The term incident response means a lot of things to a lot of people. Historically, words like "unpleasant" or "chaotic" come to mind when thinking about the last time many organizations responded to the suspicion of a compromise by external attackers. Today, for most organizations incident response is a part of their security program but is still primarily a reactive premise centered on a plan or policy document that describes how they should handle such an event.
How do you ensure your incident response plan is optimized to handle the demands of an escalating threat landscape? Is a plan enough?
I recently spent some time talking with the Incident Response experts on my team, our partners, and about 80 customers in CISO roundtable events over the past few months. A clear answer surfaced.
An incident response plan is a key building block to success in cyber defense but you can't stop there. We must focus on turning our incident response plans into an Incident Response PROGRAM.
But what makes an Incident Response (IR) Program? How do you turn your plan into a program? Consider these recommendations:
Dedicate Project Management Resources. An IR PM is responsible for coordinating all areas of the Incident Response process:
The triage of incoming requests for assistance from the NOC, the Helpdesk, SIEM/MSSP alerts, SecOps, etc.
Coordinating resources and planning
Managing 3rd party vendor engagement and contracting when needed
Driving completion of milestones outlined in your IR process
Managing each incident within a Case Management tool
Sending out status updates and Communications to internal stakeholders
Documenting lessons learned and driving and tracking their implementation
Updating IR plans and policies based on lessons learned from prior incidents
Escalating changes to project scope or plan to the appropriate IT resource owners and business owners
Proactively disseminating project information to all stakeholders
Implement Case Management. A frightening 80% of CISO Roundtable participants responded they were not using any sort of case management tool. Case Management tools are a critical component of any IR program in order to manage workflows and customize IR processes, coordinate resources, prioritize activities, document and track incidents and activities, retain evidence for litigation purposes, and evaluate the success of an IR plan. Case Management can:
Enable an organization to manage workflows
Customize IR process to specific scenarios
Document status and maintain a timeline of events
Correlate across incidents, over time, to identify persistence campaigns
Track evidence for litigation needs
Evaluate performance of the IR plan over time
Generate reports for auditors, law enforcement, and management
Conduct and Maintain an Investigation Skills Inventory. The heat of an incident is not the time you want to realize that you don't have the skills you need. Will IR investigations in your environment require SCADA expertise? Mobile platforms? Embedded systems? IoT devices? It is highly recommended that you maintain an up-to-date skills assessment of your internal investigation team and place 3rd party vendors on retainer to cover the gaps.
Purchase a Retainer. Consider putting a 3rd party vendor on retainer. This not only helps to back up your own teams in the case of a surge of activity, but in the case of a data breach can also provide expertise that is difficult to maintain internally, such as crisis communication and legal support.
Create and Maintain Incident Playbooks. A playbook is a document with specific guidelines for given scenarios. A playbook defines specific steps to follow unique to DDoS, APT, malware outbreaks, web server compromise, and so on.
Understand Business Context of Systems and Applications. As part of an investigation, it may be required to take systems and applications offline for analysis. When investigating a system for potential compromise, it is critical to consider the business impact and to know what confidential data is stored on, or passes through, the system. Leverage Data Loss Prevention solutions to map out the important data flows in your organization.
Cross-Organizational Buy-in. Success in IR often requires cross-functional buy-in from both IT owners of an array of systems and the business owner of the data in those systems. Don't wait until an incident to engage key stakeholders and obtain their buy-in on how your IR plan would be implemented.
Practice, practice, practice! Just like Disaster Recovery plans, IR plans need to be tested. This can be as simple as regular tabletop exercises or as thorough as the use of "cyber range" solutions that simulate attack scenarios.
Create and Maintain an Incident Response Plan. Though we are discussing the need to evolve your plan into a program, this doesn't mean downplaying the need for a plan. Plans define and document things like internal stakeholders and the vendor and support contact lists required to ensure the success of the program.
A plan is a key enabler, but it's ultimately a statement of intent. Success comes only from consistent execution of the plan in a way that's orchestrated, measurable, repeatable, and optimized. Focus on turning your plan into a program. Though I have worked with some customers who have many of these recommendations implemented, I haven't come across an organization yet with all of them. Most have very few of these in place.
Which one are you?