
7 Incident Response Lessons

Today there is an exponential rise in the number of attacks on US government and commercial enterprise networks. These events have executives more proactive than in previous years when it comes to their opinions on cybersecurity countermeasures. Firewalls, antivirus, IPS and IDS are expected to assist with defending against threats, but with the advancement of malware and other APTs, these tools alone simply will not prevent a likely intrusion. It is not if, it’s when. When your network is compromised, what can your security team do to succeed in mitigating threats on your networks, and do so quickly?

When it comes to big businesses and the government, security teams need to better grasp what to do and what not to do when they are compromised. Here are the 7 most common mistakes when it comes to incident response (IR), and the lessons to learn from them.

1. Not on the lookout

You cannot protect yourself from what you cannot see. Having an incident response plan that most team members have never seen or heard of is useless. For most enterprises, IR consists of identifying the machine that had the “problem” and then taking it offline or off the network. This requires visibility, because you do not know whether the infected machine is also compromising other machines on the network. In order to be effective, the data from these advanced persistent threats should be collected, analyzed and archived for a thorough review with law enforcement and for threat indicator sharing. You do not want people looking for the data “needle” in the network “haystack” when they recall a similar incident happening in the past.
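One concrete way to keep past incident data searchable is to archive each incident's indicators in a structured record and index them, so that new events can be checked against every prior incident in one lookup. The following is an added example, not code from the original post or from any SOAR vendor; the incident records, the event lines and the field-to-indicator mapping are all constructed for illustration.

```python
"""Index indicators from archived incidents and check new events against them."""
import re
from collections import defaultdict

# Constructed sample of archived incident records (hypothetical, not real data).
# Each record keeps the indicators observed so a later responder can query them
# instead of rebuilding the "haystack" search from memory.
ARCHIVED_INCIDENTS = [
    {
        "id": "INC-2014-007",
        "summary": "Phishing lure dropped a downloader on one workstation",
        "indicators": {
            "ip": ["203.0.113.45"],
            "domain": ["updates.example.net"],
            "sha256": ["a" * 64],
        },
    },
    {
        "id": "INC-2015-002",
        "summary": "Lateral movement via reused local admin credentials",
        "indicators": {
            "ip": ["198.51.100.7", "203.0.113.45"],
            "domain": [],
            "sha256": ["b" * 64],
        },
    },
]

# Constructed sample of new proxy/endpoint events in key=value form.
NEW_EVENTS = [
    "ts=2016-02-01T10:00:00Z host=ws-17 dst_ip=192.0.2.10 domain=intranet.example.com",
    "ts=2016-02-01T10:01:05Z host=ws-23 dst_ip=203.0.113.45 domain=updates.example.net",
    "ts=2016-02-01T10:02:30Z host=ws-04 sha256=" + "b" * 64,
]

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which event fields carry which indicator type (assumed schema for the sample).
FIELD_TYPES = {"dst_ip": "ip", "src_ip": "ip", "domain": "domain", "sha256": "sha256"}


def build_indicator_index(incidents):
    """Map (indicator_type, value) -> set of incident ids that recorded it."""
    index = defaultdict(set)
    for inc in incidents:
        for itype, values in inc["indicators"].items():
            for value in values:
                index[(itype, value.lower())].add(inc["id"])
    return index


def match_event(index, event_line):
    """Return [(field, value, sorted incident ids)] for every indicator hit in one event."""
    hits = []
    for field, value in KV_RE.findall(event_line):
        itype = FIELD_TYPES.get(field)
        if itype is None:
            continue
        key = (itype, value.lower())
        if key in index:
            hits.append((field, value, sorted(index[key])))
    return hits


def triage(incidents, events):
    """Return {event_line: hits} for events that match at least one archived indicator."""
    index = build_indicator_index(incidents)
    matched = {}
    for line in events:
        hits = match_event(index, line)
        if hits:
            matched[line] = hits
    return matched


if __name__ == "__main__":
    for line, hits in triage(ARCHIVED_INCIDENTS, NEW_EVENTS).items():
        print(line)
        for field, value, incident_ids in hits:
            print(f"  {field}={value} seen in {', '.join(incident_ids)}")
```

The index is keyed on indicator type as well as value, so an IP address and a domain that happen to share a string never collide, and every hit carries the list of prior incident ids so the responder can pull the archived record rather than reconstruct it from memory.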

2. Not having the mojo

An expert in security is not necessarily an expert in cyber incident response. Cybersecurity is so broad and deep that a team can be left helpless if it is not staffed with the right skill sets. Corporations need skilled responders who know their network environment, so they can assist in reviewing the associated risks, but who also keep an open mind to suggestions. To have “mojo” you need not only technical responders but also key players in departments such as Legal, IT, HR and Public Relations. These players will be there to help with their respective parts of your incident response plan. Bringing these departments to the forefront will avoid the scrambling around, stress and chaos when there is a breach.

3. Not having a budget

In certain situations, you have to cut corners with some department budgets more than others. In some security-related departments, leadership at times does not use its budget effectively. Incident responders need to translate technical needs into business relevance when addressing management for approvals. This approach keeps stakeholders in the loop on what efforts are being taken to fix the security gaps. Do not forget: if management has no idea what is going on with the IR team, there is little hope of them increasing your budget. Communication is the key to all effective action.

4. Running with your head cut off

It somewhat goes without saying that, besides the budget for tools, you absolutely need a comprehensive plan to respond to cybersecurity threats. Businesses need a well-written, visual IR playbook with clearly defined roles and approved procedures for responding to each type of incident. We all know that questions will come when certain events take place, and it is best to have pre-set and well-prepared answers.

5. You are just following everyone’s lead

There is no instruction manual that everyone uses when it comes to incident response plans or the playbooks that you use. Ideally, your IR plan should strike a comfortable balance between having policies in place and making the right decisions during a crisis. Don’t let bad leadership skills lead great team players. A well-prepared plan and team covers who owns what section of the plan and obtains familiarity with the leadership style of the organization. Do not let too many layers of approval hinder the efficiency of skilled responders.

6. Not the right threat model

Along those same lines, the digital assets on which you focus the most time and effort should be the assets most valuable to your organization. Unfortunately, no Computer Security Incident Response Team (CSIRT) can protect everything from everything all of the time. It is critical to know where your organization’s risk really lies and who and what is manning the tower. Know which assets would have the biggest impact on the success (or failure) of your organization if compromised.

7. Not knowing your devices and what they can do

There are multiple tools out there that can significantly improve your incident response process, plans and procedures. With today’s complex network infrastructures, devices need to be tuned and configured according to your organization’s size and needs. More often than not, these same tools need to be upgraded, traded, canceled or replaced as needs and requirements change in this evolving space. Neglecting to retune a security tool can also lead to alert overload, which makes the job of an incident responder painful and a complete hassle. When you purchase new security tools, be sure you take the time to learn how they work and how to make them work for you and your use cases.
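Retuning is easier to reason about when the tuning rules are explicit data rather than settings scattered across consoles. The example below is added here and is not from the original post or any particular product; it applies two common retuning steps to a constructed stream of IDS alerts: suppressing a source that is an authorized vulnerability scanner, and collapsing repeated firings of the same rule against the same host within a time window into one grouped alert with a count. The alert tuples, rule ids and tuning values are all constructed for illustration.

```python
"""Reduce alert overload: suppress known-benign sources and group repeated firings."""
from datetime import datetime, timedelta

# Constructed sample alert stream: (timestamp, rule id, affected host, source ip).
RAW_ALERTS = [
    ("2016-03-01T09:00:00", "IDS-1001", "ws-17", "10.0.0.5"),
    ("2016-03-01T09:00:10", "IDS-1001", "ws-17", "10.0.0.5"),
    ("2016-03-01T09:00:20", "IDS-1001", "ws-17", "10.0.0.5"),
    ("2016-03-01T09:00:30", "IDS-1001", "ws-17", "10.0.0.5"),
    ("2016-03-01T09:00:40", "IDS-1001", "ws-17", "10.0.0.5"),
    ("2016-03-01T09:05:00", "IDS-2002", "ws-04", "10.0.0.9"),   # authorized scanner
    ("2016-03-01T09:05:30", "IDS-2002", "ws-04", "10.0.0.9"),   # authorized scanner
    ("2016-03-01T09:10:00", "IDS-3003", "srv-db", "203.0.113.45"),
    ("2016-03-01T09:20:00", "IDS-1001", "ws-17", "10.0.0.5"),   # outside the first window
]

# Constructed tuning profile: a small, reviewable set of decisions the team owns.
TUNING = {
    "suppress_sources": {"10.0.0.9"},  # assumed: the organization's vulnerability scanner
    "window_minutes": 10,              # repeated firings within this window are one alert
}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def tune_alerts(alerts, tuning):
    """Return grouped alerts as dicts with rule, host, src, count, first and last times.

    Alerts from suppressed sources are dropped. Otherwise an alert joins the open
    group for the same (rule, host, src) if it falls within the window measured
    from that group's first alert; else it starts a new group.
    """
    window = timedelta(minutes=tuning["window_minutes"])
    open_groups = {}  # (rule, host, src) -> most recent group for that key
    tuned = []
    for ts_str, rule, host, src in sorted(alerts):  # ISO timestamps sort lexically
        if src in tuning["suppress_sources"]:
            continue
        ts = parse_ts(ts_str)
        key = (rule, host, src)
        group = open_groups.get(key)
        if group is not None and ts - group["first"] <= window:
            group["count"] += 1
            group["last"] = ts
            continue
        group = {"rule": rule, "host": host, "src": src,
                 "count": 1, "first": ts, "last": ts}
        open_groups[key] = group
        tuned.append(group)
    return tuned


def reduction_ratio(alerts, tuned):
    """Fraction of the raw alert volume that still reaches a responder."""
    return len(tuned) / len(alerts)


if __name__ == "__main__":
    grouped = tune_alerts(RAW_ALERTS, TUNING)
    for g in grouped:
        print(f"{g['rule']} on {g['host']} from {g['src']}: {g['count']} firing(s) "
              f"between {g['first'].time()} and {g['last'].time()}")
    print(f"responder sees {reduction_ratio(RAW_ALERTS, grouped):.0%} of raw alerts")
```

The window is measured from the first alert of a group rather than the most recent one, so a rule that fires continuously still surfaces as a fresh alert every window and cannot be hidden indefinitely by its own noise; that is the difference between tuning and silencing.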

Hopefully, you take the smart route and install a Security Orchestration, Automation and Response (SOAR) product like Cybersponse to help mature your security team and build effective incident response plans. A SOAR will save you time, money, hassle and turnover, and have your IR team appreciate leadership’s decision to purchase one.
For more information about building some basic incident response plans, please go to and keep a lookout for the September Conference.