Incident response (IR) is a significant challenge because organizations are often shellshocked when faced with a cyberattack. IR teams may have the right skills to react to and resolve security events, but a lack of preparation can exacerbate the problem at hand. To carry out their missions quickly and completely, IR teams need unfettered access to network resources. But they also need to do a better job of communicating with and advising business leaders and other nontechnical stakeholders in the event of a breach.

Preparing for Disruption

Cyberattacks always come as a surprise. They could be discovered by a rank-and-file employee who receives a notification that his or her system is locked, along with a demand for a ransom payment. Or perhaps the security team detects a breach and takes action to halt the attack.

In either case, normal operations are likely to be interrupted. It’s bad enough that regular business functions are affected, but many employees have heard about similar attacks in which company data has been encrypted and subsequently never recovered. The additional anxiety about all their work being lost can put an entire company in panic mode.

Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. The specifics of this information will be different for every company, but it should cover the basics of what happened and what could happen next.

Assembling Incident Response Experts

An IR team typically includes an IR manager, security analysts and threat researchers. But because intrusion incidents can affect a wide segment of the enterprise, additional people and departments need to be advised regularly and included in IR activities. The level of inclusion will vary based on the particular incident and the functions affected, so the IR team must work in a cross-functional mode that varies as conditions change.

The IR team should start by requesting participation from specific business units, including upper management, public relations, human resources, risk management and general counsel. Each department needs to have basic information about what kinds of incidents could affect the company and what their roles might be.

Standard disaster recovery protocols, including contact details and alternate assignees, need to be available, and every contact must receive updates. By the time an incident arises, it’s too late to assemble a team and bring it up to speed. Each business unit should have a clear understanding of its role prior to a security event, and the IR team should announce the incident with sufficient detail so that employees can react appropriately.

Staying Ahead of Unpredictable Threats

Preparation makes responding to incidents more manageable. But like any other disaster recovery effort, unanticipated issues are likely to make the job of the IR team more laborious and time-consuming. The IR team should have full network visibility at the same level as the security team. Otherwise, hidden segments are just as likely as any other to become active distributors of attacks.

The IR team should also have access to packet-based network forensics, the training necessary to put that information to use and the storage space to collect suspicious packets. Analysts don’t have time to look through every potentially problematic packet when they are simply trying to recover from an attack. After the system has been reinstated, however, the team can investigate those saved packets for clues as to the cause of the most recent incident. This will also help make predictions about attacks that may be lurking on the network but have yet to execute.

Cyberattacks are inevitable, but a properly prepared incident response team can minimize their effects. Preparation is also key to getting operations back to normal, helping the organization avoid significant downtime, data loss and the reputational damage that comes with it.
