You are likely familiar with what to do and not do in the event of a fire, tornado, disaster recovery, business continuity and other crisis situations. Such preparation may be mandated with oversight. You may even conduct regular exercises to validate your readiness and improve your incident response. Those in the military frequently train to the extent that completion of a task is a matter of triggering muscle memory — an automatic reflex.

How developed is your cybersecurity muscle memory? Chances are you have an outline, script or idea of how to respond to a cybersecurity incident, but the efficacy of the response may be uncertain.

Refining Incident Response Strategies Over Time

Some organizations conduct threat simulation and incident response tabletop exercises; others may choose to participate in higher-tech threat simulation programs, such as those hosted at the IBM X-Force Command Center and Cyber Range.

When I worked for an investment banking firm in my younger days, I recall incidents in which financial and market data streams would fail. I remember how the phone would ring off the hook, how I was required to address each and every call instead of addressing the task at hand, and how I couldn’t help but think that if they just left me alone for a few minutes, I’d likely have the situation remedied by now. Besides letting off steam at my expense, in most cases, callers just sought assurance that the situation was being effectively addressed with the appropriate urgency, and possibly an uptime ETA.

Back then, I would have welcomed the ability for these lines of business to view a dashboard of my progress in addressing the situation. Most probably just wanted to know that I hadn’t left for a burger while the data feeds were down. In retrospect, the best approach would have been to keep a scripted runbook outlining situations through to their response and frequently validate it until it was committed to muscle memory. The framework would have allowed business actors to view a nearly real-time dashboard indicating the critical situation’s progress — just as you’d want to know when your electricity might be restored following a power outage.

What Makes an Effective Incident Response?

Take care to define your incident response runbook and exercise the full life cycle from incident identification through response. It should begin with an alert and triage, followed by determination of scope and who to engage and highly controlled communication, both internally and externally. Actors throughout the organization must clearly understand who is authorized to disseminate what information. A glossary of terms should be compiled, understood and practiced by all so that communication is articulated swiftly, consistently and intentionally. IT actors should not be alone in executing an effective incident response run book — financial, privacy, compliance, marketing and legal representatives should also be included in incident exercises.

Many incident response tools on the market provide out-of-the-box response structures that can be tailored and are able to execute practice drills. The run books used in drills or during real incidents should include alerts and notifications to various response members, with granular workflows tailored to different incident situations. The most effective response solutions integrate well with your security information and event management (SIEM) or next-generation advanced analytics frameworks. When an offense is realized, response orchestration can be easily executed, including parallel technical actions and nontechnical business operational steps.

How to Build Cybersecurity Muscle Memory

An optimal incident response solution allows various actors to view common dashboards, includes the collection of assets and artifacts pertaining to stages of investigation or remediation, timelines, actors completing tasks, and next stages to be performed. This workflow may be drilled and practiced until the preparation and execution becomes cybersecurity muscle memory.

The right solution that includes the full incident life cycle can replace a manual, after-the-fact effort to document the entire incident response for later evaluation, reuse or evidence. The Security Orchestration, Automation, and Response (SOAR) Platform then becomes a threat-to-response knowledge base that is referenceable by different actors. Actions, notations and artifacts pertinent to the situation can be assessed and improved upon. These are all essential parts of the asset, and easily referenceable should a similar situation occur.

When selecting a solution, consider compliance and regulatory factors. Any steps you can take to assist in providing your legal, compliance and business leaders with timely mandated information and the actual forms pertaining specifically to the incident, type of compromised information, and affected persons from various states or countries will help you achieve the fastest return on investment (ROI).

Organizations that already have a support ticketing system or framework in place may consider integrating the IRP solution. This can generate additional ROI, since the IRP solution may synchronize its response to a support ticketing tool, eliminating the need for all IRP individuals to be licensed on the ticketing platform. The bottom line is that if you’re still using a manual incident response process, you should consider investing in an IRP. There’s considerable value to be realized at every turn.

Learn about the IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

More from Incident Response

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…