No one wants to admit that their cyber-defences are fallible. But the truth is that all organisations must prepare for the inevitability of a security breach. Increasingly, it is the efficacy of these planning processes that differentiates mature corporate cybersecurity teams from the rest.
An intelligently devised and well-rehearsed incident response (IR) plan can greatly limit the impact of a breach – to the point where it may not even be necessary to inform the regulator. However, the devil’s in the details. Cool heads and experienced partners are required to get the right results.
Find the right partner
The world is experiencing a major cybersecurity skills shortage. At present, there’s an estimated shortfall of four million professionals, including over 73,000 in the UK. Over a quarter (26%) of organisations globally report having skills gaps in digital forensics and incident response. Therefore, the first port of call for any security leader is to find the right third-party expert to augment in-house skills.
It could be a managed security services provider (MSSP) or a specialist incident response firm. The key is to find a trusted partner with good references and reputation. They should specialise in client verticals and implicitly understand these organisations’ business priorities. Once they’ve been found, lock them in with a contract early on to avoid a last-minute post-breach scramble.
A retainer is a good idea. It should specify a certain number of days the provider commits to, alongside SLAs for response times. At the same time, it may be worth hedging bets by reaching out to two or three other providers and keeping them on the books in case Plan A isn’t possible. Remember, too, that incident response firms also suffer from skills shortages and may not have the resources to spare at the time.
Test, test, test
Far too often, enterprises have well-compiled and documented incident response processes on file, but when an actual incident occurs things fall apart pretty quickly, because the plan has never been properly tested. Effective IR demands that organisations and any involved third parties conduct regular tabletop exercises that cover not only IR but also wider crisis management and disaster recovery/business continuity (DR/BC) plans. Furthermore, at least one Red/Purple team test should be conducted annually, to ensure that even the best-written plans can actually survive first contact with an incident.
The plan itself should be accessible to all and stored offline, so that it remains available during a crypto-ransomware attack. In a similar way, communications channels should be kept open no matter what state the IT infrastructure is in. Consider a secure, encrypted third-party messaging service.
But what should an incident response plan contain? Every organisation is different and will have a different risk appetite and way of doing things. But when writing a plan up, consider at a high level the various scenarios that could befall the company, and then define alternative actions for each. This should help to keep all bases covered. Perhaps just as important is that the plan is reviewed and updated regularly to account for changing requirements and IT infrastructure, and that an up-to-date network plan is kept accessible in case online management tools are not.
Incident response is everyone’s job
The bottom line is that incident response is not only a problem for IT. Whether directly or indirectly, it impacts everyone in the organisation. For that reason, senior leaders from across the enterprise should be involved in the planning and execution of IR processes.
Someone needs to be designated to inform the relevant authorities, customers and business partners. Someone needs to be in charge of crisis comms. Another stakeholder should take care of the legal and regulatory implications. And someone may need to reach out to the threat actors. The IR plan should set out who these individuals are and what their responsibilities are. That means each person can spring into action with no delay or confusion, as soon as a breach occurs.
A worst-case scenario
So what should happen when the proverbial sirens start sounding? Digitally or physically disconnect the network to prevent the spread of any malware. Then call in the IR team to help assess the blast radius of the attack, and to examine, contain and restore. Remember that even the best-laid plans rarely work the same in a real-life IR situation. That’s why professional partners can be critical – they’ve seen it all before and their cool heads can calm the nerves of in-house stakeholders.
Remember also that an incident may last for several days, and therefore require significant resources and staffing – potentially through the night – to get to a position of safety.
Time for forensics
Forensics are critical to establishing exactly what happened, when and how. This is important to help with the immediate containment and remediation process, but also to build cyber-resilience for the longer term to prevent a copycat attack succeeding. Forensics also provide vital information which may be needed to share with regulators and other official authorities.
Event logs alone are not enough, as threat actors can manipulate these files to hide their tracks. Security telemetry, including data from endpoint and network detection and response (EDR/NDR) tools, is particularly important – ideally centralised in a single-pane-of-glass XDR platform. Monitoring must also continue after systems are restored, to ensure the threat actors aren’t still present inside the network.
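One practical reason to centralise telemetry is that a forwarded copy lets you spot records an intruder has pruned from the host. The following added example (not code from the original article) cross-checks a constructed local event log against a constructed collector copy; the record format, hostnames and messages are all made up for illustration.

```python
"""Cross-check a host's local event log against the copy held by a central
collector. Added illustration: the Event format and the sample records below are
constructed for this example and do not come from any real product."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    record_id: int   # monotonically increasing counter per host
    timestamp: str   # ISO-8601, UTC
    message: str


# Constructed sample: the collector received every record the host emitted.
CENTRAL = [
    Event(101, "2024-05-01T10:00:00Z", "user login: svc-backup"),
    Event(102, "2024-05-01T10:02:13Z", "new service installed: updater"),
    Event(103, "2024-05-01T10:02:40Z", "outbound connection to 203.0.113.9:443"),
    Event(104, "2024-05-01T10:05:00Z", "user logout: svc-backup"),
]
# Constructed sample: the host's own log after records 102 and 103 were removed.
LOCAL = [
    Event(101, "2024-05-01T10:00:00Z", "user login: svc-backup"),
    Event(104, "2024-05-01T10:05:00Z", "user logout: svc-backup"),
]


def missing_locally(local, central):
    """Records the collector holds that no longer exist on the host."""
    local_ids = {e.record_id for e in local}
    return [e for e in central if e.record_id not in local_ids]


def sequence_gaps(events):
    """Breaks in the per-host record counter; visible even without a central copy."""
    ids = sorted(e.record_id for e in events)
    return [(a, b) for a, b in zip(ids, ids[1:]) if b - a > 1]


def log_cleared_markers(events, needle="log cleared"):
    """Many platforms write an audit entry when a log is cleared; surface those."""
    return [e for e in events if needle in e.message.lower()]


def audit(local, central):
    """Combine the three checks into one report for the forensic timeline."""
    return {"missing": missing_locally(local, central),
            "gaps": sequence_gaps(local),
            "cleared": log_cleared_markers(local)}


if __name__ == "__main__":
    report = audit(LOCAL, CENTRAL)
    for e in report["missing"]:
        print(f"deleted on host: {e.record_id} {e.timestamp} {e.message}")
    print("sequence gaps:", report["gaps"])
```

The sequence-gap check works on the local log alone, but only the central copy tells you what the deleted records actually said.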
Planning to succeed
It’s not a case of “if” but “when” your enterprise is breached. But with the right planning, it need not be a moment of existential crisis. The goal should be swift action to assess the damage and contain the threat, with every individual knowing exactly what they need to do.
Mounting regulatory compliance requirements and legal pressure from impacted customers and employees make effective incident response planning an essential part of business continuity and operational resilience. Don’t leave it until it’s too late.