out-of-the-box response structures that can be tailored and are able to execute practice drills. The run books used in drills or during real incidents should include alerts and notifications to various response members, with granular workflows tailored to different incident situations. The most effective response solutions integrate well with your security information and event management (SIEM) or next-generation advanced analytics frameworks. When an offense is realized, response orchestration can be easily executed, including parallel technical actions and nontechnical business operational steps.
How to Build Cybersecurity Muscle Memory
An optimal incident response solution allows various actors to view common dashboards, includes the collection of assets and artifacts pertaining to stages of investigation or remediation, timelines, actors completing tasks, and next stages to be performed. This workflow may be drilled and practiced until the preparation and execution becomes cybersecurity muscle memory.
The right solution that includes the full incident life cycle can replace a manual, after-the-fact effort to document the entire incident response for later evaluation, reuse or evidence. The Security Orchestration, Automation, and Response (SOAR) Platform then becomes a threat-to-response knowledge base that is referenceable by different actors. Actions, notations and artifacts pertinent to the situation can be assessed and improved upon. These are all essential parts of the asset, and easily referenceable should a similar situation occur.
When selecting a solution, consider compliance and regulatory factors. Any steps you can take to assist in providing your legal, compliance and business leaders with timely mandated information and the actual forms pertaining specifically to the incident, type of compromised information, and affected persons from various states or countries will help you achieve the fastest return on investment (ROI).
Organizations that already have a support ticketing system or framework in place may consider integrating the IRP solution. This can generate additional ROI, since the IRP solution may synchronize its response to a support ticketing tool, eliminating the need for all IRP individuals to be licensed on the ticketing platform. The bottom line is that if you’re still using a manual incident response process, you should consider investing in an IRP. There’s considerable value to be realized at every turn.