Who You Gonna Call? For Incident Response

Gary Perkins, Chief Information Security Officer 

Preventing and detecting incidents is a solid starting point, but a few additional items can significantly improve your response posture when an inevitable incident occurs: an incident response team, an incident response plan, runbooks, and drills.  

As always, know your assets and be aware of everything you could lose — this should drive how much effort you put into thwarting incidents. Keep in mind there’s more than financial loss in jeopardy and remember other qualitative factors as well as the quantitative impacts of a cyber attack. Brand and reputational damage can be the most difficult to recover from and even the most comprehensive insurance policy cannot cover everything that’s at risk. 

Many organizations are struggling to implement basic security controls, which makes it even more important to have an incident response plan in place. With the barrage of inbound attacks in today’s digital environment, it’s often necessary to respond to an incident before organizations have finished implementing the other security items they have planned. 

1. Incident Response Team 

Make sure you know who you will call for actual or suspected incidents. Don’t dwell on trying to determine if it’s real or not, as this can cost precious time in a situation where minutes matter. It’s important to know that all incident response teams won’t look the same; they might be full-time, virtual, or on-retainer. Some companies have a team of individuals whose full-time job is incident response. However, most organizations won’t have the luxury of a dedicated, internal team. Instead, they may choose to borrow resources from different teams within their organization to form a virtual team, or some companies find that outsourcing this task with an IR team on retainer is their best option. 

If your organization chooses to have a virtual team, do each of the individuals know they are part of this team? Are they keeping their skills and knowledge current? Do they know the role they are expected to perform? 

2. Incident Response Plan 

Having a plan is great, but make sure you take it a few steps further. Each member of the Incident Response Team should be familiar with your plan. If, during an incident, your team is opening a 180-page incident response plan and reading it for the first time, you are in trouble. Much of the value in an incident response plan comes from the thought and planning that goes into building it, as well as having key reference points in the document. Your incident response plan will guide the overall approach to handling the incident successfully. 

3. Runbooks 

Runbooks are more tactical, technical documents with step-by-step instructions on how to handle common types of incidents. Resist the urge to make these longer than necessary and keep them succinct. Runbooks should be readily available to those who need them and easily consumable in a short amount of time. This helps ensure consistency across team members and a mutual understanding of what steps will be taken. Parts or all of the runbooks may be automated but there should still be a collective understanding of who is responsible for performing each task and when. While it may be true that you can’t develop runbooks for every possible scenario, most security incidents will fall into a finite number of categories. 

4. Drills 

Organizations should prioritize conducting drills at least annually or more often. These ensure team members know what will be expected of them and provide a safe environment to identify opportunities for improvement while not ‘under fire.’  These can range from an hour-long tabletop drill to a multi-day event involving a variety of organizations. If you come away with any action items to improve then it was worth the time spent. 

Take this moment to ask yourself. When was the last time your organization had a drill? Did it take place when scheduled, or was it deferred due to other important things going on at the time? Did you learn anything from it? Did you follow through and make adjustments, so your organization is better prepared next time? Do you know who to call in the event of a security incident? Is it widely known throughout your organization who should be called during an incident? 

Whether you have experienced internal members or not, it’s advisable to also have an Incident Response (IR) Retainer with a third-party organization to assist if necessary. The level of your retainer fees may affect your response times and rates, so it’s important to discuss and finalize the contract terms with the third-party provider well in advance. Don’t wait for an emergency to sort through the details. 

At CISO Global we’d be happy to work with you to ensure you are prepared when the inevitable happens; ensuring you have a team in place, a plan with runbooks, and conducting drills to help improve your security posture. We are also happy to arrange an IR Retainer with your organization so that our experienced Incident Responders are ready to assist you when you call. 

____________________________________________________________________________