New cyberattacks are discovered every single day. Organizations should not be asking whether they will be attacked, but rather when they will be attacked and what proactive measures must be taken to ensure the company will survive.
In the last two large-scale attacks we saw this year – SolarWinds and Log4j – attackers identified pervasive vulnerabilities and used them to attack organizations around the world. When ransomware first made headlines, it was thought that schools and hospitals would be spared from the for-profit attacks or that small businesses would not be likely targets. Today, advanced technology helps threat actors take advantage of more varied organizations, and there are so many hungry attackers that the “etiquette” of early cyber attacks has been lost.
All organizations must have a formal Incident Response (IR) plan to guide remediation and recovery following a breach. At the core of that plan should be a designated and informed Incident Response Team.
Recruit A Cyber Security Incident Response Team
Ideally, your team is made up of knowledgeable, reliable members, but incident response isn’t a natural instinct. Once your team is chosen, they’ll need to learn the incident response plan, rehearse it as a group, and take accountability for their role. As thorough and detailed as your plan may be, successful execution depends on the preparedness of your incident response team.
As much as you’d like to be able to hire an outside firm to take the wheel during a breach, proper cyber security incident response requires team members to be intimately familiar with the company’s most important operations and requirements.
What is an incident response team?
Incident response teams often include an IT manager or a representative from the company’s managed service provider (MSP). Primarily, security analysts execute technical work, incident handlers guide response efforts, and department heads pass along information. Larger companies commonly include their internal security team or legal counsel. Organizations that outsource these resources may want to contact their providers in advance so that an expert can be present.
Qualities of good incident response team members include knowledge of the area for which they are responsible. For example, it is much more effective to include the IT manager than an IT intern because they will likely better understand the department’s needs and operations. Secondly, these team members should have enough exposure to Incident Response scenarios to be cool under pressure. Conducting quarterly or bi-annual incident response exercises can help familiarize your team with the decisions they’ll need to make in the event of a real incident. Building an excellent incident response team requires training, development, and preparation.
Why do you need a cyber security incident response team?
It is important to predetermine and assign roles corresponding to your incident response plan. If recovery tasks are vague or unassigned, they’ll be left incomplete, or they’ll take up more resources than necessary. A mature incident response plan outlines which resource completes which tasks and includes some type of reporting or communication bridge to track the response efforts in real-time.
Prune the team to include only the most effective individuals. IR planning meetings will have better attendance and a more significant impact on team members when the group is small. Being highly selective also allows you to choose members who are experienced and reliable enough for the responsibility. Creating and rehearsing the plan as a group gives more certainty that the team will follow the documented processes. Furthermore, every team member then has a knowledgeable group of peers to consult if they ever need support in their cyber security incident response roles and responsibilities.
Build confidence in your incident response team by learning which threats are out there and practicing responses to various hypothetical scenarios in a closed environment. Maintaining an informed cybersecurity team helps combat nerves and confusion in the likely event of an incident.
Schedule & Participate In A Cyber Security Incident Response Tabletop Exercise
A formal incident response plan must be tested before it’s put into action. The best way to test the efficacy of an incident response plan is to conduct an incident response tabletop exercise, which brings the entire team together to work through every step of a realistic, hypothetical incident. The exercise is led by a security expert who guides the team through the initial incident discovery, escalation criteria, and eventually closure, making sure not to skip over any considerations, such as press releases, mandatory reporting, legal involvement, and so on.
ProCircular’s Governance, Risk, and Compliance (GRC) consultants have the knowledge and experience necessary to assess your team’s cyber security incident response preparedness through an entire incident scenario. The exercise is not designed to test the capabilities of any person but rather to determine the efficacy of the organization’s real incident response plan.
What is an incident response tabletop exercise?
During a tabletop exercise, every individual included in the incident response plan is brought into a room to enact the plan against a hypothetical threat. They’ll start by receiving a helpdesk ticket from an end user who has noticed suspicious activity on their machine. From there, they’ll declare an incident, loop in the necessary team members, keep the C-suite and stakeholders abreast of the situation, and complete the steps needed to remediate the incident and resume normal business operations.
Our incident response planning and tabletop package helps prepare your staff with hypothetical scenarios including, but not limited to, ransomware cases, end-user account takeover, and distributed denial of service (DDoS) attacks that would hinder or stop business from being conducted.
Why do you need to do an incident response tabletop exercise?
The incident response tabletop exercise does more than reveal the most effective parts of an incident response plan. It also reveals the greatest weaknesses. A weakness could be a gap in the plan, like neglecting to notify affected clients or stakeholders. Alternatively, a weakness could be an assumption, like the overly cautious expectation that the company will reimage any machine that is acting strangely. That may be a secure plan, but it’s not realistic in practice. An experienced cyber security incident response consultant will be able to identify these gaps quickly and help seal them to fortify an existing incident response plan.
Once the plan is formalized and a capable team has been established, conduct regular incident response tabletop exercises to help team members develop “muscle memory” and reduce the stress of the recovery process. It is important for all team members to understand how their role fits into the greater incident response process.
Formalize Your Cyber Security Incident Response Plan
Your processes are only as good as the people who follow them. Regularly workshopping and rehearsing an incident response plan keeps it fresh in the minds of the resources that will be involved. Teams often have the instinct to exclude C-suite members or external legal counsel from rehearsals and only include them if it’s the real deal. However, their roles are just as important as anyone else’s, and they need to become familiar with their role and how it fits within the greater incident response plan.
What is a cyber security incident response plan?
A cyber security incident response (IR) plan is the documented process for identifying, escalating, and remediating a cyber incident. Incident response plans outline processes, roles, and responsibilities for everyone involved in the recovery process.
These plans should be documented, tested, and pruned to include only the most critical recovery requirements. The goal is to create processes that can be easily, consistently, and fully executed by a proactively assigned and trained individual. When facing the stress of a real incident, any extra or unnecessary information gets in the way and creates the opportunity for parts of the process to be disregarded or ignored.
With that in mind, any incident response plan requires awareness and buy-in from all of the resources involved. Developing a plan, creating a team, and exercising recovery skills are not post-breach activities. Primary recovery steps need to be ingrained to the extent that assigned resources can execute them efficiently. If they cannot, the plan will not serve the organization in the event of an incident.
What should you include in a cyber security incident response plan?
An incident response plan should include the following:
- Who’s responsible for what
- Chain of communication
- When to involve a particular team member or department
- Criteria for what is considered an incident
- Internal, stakeholder, and external communication strategy and timing
Other considerations may be specific to an industry or organization. If a hospital loses confidentiality of personal health information (PHI), it must report the breach as required by HIPAA, the regulation governing privacy in healthcare. If a manufacturing company loses the availability of its client information, it may have to communicate the issue and temporary instructions to its factory staff.
Without a documented, rehearsed, and expertly reviewed incident response plan, it is practically impossible to cover all the considerations that need to be made during a real cyber security incident response scenario.
Need Help Developing Your Cyber Security Incident Response Plan? Contact ProCircular!
ProCircular’s experienced incident response consultants are ready to help you develop a comprehensive, tailored incident response plan. A cybersecurity expert is helpful during plan design and practice, but they can also be influential in creating awareness and buy-in by reducing the headache and confusion of creating an incident response plan from scratch.