When things go BOOM and you’re sitting in the middle of a cyber attack as calm and cool as a cucumber, it’s because YOU have a Cyber Incident Response Plan. You know what to do, where to be... and as soon as you can get everyone’s attention, you’ll start to bring order to chaos.
HUGE thanks to the fantastic panel and to SideChannel that partnered with us to deliver this new back-to-the-basics series! Incident Response was the topic of last week's webinar in the Back to the Basics series.
You can watch the entire 1-hour webinar above or read the short write-up below if you don’t have time to watch the whole recording.
Let’s start with the timeline - Before the Incident, During the Incident, and After the Incident.
Before the Incident
Don't put your head in the sand. Bad things can and will happen. That is out of your control, but how you respond is something you can control. When you build your incident response plan, don't get specific; instead, generalize for what is going to happen and build muscle memory.
Start with Definitions - People need to understand the language of incident response. Is the difference between an Event and a Crisis clear to everyone? What about Incident, Breach, Ticket, or Case?
Next, you need to define when you are going to activate your plan, and who is going to be involved.
Why does an incident response plan fail?
There are many reasons. Usually it's because there are not enough people with defined authority to make the rest of the company comfortable with how the incident is being managed, which erodes confidence. For example, who has the authority to order supplies, shut things off, turn things on, or communicate to the top customers about what's going on?
Another reason an incident response plan will fail is if it was built in a vacuum of experience. It may have been built by well-meaning people with good intentions, but without previous experience it will lack overall effectiveness. The problem is they don't have muscle memory, and that translates to the plan. It's like Mixed Martial Arts: it's one thing to know the theory, but another thing to use it in real time.
Lastly, don't make introductions during a crisis. Make sure everyone involved in the incident response plan knows each other before the incident.
How to Test Your Incident Response Plan
Try to make it as real as possible. Not everyone may be present during a real event, so you need to be prepared for that. During the simulation, send a few people out to get coffee and check whether the rest of the team can figure out what to do. This will help you identify whether you are missing a 2nd- or 3rd-tier person and whether you need to contract a third-party incident response service provider just in case.
Have an incident response team on stand-by - Sometimes the plan is built by the people who won't activate it. You need to ensure the people who are actually activating the plan have practiced it monthly or quarterly. Make sure everybody knows everybody before something bad happens.
Strong leadership is key to success - Who are the decision-makers? When you do tabletop exercises, define your goals. For example, making sound decisions. When the heat is on, you need strong leadership.
Incident response is not like riding a bike - You can't just jump back on and say we totally know how to do IR. You can't build a plan, put it on the shelf, and not crack it open until you need it. You can't operate like that. You need to practice.
What if the SANS Incident Response playbook is too complicated for an SMB?
Your cybersecurity incident response policy is NOT measured by weight; it needs to be something people can use and act on. It doesn't matter if you are a small company or an enterprise: you can't have more pages in the incident response plan than employees. Create a high-level 5-pager.
Determine and categorize the impact of the event - Let's say someone clicked on a phishing email. Did it lock the entire financial system or just a single laptop? That helps define the scale of the incident and who needs to be alerted. The higher the impact, the more people need to be involved in the response. If it's a low impact, maybe the help desk can take care of this, but if it is high impact, you need your critical incident response team to be involved.
It is a living document - An incident response plan isn’t a write and forget thing. It should be a living document and it needs to be revised and tested.
Who should have access to the incident response plan?
Short answer - Everyone who participates in the IR plan should have a hard copy. If you only have a soft copy and get hit by ransomware, you may not have access to it.
Also, the copy should be accessible from wherever you are. If you work from home, you should have a copy at home.
It's good to have a Crisis Coordinator who understands the whole incident response process to coordinate between all the teams.
During an Incident
When something happens, you need to have rings of awareness - or in other words, an "escalation plan". You can't be clumsy in your communication. Let's say you are dealing with ransomware: you may not want everyone to know right away how deep in you are, especially if you don't know yet. You don't want someone to tweet about it. You should be able to control the message.
Next, you want to keep a regular cadence with those who need to know at a specific time; otherwise you will be distracted by people knocking on your door every 5 minutes asking for updates. Lay out the cadence at which people will receive communication, for example every 30 minutes or 1 hour. You may need a designated speaker who is responsible for updating leadership even when there isn't a meaningful update.
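The impact tiers, rings of awareness and update cadence described above, turned into a small escalation helper. This is an added example, not code from the webinar or its panelists; the ring names, the thresholds (a critical asset, suspected data exposure, or ten or more affected assets means "high") and the cadence values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Rings of awareness, innermost first. Constructed names; a real plan lists
# actual roles and their contact details.
RINGS = ["help_desk", "critical_incident_team", "leadership", "key_customers"]

# Update interval per impact level (constructed values).
CADENCE = {"low": timedelta(hours=4),
           "medium": timedelta(hours=1),
           "high": timedelta(minutes=30)}

EXAMPLE_START = datetime(2022, 3, 1, 9, 0)  # constructed start time


@dataclass
class Incident:
    kind: str                   # e.g. "phishing", "ransomware"
    affected_assets: list[str]  # hosts/services confirmed affected
    critical_assets: set[str]   # assets the business cannot run without
    data_exposure_suspected: bool = False


def classify_impact(inc: Incident) -> str:
    """Rate impact by blast radius, not by attack type: one locked laptop is
    'low'; the financial system, suspected exposure, or wide spread is 'high'."""
    hit_critical = any(a in inc.critical_assets for a in inc.affected_assets)
    if hit_critical or inc.data_exposure_suspected or len(inc.affected_assets) >= 10:
        return "high"
    if len(inc.affected_assets) > 1:
        return "medium"
    return "low"


def rings_to_notify(impact: str) -> list[str]:
    """Higher impact widens the circle of people who are told."""
    depth = {"low": 1, "medium": 2, "high": len(RINGS)}[impact]
    return RINGS[:depth]


def communication_schedule(impact: str, start: datetime, hours: int) -> list[datetime]:
    """Fixed update times for the outer rings; an update goes out at each
    time even when there is nothing new to report."""
    step, times, t = CADENCE[impact], [], start + CADENCE[impact]
    while t <= start + timedelta(hours=hours):
        times.append(t)
        t += step
    return times


if __name__ == "__main__":
    laptop = Incident("phishing", ["laptop-042"], {"erp-db", "erp-app"})
    erp = Incident("phishing", ["laptop-042", "erp-app"], {"erp-db", "erp-app"})
    for inc in (laptop, erp):
        level = classify_impact(inc)
        print(inc.affected_assets, level, rings_to_notify(level),
              [t.strftime("%H:%M") for t in communication_schedule(level, EXAMPLE_START, 2)])
```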
Prepare for being unprepared - You need to be prepared for stress. You have to have control of the situation - otherwise someone else will, whether they should or not. If there is a vacuum in leadership, people will run everywhere. So establish a chain of command and make it clear what people are not supposed to do - for example, Tweeting about it.
When you are dealing with an emergency, even one as simple as someone breaking a leg, you can't expect someone to call 911 on their own. You literally need to point at a person and tell them to call 911. You need leadership!
When Does Incident Response Fail, and Lessons Learned
When people pull out the plan for the first time when they need it. The first time you read the plan shouldn't be during a crisis. The first moments are critical; if you are not organized, be prepared for chaos.
When people blame. This is not the time to throw someone under the bus, and you can't blame or attack each other when you are trying to save the company.
When there is no clear leadership - Communication needs to be clear and in a calm tone. You are dealing with a high-stress situation. Be self-aware of how you speak, and speak only in facts, not assumptions.
What do you do now? You need to reflect on what happened. You need to invest as much time after the incident as you put in during it. Understand the things you did well and the things you didn't do well. Share the things you did well with other groups in the organization. Document that process. You don't want it to happen again. Identify any process that needs to be updated. Don't forget to acknowledge those who did well and provide more training to those who didn't. This needs to drive change. It makes your company more resilient.
Resources from our panelists
Brian Haugli - Managing Partner, SideChannel
- Web: SideChannel
Rob Burton - Veteran - Crisis Management - Exercise Specialist
- Training on how to run effective Tabletop Exercises: https://crisisconferences.com/product/principles-of-simulation-exercises-march-2022/
- PreparedEx: https://preparedex.com/
- LinkedIn profile: https://www.linkedin.com/in/robburton9/
- Email: email@example.com