Preparing for an Incident
Incidents are an inevitable part of any Cyber Security function, but how you respond to an incident will determine its impact on your organisation.
The NIST incident response framework focuses on four stages:
- Preparation
- Detection & Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
All four stages are important, but in my opinion, the effort should be weighted towards Preparation to achieve the best outcome.
The purpose of incident management is to nullify or reduce the negative impact on the organisation. Your ability to respond to an incident favourably depends entirely on your preparation.
Long before the pleasure of handling an incident, you need to get your ducks in a row. This is not a comprehensive list, but integrating the following six phases into your preparation will give you a leg up on “incident day.”
The Top 3
- Right People - It always starts with people. You need a diverse group of individuals who proactively want to defend the organisation. Hire a few experienced people, and then hire based on raw ingredients and attitude.
- Right Processes - Processes need to be in place for:
  - Incident handling: Clarity is important during an incident. This can be achieved by ensuring you have the right processes for your organisation. Adapt an industry best practice, such as CSIRT, and mould it to your organisation.
  - Intelligence gathering: This can help you “know your enemy” and anticipate their moves. You should have a reliable intelligence feed and adapt your proactive and reactive capabilities accordingly. All your limited resources need to be spent in the best possible way; to do that, you need intel.
  - Communication models: This is one of the most important processes to get right. A broad group of practitioners, owners, and observers will need to be kept in the loop. Adapt your message for your audience, frame and communicate clearly, and communicate frequently.
- Right Tools - They must be capable of handling the pending ask. Conversations about asset coverage, log visibility, and ineffective segregation are easier during peaceful times. Test that your tools are capable of enabling you on the day; don't blindly trust marketing.
The Most Important One
- Practice - Practice, practice, practice, and practice some more. You’re looking to iron out any inefficiencies between your people, their processes, and the tools they’re using. Use these sessions to iterate quickly, perform post-incident reviews, and mature.
The Game Changers You Should Have
- Broad Relationships - Don’t let the first time you’re speaking to a department exec be at 2 am during a breach. Relationships do make the world go round, and a warm, trusted relationship is an incredible asset to have by your side during an incident. Develop a stakeholder matrix and think about how your Cyber department is managing them.
- Additional Support - Ensure you have the right backup for all occasions. Consider:
  - Insurance: Not in terms of risk transference, but support for the incident handling process itself. Often, you can include additional services where the insurer becomes liable for providing support against an SLA.
  - Legal: Internal or external legal assistance could be required for understanding your liability and legal obligations, or for communicating and reporting, depending on the scale of the incident or industry regulations.
  - Press Office: Think about how you’re going to communicate with your external stakeholders. It’s better to have several templates drafted and agreed upon, just in case.
  - Service Retainers: You might need more people, the ability to rotate people, or uncommon skills for the incident. A retainer can give you those at short notice within the agreed SLA. No one should need a full-time ransomware negotiator, but you can hire an experienced one by the hour.
- Industry Forums and Governing Bodies - Depending on your industry, there could be a wider network of individuals you can seek assistance from.
I hope the above helps, and good luck with “incident day.”
The final thing I would add is to practice some more, and then do it again.