Incident response (IR) is a significant challenge because organizations are often shellshocked when faced with a cyberattack. IR teams may have the right skills to react to and resolve security events, but a lack of preparation can exacerbate the problem at hand. To carry our their missions quickly and completely, IR teams need unfettered access to network resources. But they also need to do a better job of communicating with and advising business leaders and other nontechnical stakeholders in the event of a breach.
Preparing for Disruption
Cyberattacks always come as a surprise. They could be discovered by a rank-and-file employee who receives a notification that his or her system is locked, along with a demand for a ransom payment. Or perhaps the security team detects a breach and takes action to halt the attack.
In either case, normal operations are likely to be interrupted. It’s bad enough that regular business functions are affected, but many employees have heard about similar attacks in which company data has been encrypted and subsequently never recovered. The additional anxiety about all their work being lost can put an entire company in panic mode.
Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. The specifics of this information will be different for every company, but it should cover the basics of what happened and what could happen next.
Assembling Incident Response Experts
An IR team typically includes an IR manager, security analysts and threat researchers. But because intrusion incidents can affect a wide segment of the enterprise, additional people and departments need to be advised regularly and included in IR activities. The level of inclusion will vary based on the particular incident and the functions affected, so the IR team must work in a cross-functional mode that varies as conditions change.
The IR team should start by requesting participation from specific business units, including upper management, public relations, human resources, risk management and general counsel. Each department needs to have basic information about what kinds of incidents could affect the company and what their roles might be.
Standard disaster recovery protocols, including contact details and alternate assignees, need to be available, and every contact must receive updates. By the time an incident arises, it’s too late to assemble a team and bring it up to speed. Each business unit should have a clear understanding of its role prior to a security event, and the IR team should announce the incident with sufficient detail so that employees can react appropriately.
Staying Ahead of Unpredictable Threats
Preparation makes responding to incidents more manageable. But like any other disaster recovery effort, unanticipated issues are likely to make the job of the IR team more laborious and time-consuming. The IR team should have full network visibility at the same level as the security team. Otherwise, hidden segments are just as likely as any other to become active distributors of attacks.
The IR team should also have access to packet-based network forensics, the training necessary to put that information to use and the storage space to collect suspicious packets. Analysts don’t have time to look through every potentially problematic packet when they are simply trying to recover from an attack. After the system has been reinstated, however, the team can investigate those saved packets for clues as to cause of the most recent incident. This will also help make predictions about attacks that may be lurking on the network but have yet to execute.
Cyberattacks are inevitable, but a properly prepared incident response team can minimize their effects. It’s also key to getting operations back to normal to help the organization avoid significant downtime, data loss and the reputational damage that comes with it.
Listen to the podcast: Get Smarter About Disaster Response — 5 Resolutions for 2018
Freelance Writer and Former CIO