Incident response (IR) is a significant challenge because organizations are often shellshocked when faced with a cyberattack. IR teams may have the right skills to react to and resolve security events, but a lack of preparation can exacerbate the problem at hand. To carry out their missions quickly and completely, IR teams need unfettered access to network resources. But they also need to do a better job of communicating with and advising business leaders and other nontechnical stakeholders in the event of a breach.

Preparing for Disruption

Cyberattacks always come as a surprise. They could be discovered by a rank-and-file employee who receives a notification that his or her system is locked, along with a demand for a ransom payment. Or perhaps the security team detects a breach and takes action to halt the attack.

In either case, normal operations are likely to be interrupted. It’s bad enough that regular business functions are affected, but many employees have heard about similar attacks in which company data has been encrypted and subsequently never recovered. The additional anxiety about all their work being lost can put an entire company in panic mode.

Incident response teams need to get ahead of the next possible attack by letting employees know what to expect and what to do when they are faced with an interruption. The specifics of this information will be different for every company, but it should cover the basics of what happened and what could happen next.

Assembling Incident Response Experts

An IR team typically includes an IR manager, security analysts and threat researchers. But because intrusion incidents can affect a wide segment of the enterprise, additional people and departments need to be advised regularly and included in IR activities. The level of inclusion will vary based on the particular incident and the functions affected, so the IR team must work in a cross-functional mode that varies as conditions change.

The IR team should start by requesting participation from specific business units, including upper management, public relations, human resources, risk management and general counsel. Each department needs to have basic information about what kinds of incidents could affect the company and what their roles might be.

Standard disaster recovery protocols, including contact details and alternate assignees, need to be available, and every contact must receive updates. By the time an incident arises, it’s too late to assemble a team and bring it up to speed. Each business unit should have a clear understanding of its role prior to a security event, and the IR team should announce the incident with sufficient detail so that employees can react appropriately.

Staying Ahead of Unpredictable Threats

Preparation makes responding to incidents more manageable. But like any other disaster recovery effort, unanticipated issues are likely to make the job of the IR team more laborious and time-consuming. The IR team should have full network visibility at the same level as the security team. Otherwise, hidden segments are just as likely as any other to become active distributors of attacks.

The IR team should also have access to packet-based network forensics, the training necessary to put that information to use and the storage space to collect suspicious packets. Analysts don’t have time to look through every potentially problematic packet when they are simply trying to recover from an attack. After the system has been reinstated, however, the team can investigate those saved packets for clues as to the cause of the most recent incident. This will also help the team anticipate attacks that may be lurking on the network but have yet to execute.

Cyberattacks are inevitable, but a properly prepared incident response team can minimize their effects. Preparation is also key to getting operations back to normal and helping the organization avoid significant downtime, data loss and the reputational damage that comes with them.
