Organizations make significant investments in cybersecurity tools, platforms and vendors to defend their perimeter. But cyber professionals, C-suite executives and boards also know they need to be prepared, night and day, for the possibility of a successful cyber-attack.
The difference maker in those moments of crisis is timely, rigorous and strategic incident response (IR). On June 22nd, Dr. D. Kall Loper, VP of Digital Forensics and Incident Response at Cyderes, and IR experts from Wiz, Dragos and Kudelski Security joined a Dark Reading Virtual Event to share the how-tos of incident response.
Their collective knowledge highlighted three core elements: preparation, communication and contextualization.
Preparation Is Often Overlooked, But It Shouldn’t Be
Preparation is about more than having a documented incident response plan. “Overly specific incident response plans will get worn out and become shelf-ware,” Loper said.
Rather, incident response plans should be flexible, putting controls in the hands of the experts and having those people build their own checklists and processes. Letting your incident response plan become an “artifact that belongs to the company rather than to the people who use it is one of the biggest mistakes you can make,” Loper warned.
Once established, it’s vital to put that incident response plan to the test through regular tabletop exercises. Ideally, a tabletop exercise should take place at least once a year and be designed to see how a team will react to an actual threat to the organization. Talking to a red team is a great way to identify realistic attack methods, vulnerabilities or risks to drill on.
“If you have something in your plan, drill that crisis,” Vern McCandlish, Principal Security Analyst at Dragos Threat Operations Center, said. By doing so, you’ll discover issues during the drill rather than during an incident. Regularly conducting these drills for specific teams or for specific types of incidents also builds connections across the incident response team that will be critical to lean on.
During an incident, there’s no time to decide who should be doing what — or when or how. “Have uncomfortable conversations before an incident,” McCandlish recommends, “during a calm period where people can think clearly ahead of a crisis.”
With this level of preparation in place, organizations can be much more confident in their ability to act swiftly and effectively when under attack.
Teams Recognize the Need for Better Communication During an Incident
During an incident, an organization is in disarray. Critical systems may be down, data can’t be accessed and everyone is demanding answers. In these moments, communication will make or break how successfully an organization responds to an incident. As Loper terms it, incident response is “the art of crisis management.”
As part of incident response planning and tabletop exercises, put that communication to the test. What does each layer of the organization need to know? Who is sharing that information, and when? Keep the team small — with too many people involved, it’s easy for communication to break down.
Loper noted that one of the biggest takeaways for teams coming out of a tabletop exercise is wanting to focus on improving their communication process: for example, thinking through what the technical team is responsible for, and how and what information gets passed along to executives. Buttoned-up communication leaves less room for hiccups or time gaps that can have serious ripple effects in high-pressure situations.
Contextualization of Threat Intelligence Leads to Swifter Conclusions
Incident response teams have both a boon and a challenge in the volume of data at their fingertips. Organizations can spend millions on threat intelligence labs and feeds, but for the intel to make a difference during an incident, it needs to be placed in context.
“A few years ago, it was ‘the more data the better,’” Mike Heller, Director of MDR Services at Kudelski Security, said. “Now we are really homing in as incident responders and wanting the data to help us move forward. Taking threat intelligence as we know it today and being able to contextualize it for the audience, I think, is key.”
Threat intel, whether from a feed or developed from individual analysis, clues people into the potential start of an incident and points the way to begin understanding what unusual behaviors are taking place that need to be further investigated. Pairing threat intel with context from logs and other artifacts narrows down what behavior and activity to focus on.
Teams need to have the right tools and processes in place to leverage this data and push it out into the right information streams as quickly as possible.
Timely and Strategic Cyber Incident Response
When organizations and their teams are prepared and equipped to react, incident response leads to reduced recovery times, costs and damage. The specifics of incident response may look different for every organization, but the fundamentals stay the same.
For more on incident response and developing an incident response plan that aligns to industry frameworks, take a look at services for Digital Forensics and Incident Response at Cyderes.
Watch a replay of the Dark Reading Anatomy of a Data Breach Event
Watch now to hear from Dr. D. Kall Loper, VP of Digital Forensics and Incident Response at Cyderes, who joined a panel on “Cyber Incident Response Guide: A How-To.”