Taking a proactive approach
Many people associate the term "incident response" with the response, recovery and mitigation effort that follows a major security breach. However, incident response is not only a reactive activity. Industry frameworks and best practice say so, and evolving adversaries and regulations increasingly demand it: proactive activities need to be part of your incident response program as well.
Incident Response Lifecycle
There are four key phases of incident response, following the lifecycle defined in NIST SP 800-61:
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-Incident Activity
Being Proactive Across the IR Lifecycle
Knowing that an incident is a likely scenario, you need the capabilities and processes to detect and respond to security incidents, so that you can be resilient to an attack and reduce the chance of the next one. Incident Response Preparedness (or Proactive Incident Response) services provide expert help in the Preparation phase, for example developing and maintaining a cybersecurity incident response plan (CIRP). They can also help mature your IR program, build new capabilities or develop existing ones, align to industry best practice and regulatory requirements, and support preparation across the whole lifecycle through:
- Preparation & Planning
- Exercises & Assessments
- Regular Reviews & Iteration
In the Learning from Incident Response: April – June 2022 report from the Secureworks® Counter Threat Unit™ research team, you will find insights into the nature of the threats our customers face, including a look back at recent IR engagements and the trends they revealed, plus observations on the threat landscape and the impact it can have on your organization.
The cyber threat landscape continues to evolve, and organizations cannot afford to rely on a purely reactive approach. By proactively developing and testing an incident response plan, an organization ensures that it can respond effectively and thoroughly to cybersecurity incidents and minimize damage, downtime and losses.
Preparation: The Role of Education and Training
Technical Workshops
Well-meaning but inappropriate actions after an incident (rebooting or re-imaging affected hosts, deleting suspicious files, logging in interactively to "check" a machine) can destroy valuable evidence about how the attacker accessed the network and the extent of the malicious activity. Hands-on, lab-based workshops allow students to practice fundamental skills such as evidence preservation and triage, and help ensure an efficient and effective response and a clean hand-off to third-party emergency responders.
Understanding the Threats
Understanding the threat to your organization and the risk you face is important when designing security programs and processes. Educational briefings from threat intelligence researchers and analysts can provide relevant, targeted analysis that identifies areas of exposure and opportunity. They also support a threat-driven approach to developing your cybersecurity incident response plan and to choosing the scenario-based exercises best suited to your organization.
Tabletop Exercises
Simply planning for the inevitability of a cybersecurity incident does not ensure preparedness. Performing tabletop exercises is a low-impact mechanism to ensure team readiness and spot problems before they arise during real incidents. Tabletops can be technical or non-technical, typically serving to identify pitfalls and raise awareness across your organization and key stakeholders. Equally, for less mature organizations, a tabletop exercise can be used to help design a plan by bringing key considerations to the fore.
Non-Technical Workshops
While some workshops focus on technical education, it can also be worthwhile having expert-led, facilitated dialogues on non-technical topics. These may include some form of interviews. Non-technical workshops are designed to raise awareness, understand stakeholder concern or enable business buy-in. For instance, interactive workshops with key stakeholders of an IR plan can provide an alternative approach to a scenario-based exercise (tabletop).
Third-party adversarial security testing services can deliver the independent expertise, experience and perspective you need to expose gaps, enhance your security posture and improve incident readiness. With so many different tests available to assess threats to your environment, how do you choose the one that is right for you and your objectives?
Incident Response Lessons Learned Template
Capturing lessons learned post-incident enables technical and non-technical improvements that strengthen overall security posture and help reduce the risk of a repeat occurrence. Incident response experts provide their insights on the key steps to planning an effective lessons-learned workshop.
Exercises & Assessments: Which to Choose?
Rehearse, Validate & Raise Awareness of the CIRP
What: Tabletop Exercise
Conversational, facilitated walk-through of a plausible incident scenario. Designed to validate roles, responsibilities, coordination and decision-making. IR experts act as facilitators: they design and conduct the simulated scenario and evaluate your team's performance against the plan.
Who: All levels of IR maturity, technical and non-technical participants
When: Annual review of an incident response plan (increasingly a contractual or regulatory obligation), exercising a newly developed or revised IR plan, an educational exercise focused on non-technical roles (e.g. Legal, Human Resources, Executives), or a targeted exercise of specific technical aspects of the plan.
Tip: When starting to plan a tabletop exercise, decide on your goals and the stakeholders to include before writing the scenario. These simple planning steps are often skipped, yet they lay the foundation for a successful tabletop.
Stress-Test the Effectiveness of Response Capability
What: Functional Test
Simulated, hands-on exercise, typically involving artefacts. Designed to exercise roles and responsibilities of specific team members and procedures in one or more functional aspects of a plan. Allows personnel to validate their operational readiness for incidents by performing their duties in a real-life simulated manner.
Who: Intermediate to mature in-house IR capabilities.
Consider when: You have just completed hands-on training and want to follow up by testing your team's ability to perform key incident response tasks.
Tip: Consider providers with real-world IR experience who can use threat intelligence to advise on the most relevant threat scenario for your organization.
Identify Unknown Current or Past Compromise Activity
What: Threat Hunting
A comprehensive and intensive investigation of your environment to identify indications of hidden adversaries. Security experts collect endpoint, network and log data from your environment and analyze it with hunting tools and threat intelligence to surface activity that existing controls have not alerted on.
Who: Mature Organizations
Consider when: Merger & Acquisition, new CISO, validation of detection efficacy, changes to IT infrastructure
Tip: Consider providers with proprietary hunting technology and threat intelligence, so you benefit from their expertise and visibility in identifying existing compromises and entrenched threat actors operating in your network.
Measure your Response Capability
What: Purple Team or Full-Spectrum Exercises
Real-time simulated exercises mimicking adversary tactics, techniques and procedures. An offensive team (Red Team) exercises your defensive team (Blue Team) with custom, simulated threat scenarios to test detection and response capabilities. In a purple team format the two teams work together, sharing what was attempted and what was detected, so that detection gaps are identified and closed as the exercise progresses.
Who: Organizations with Mature In-house Incident Response Capabilities
Consider when: Goal is to determine efficacy of controls across people, process and technology.
Tip: Look for providers with both IR expertise and deep technical testing expertise focused on simulating real-world adversaries. They should challenge your blue team with what matters most to your organization and use the latest threat intelligence to drive realistic scenarios.
To identify weaknesses and opportunities in existing plans and processes beyond exercising your plan, consider other means to guide improvement:
CIRP & Documentation Reviews. Incident response consultants can review your CIRP against industry best practice (e.g. NIST SP 800-61, ISO/IEC 27035) and draw on IR experience to recommend improvements to existing documentation. CIRP content goes stale as contacts, systems and suppliers change, so plans need regular review and maintenance.
Comprehensive Program Assessments. More comprehensive reviews that go beyond merely reviewing documentation. They can combine stakeholder interviews, workshops, technical and non-technical exercises and hunting. The result is a holistic examination of different facets across your organization in order to understand strengths and opportunities for improvement.
Lessons-Learned Analysis. Capturing lessons from an actual incident also improves preparation and planning. The output of a lessons-learned review should feed directly back into the Preparation phase, as updates to the CIRP, detection content, playbooks or training.