Taking a proactive approach
Many people associate the term “incident response” with the response, recovery and mitigation efforts that follow a major security breach. However, incident response is not just a reactive activity. As best practice and industry frameworks indicate, and as evolving adversaries and regulations demand, you need to consider proactive activities as well.
Incident Response Lifecycle
There are 4 key phases of Incident Response:
- Preparation
- Detection & Analysis
- Containment & Eradication
- Post Incident Activity
Being Proactive Across the IR Lifecycle
Knowing that an incident is a likely scenario, you need to ensure that you have the capabilities and processes to detect and respond to security incidents, so that you can be resilient to an attack and prevent further ones in the future. Incident Response Preparedness or Proactive Incident Response services provide you with expert help in the preparation phase (e.g. developing and maintaining a cybersecurity incident response plan), but they can also assist with maturing your IR program, building new or developing existing capabilities, aligning to industry best practice and industry requirements, or providing preparation support across the lifecycle with:
- Preparation & Planning
- Exercises & Assessments
- Regular Reviews & Iteration
Despite an increasing number of breaches and rising risk, 54% of companies still don’t have an incident response plan. Regardless of maturity, developing a Cybersecurity Incident Response Plan (CIRP) tailored to your requirements is the first step towards IR program maturity. To prepare and plan comprehensively, consider the variety of plan and process documentation that exists.
Well-meaning but inappropriate actions after an incident can destroy valuable evidence about how the attacker accessed the network and the extent of malicious activity. Hands-on, lab-based workshops allow students to practice fundamental skill sets and help ensure an efficient and effective response and hand-off to third-party emergency services.
Understanding the Threats
Understanding the threat to your organization and the risk you face is important when designing security programs and processes. Educational briefings by threat intelligence researchers and analysts can provide relevant, targeted analysis that identifies areas of exposure and opportunity. They also help you take a threat-driven approach to developing your cybersecurity incident response plan and to choosing the scenario-based exercises best suited to your organization.
Simply planning for the inevitability of a cybersecurity incident does not ensure preparedness. Performing tabletop exercises is a low-impact mechanism to ensure team readiness and spot problems before they arise during real incidents. Tabletops can be technical or non-technical, typically serving to identify pitfalls and raise awareness across your organization and key stakeholders. Equally, for less mature organizations, a tabletop exercise can be used to help design a plan by bringing key considerations to the fore.
While some workshops focus on technical education, it can also be worthwhile having expert-led, facilitated dialogues on non-technical topics. These may include some form of interviews. Non-technical workshops are designed to raise awareness, understand stakeholder concerns or enable business buy-in. For instance, interactive workshops with the key stakeholders of an IR plan can provide an alternative to a scenario-based exercise (tabletop).
Rehearse, Validate & Raise Awareness of the CIRP
What: Tabletop Exercise
A conversational, facilitated walk-through, designed to validate roles, responsibilities, coordination and decision-making. IR experts act as facilitators: they design and conduct plausible simulated exercises to evaluate your team’s performance.
Who: All levels of IR maturity, technical and non-technical participants
Consider when: Annual inspection of an Incident Response plan (increasingly a contractual or regulatory obligation), exercising a newly developed or reviewed IR plan, an educational exercise focused on non-technical roles (e.g. Legal, Human Resources, Executives), or targeted technical aspects of the plan.
Tip: When starting to plan a tabletop exercise, consider your goals and the stakeholders that will be included. These simple planning steps are often ignored, yet they lay the foundation for a successful tabletop.
Stress-Test the Effectiveness of Response Capability
What: Functional Test
A simulated, hands-on exercise, typically involving artefacts. Designed to exercise the roles and responsibilities of specific team members and the procedures in one or more functional aspects of a plan. It allows personnel to validate their operational readiness for incidents by performing their duties in a realistic, simulated setting.
Who: Intermediate to mature in-house IR capabilities.
Consider when: You have just completed hands-on training and want a follow-up to test your team’s ability to perform key incident response tasks.
Tip: Consider providers who can leverage threat intelligence to advise on the most relevant threat scenarios for your organization, and who bring real-world IR experience.
Identify Unknown Current or Past Compromise Activity
What: Targeted Threat Hunting
A comprehensive and intensive investigation of your environment to identify indications of hidden adversaries. Security experts collect data from your environment and use hunting tools and technologies to analyze it.
Who: Mature Organizations
Consider when: Merger & Acquisition, new CISO, validation of detection efficacy, changes to IT infrastructure
Tip: Consider providers with proprietary hunting technologies and threat intelligence, so you benefit from the expertise and visibility needed to identify the presence of compromises and entrenched threat actors operating in your network.
Measure your Response Capability
What: Purple Team or Full-Spectrum Exercises
Real-time simulated exercises that mimic adversarial tactics. They test detection and response capabilities by having offensive teams (Red Team) exercise defensive teams (Blue Team) with custom, simulated threat scenarios.
Who: Organizations with Mature In-house Incident Response Capabilities
Consider when: The goal is to determine the efficacy of controls across people, process and technology.
Tip: Look for providers who have deep technical IR testing expertise focused on simulating real-world adversaries, so they can challenge your blue teams with what matters most to your organization, and who leverage the very latest threat intelligence to drive realistic scenarios.
Exercising and testing a plan through tabletops enables teams to practice and raises awareness, and it also provides a forum to examine roles and responsibilities, unearth interdependencies, and evaluate plans so that you can iterate and improve.
To help identify weaknesses and opportunities in existing plans and processes beyond exercising your plan, consider other means to guide improvement:
CIRP & Documentation Reviews. Incident response consultants can help review and compare your CIRP against industry best practice (e.g. NIST, ISO), and draw on IR experience and expertise to recommend improvements to existing documentation. CIRP information does expire, so regular reviews and maintenance are needed.
Comprehensive Program Assessments. These are more comprehensive reviews that go beyond merely reviewing documentation. They can combine stakeholder interviews, workshops, technical and non-technical exercises, and hunting. The result is a holistic examination of the different facets of your organization, in order to understand strengths and opportunities for improvement.
Lessons-Learned Analysis. Capturing the lessons that can be learned from an incident also helps improve preparation and planning. These lessons should feed into and inform the Incident Response Preparation and Planning phase.
While lessons learned from exercises and tests provide valuable remedial actions and insights into an organization’s defense and response capabilities, capturing the lessons that can be learned from an actual incident also helps improve preparation and planning. Lessons learned are a critical part of the response and recovery process, allowing you to identify ways across people, process and technology to decrease the likelihood or impact of a recurrence and to iterate existing practices.