Your IR Contact List May Not Be Complete
Top 5 Findings from Secureworks’ Proactive Incident Response Engagements, Part 2
By: Donald Allison
The Secureworks® Incident Response proactive consulting practice develops incident response (IR) plans, performs IR plan gap analyses, and facilitates tabletop exercises featuring various security risks for the more than 4,000 customers in our base. Over time, we have analyzed the findings from each engagement, and multiple patterns have emerged that show consistent challenges to our customers’ security posture and response capabilities.
This 5-part blog series details the top 5 challenges we see when we’re called in to do a proactive incident response engagement. As these are systemic, widespread issues, we want to raise awareness and share our guidance to help your organization get ahead of them.
The first blog in this series looked at what should be considered the basic foundation of any security practice: the definition of “incident.”
This second blog in the series discusses another relatively simple item: the contact list.
It’s straightforward. During any incident, knowing who to call is important. And yet, the data from our look at “normal” shows that this is an area that is surprisingly neglected.
Most organizations have a contact list in their incident planning or at least in their business continuity/disaster recovery plans. Both large and small customers inform us regularly that “we know who to call.” Many of those contact lists are relatively complete, with the operative word being “relatively.”
Contact lists need to include every member of the core incident response team, senior executives, business division leaders, legal, HR, sales, marketing, personnel to help coordinate at remote locations, contractor support, Internet Service Providers, local law enforcement, regional law enforcement, national law enforcement, regulatory contacts, compliance contacts, everyone in your data supply chain, and everyone else you may be able to identify based on your organization’s requirements. Oh, and by the way, make sure you have their backups to contact as well in case they are not available. You also want to update that list with any changes that occur.
At face value, maintaining a contact list may appear to be a simple exercise. But we’ve seen first-hand that it’s not quite as easy as most would like. All it takes is one incident response tabletop exercise for customers to experience an “ah ha” moment and re-prioritize their contact list. But for those who don’t practice their IR plan, the “ah ha” may come too late.