Lifecycle of “Incident Response” and Building an Effective Plan
The confusion of the term “cyber incident response”
Every year we see the definition of incident response change. It has been an honor for CyberSponse to help create and build the category we have today. It has also been an adventure to see the market embrace the vision, and humbling to learn that having a vision doesn't mean the market is ripe for it. Incident response has been a passion for CyberSponse since its founders watched their fathers build, run and execute life-saving incident response plans. Those plans did not save an "endpoint" or a corporation; they saved a child, a family, a home, or even the survivors of a plane crash (seriously).
Incident response matters because it prepares you for both the known and the unknown. The more often you execute a process, the less panic and confusion will hinder you when a real situation arrives. Building out the www.IncidentResponse.com community has been a highlight, and what is in store for 2017 is exciting: IR17 will be the future of incident response.
Here is a summary of the history of security incident response and the overall mindset of the various teams we have come across over the years. The market has changed a lot over the past five years, and we thought a summary would be useful for our followers.
- 2012 – What is that? Don’t need it.
- 2013 – Oh, that’s when you are compromised or breached, not an issue for us.
- 2014 – Not important right now, we solely focus on prevention (uh oh).
- 2015 – We know what it is, but Threat Intelligence is more important right now.
- 2016 – We’re now putting our focus on Endpoint and Forensics.
- 2017 – What are Playbooks?
Building an incident response plan
Putting an incident response plan together is not a quick or easy task. Every business is different, but our recommendation is to follow these steps:
- First, embrace the idea and create an incident response team, available 24/7, to manage, direct and facilitate any cybersecurity or business continuity incident.
- Train your team. If they don't know what incident response is, there are plenty of resources online. Hold weekly sessions to whiteboard plans and ideas, and to talk about technology and what is changing. Additionally, get your team used to the idea that threats, alerts and incidents cost the company money, and explain why a consistent and effective response is required.
- Get at least one board member, along with your CISO, onto the incident response team. Use the data at your fingertips to explain the exposure, risk and capital losses of a security incident.
- Carry out a thorough analysis and identify the critical assets, key terrain and areas within the business that most need protecting. What sort of information security incident or alert should trigger a team response? Which assets or systems, if down, would cause serious issues for the organization? Which assets contain data that you should monitor more closely? Understanding your landscape is critical to building an effective incident response plan.
- Start with a simple incident response plan for your SOC or IR team that covers the case where a critical asset raises alerts or shows signs of compromise or attack. Run simulations of this simple plan and talk them through. Then tell your team why an effective and consistent response is important and get their feedback. Communication is the key to solving all of these problems.
- Now that you have a simple plan around a key asset and one type of threat, build specific incident response processes for other types of threat events. Define each plan around a different threat event or attack type and take it one step at a time. Set up weekly meetings to build out a plan on a whiteboard, document it, build a visual in Visio, save it, print it, and build out your IR plan book.
- Once your IR plans or ADMIN BOOK are complete, it's time to test some of the plans. Simulations are the best way to do this. Tabletop exercises help the team know what to do when something happens, whom to call, how to call them, and when to involve legal.
- The most important thing to remember is to train, help and work with your team. If you're not getting cooperation from your team, then change your team. Do not let your team think that a reactive, fire-fighting approach is a good way to protect your security posture.
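To make the steps above concrete, here is an added example (not CyberSponse's product code or any playbook from this page) that encodes a simple plan as data: a constructed inventory of critical assets with what makes them critical, one playbook per threat type with a generic fallback, a triage rule for when an alert escalates to the IR team, and a tabletop runner that walks constructed alerts through that rule. All asset names, threat types, step text and notification targets are assumptions for illustration.

```python
# Added example, not from the original page: a small playbook-as-code runner
# for tabletop simulation. Asset names, threat types and steps are constructed.
from dataclasses import dataclass

# Critical-asset inventory (the "identify critical assets" step). Constructed sample data:
# which team owns the asset and whether it holds regulated data (drives legal involvement).
CRITICAL_ASSETS = {
    "db-prod-01": {"owner": "platform", "holds_regulated_data": True},
    "ad-dc-01": {"owner": "infra", "holds_regulated_data": False},
}

# One playbook per threat type. "generic" is the fallback so an unknown threat
# type still gets a consistent response instead of an ad hoc one.
PLAYBOOKS = {
    "malware": [
        "isolate host from network",
        "collect memory and disk image",
        "identify initial access vector",
        "rebuild host from known-good image",
    ],
    "credential_compromise": [
        "disable affected account",
        "revoke active sessions and tokens",
        "review authentication logs for lateral movement",
        "reset credentials and re-enable with MFA",
    ],
    "generic": [
        "assign incident lead",
        "preserve logs and evidence",
        "scope affected systems",
    ],
}

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Alert:
    asset: str
    threat_type: str
    severity: str


def triage(alert: Alert) -> dict:
    """Decide whether an alert triggers the IR team and, if so, which steps run
    and who is notified. Returns a plain dict so it can be logged or printed."""
    asset = CRITICAL_ASSETS.get(alert.asset)
    rank = SEVERITY_RANK.get(alert.severity, 0)
    # Trigger rule: any alert on a critical asset, or a high/critical alert
    # anywhere, goes to the IR team. Everything else stays with SOC tier 1.
    escalate = asset is not None or rank >= SEVERITY_RANK["high"]
    if not escalate:
        return {"alert": alert, "team_response": False, "steps": [], "notify": []}
    # Copy the playbook so per-incident additions never mutate the template.
    steps = list(PLAYBOOKS.get(alert.threat_type, PLAYBOOKS["generic"]))
    notify = ["ir-oncall"]
    if asset:
        notify.append(f"asset-owner:{asset['owner']}")
        if asset["holds_regulated_data"]:
            # This is the "when to involve legal" question from the tabletop step.
            notify.append("legal")
            steps.append("start breach-notification assessment with legal")
    if rank >= SEVERITY_RANK["critical"]:
        notify.append("ciso")
    return {"alert": alert, "team_response": True, "steps": steps, "notify": notify}


def run_tabletop(alerts):
    """Walk a list of constructed alerts through triage and return the decisions."""
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    # Constructed tabletop scenario exercising each branch of the trigger rule.
    scenario = [
        Alert("db-prod-01", "malware", "medium"),
        Alert("laptop-042", "malware", "low"),
        Alert("laptop-042", "credential_compromise", "critical"),
        Alert("ad-dc-01", "unknown_threat", "medium"),
    ]
    for result in run_tabletop(scenario):
        a = result["alert"]
        print(f"{a.asset:12} {a.threat_type:22} {a.severity:8} "
              f"team={result['team_response']} notify={result['notify']}")
        for step in result["steps"]:
            print(f"    - {step}")
```

The value of keeping the plan in this shape is that the tabletop exercise becomes repeatable: the same constructed scenario can be re-run after every whiteboard session to check that a change to the asset inventory or a playbook still produces the response the team agreed on.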
We look forward to introducing IR17 to the community and market. It’s going to be a hot year for the entire SOAR community.
The CyberSponse Crew