Practice Makes Perfect For Incident Response

Uploaded on 2024-11-22 in TECHNOLOGY--Resilience, FREE TO VIEW

When a cyber security incident is detected, recovery can be stressful, messy, expensive and time-consuming. One of the biggest surprises for anyone who has never been involved in an incident response before, is how many different stakeholders need to be involved and coordinated, and therefore how many considerations need to be accounted for in the decision-making process. 

Clearly, this means that good teamwork is critical to ensure recovery from an incident is effective and enduring. Especially in smaller organisations, it is tempting to think of incident response as a purely technical discipline.

It is easy to assume that the “incident response team” is the Security Operations Centre or helpdesk teams and their chain of command. After all they are the people with access to the logs, monitoring tools and technical controls and are responsible for raising the alarm when something unusual happens. 

These technical experts certainly need to be relied on to diagnose network intrusions, identify impacted systems and trace activities back through log files. Their input is crucial for understanding what systems have been impacted in an incident, how long an intrusion has been going on and what data and operational systems might be affected, for example.

Technical response teams continuously improve their capabilities. They ingest intelligence about threat actor tactics, improve the coverage of their tooling and tune their alerting. Their daily tasks - managing alerts and tickets - means that they tend to hold good understanding of their technology and capabilities. That is not to say technical teams consistently operate optimally – there are always ways in which they can improve their coverage, playbooks and processes – but overall, technical responders will be aware of their responsibilities when it comes to cyber security incidents. They generally know how they will go about doing what needs to be done when it comes to identifying incidents and short-term technical containment.

The Tip Of The Iceberg

But when a cyber security incident hits, the technical response is only the tip of the iceberg. There are numerous stakeholders who need to be involved in a cooperative, collaborative effort to contain the incident and recover. In the absence of good preparation and briefing, a cyber security incident may well be the first time these stakeholders have worked together to solve a complicated business issue. 

Many organisations - especially medium-sized enterprises – also have a tendency for technical teams to operate in a siloed fashion. All too often, we see that cyber security is not the primary concern for the other business stakeholders. 

A cyber security incident can impact the operation of any and all business functions. Systems might be disabled during the intrusion, or you may need to disable services or take whole chunks of the network offline to properly triage and limit damage. 

To understand whether certain technical response options are viable, the technical team must have input from business function owners about any impact certain responses may have on business operations. 

Input will be needed from finance teams about any potential financial consequences of actions. Legal teams need to understand and communicate about the impact on contractual and regulatory obligations.
When a cyber security incident hits, it is essential to understand when and how to communicate with external impacted parties. 

There are a host of questions to ask, including: 

  • If customer data is impacted, what is the customer communication strategy? 
  • Where personal data may be compromised, what is the process for informing the ICO? 
  • What contractual obligations are there to external parties in relation to incident reporting? 

Marketing and communications teams, along with legal representatives, need to be heavily involved in making these decisions.

In any pressured situation, being practiced and prepared removes a lot of the stress and makes people more effective. 

When dealing with an emergency as part of a team, everyone understanding their roles and responsibilities, knowing the people in the team and how they operate makes any response calmer and more efficient. The last thing anyone wants when a cyber security incident happens is for this to be the first time stakeholders have read the incident response plan to understand what is expected of them. Practice definitely is the only way to make perfect.

Time To Exercise

Tabletop exercises for cyber security incident response are invaluable. When run regularly, and across varying scenarios, they allow organisations to bring together technical response teams with key business stakeholders such as legal, marketing and communications personnel. 

A tabletop exercise is important in a very practical sense - it gives people experience in making impactful emergency decisions and helps them understand their incident responsibilities. 

Such exercises can also be an excellent opportunity for stakeholders who rarely interact to build connections and relationships outside of an emergency. When the worst does happen, those relationships help incident response teams to communicate more effectively. This not only saves time – but may well mean the difference between good containment and incomplete recovery.

Any organisation not already running tabletop simulations for cyber security incidents, should consider making them part of their processes. And when running tabletop simulations, it is important not to just focus on the technical aspects of containment and recovery. Make sure to identify and include as many of the required business stakeholders as possible. 

Gemma Moore is Director at Cyberis

Image: stuartmiles99

You Might Also Read: 

Outsourcing Production Risks Productivity:

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible

 

« Google Faces Order To Divest Chrome
Protecting Patient Privacy: Cybersecurity Priorities For Healthcare »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Infosecurity Europe

Infosecurity Europe

Infosecurity Europe is Europe’s number one information security conference and exhibition.

Identiv

Identiv

Identiv is a global security technology company that establishes trust in the connected world, including premises, information and everyday items.

Energy Sec

Energy Sec

EnergySec is a United States 501(c)(3) non-profit corporation formed to support energy sector organizations with the security of their critical technology infrastructures.

Cloudbric

Cloudbric

Cloudbric is a cloud-based web security service, offering award-winning WAF, DDoS protection, and SSL, all in a full-service package.

IT Security House

IT Security House

IT Security House is a leading European supplier of Cyber Security Intelligence and eCrime services.

Electric Imp

Electric Imp

Electric Imp offers an innovative and powerful Internet of Things platform that securely connects devices with advanced cloud computing resources.

WeSecureApp (WSA)

WeSecureApp (WSA)

WeSecureApp is specialized in providing Cyber Security Solutions to safeguard your applications and networks.

Saudi Federation for Cyber Security and Programming (SAFCSP)

Saudi Federation for Cyber Security and Programming (SAFCSP)

SAFCSP is a national institution under the umbrella of the Saudi Arabian Olympic Committee, which seeks to build national and professional capabilities in the fields of cyber security and programming.

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Entel CyberSecure

Entel CyberSecure

Entel CyberSecure is a portfolio of Cybersecurity solutions and services for the protection, defense, risk management and regulatory compliance of ICT Systems for corporations and Government.

iProov

iProov

iProov delivers authentication and verification simply and securely, based on a genuine one-time biometric.

Infosec Train

Infosec Train

Infosec Train provide professional training, certifications & professional services related to all spheres of Information Technology and Cyber Security.

Cyber Resilience Centre for Wales (WCRC)

Cyber Resilience Centre for Wales (WCRC)

The Cyber Resilience Centre for Wales (WCRC) is part of the national roll out of Cyber Resilience Centres in the UK which began in 2019.

Lancera

Lancera

Lancera provides growth accelerating Software Development, Web Presence and Cybersecurity Solutions with a focus on customer happiness.

Rankiteo

Rankiteo

At Rankiteo, we are pioneers in cybersecurity risk management. Our mission is to empower organizations with the tools they need to assess, enhance, and safeguard their digital landscapes.

Seezo

Seezo

Seezo leverages Gen AI to make world-class AppSec accessible to every engineering team.