Incident Response is counterintuitive for a number of reasons:
- It is the tool in your InfoSec armoury whose value you can only really demonstrate after you have used it
- It is by nature reactive, yet it requires a great deal of preparation
- In an incident, doing nothing is sometimes more advantageous than doing something
- It is often the last consideration for the security team when it should be the first
In this post we will consider why Incident Response is so counterintuitive and hard to get right, and offer some tips that will make it easier.
What is Incident Response?
Incident response is an organisation’s planned approach to dealing with and managing a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The aim is to address the situation in a way that limits damage and reduces recovery time and costs.
You need to focus on Incident Response because, no matter how secure your business is, there will always be opportunities for malicious actors to exploit gaps in your security. Also, just as in monitoring and reporting, it is important to get early warning and to respond quickly, efficiently and effectively. It sounds simple, but it is a complex task that needs to be well prepared in advance, practised, and given plenty of opportunities to prove that it works.
What makes it so counterintuitive?
Picture the scenario: the bad guys are into one of your most sensitive systems; your monitoring and reporting systems have given you early warning, and you can tell that the intruders are moving around looking at systems before they decide what to steal, lock up or destroy. But they are human and they have an objective; you have to get into their mind and think "what would I do if I were them?".
In many cases where I have helped clients, their gut reaction has been to disconnect the systems, but this may be the very worst thing to do: have you considered what the impact of disconnection will be? Every action you take is observable by the bad guys, so if you do something that makes it clear you are onto them, they have little to lose and may cause as much havoc as they can, going after their objective as quickly and as destructively as possible. This could mean triggering ransomware or a smash-and-grab of whatever information they have found. So, against all your instincts, the first thing to do is to investigate carefully in order to find out what they are trying to do and how best to remediate. A potentially even worse situation is that the channel they are using is not the only one open to them: frequently I have seen 3 or 4 items of malware in the systems. Once discovered, it is easy for them to go quiet for 3 or 4 weeks and then open up on another front.
So what should you do instead?
It is hard work to prepare effectively.
- Firstly, it is all about preparation. You need to be prepared for how you are going to respond before the incident happens: a clear set of procedures, processes, roles and the information you need to get hold of in order to investigate critical incidents, identifying the right logs and additional information that you need to secure.
- Secondly, it is about recognising that it is not just a technical problem. You also need to respond to the business issue that is occurring, with varying levels of response or teams depending on the situation. Just as in a business crisis, it may need to be dealt with at a far more senior level than first indicated. The board will not necessarily know the systems and the technology involved, but the media team may need to be involved, the markets need to be reassured, liabilities to customers need to be managed, and the legal and commercial teams need to be prepared to deal with unexpected consequences. For example, if ransomware has spread beyond your estate, your systems may have infected others; you have a duty to remediate and to coordinate with those companies.
- Thirdly, it is about recognising the potential scenarios and practising them in advance. In the most extreme cases, having the right roles and the right people ready and able to manage a multifaceted incident in a cohesive way could be the difference between the success of the company and its failure. If you only start that process at the time of the incident, the chances of getting the right people in the right place to make the right decisions are greatly reduced. Preparation needs to involve not just plans but rehearsals and war games, potentially bringing people in to run a proper real-time exercise that stress-tests the procedures and tools until the organisation acquires the muscle memory and the ability to be more relaxed when it happens for real.
Perhaps the best starting point is to imagine a number of different incident scenarios, not just at the technical level but at the business level, and to consider how they might evolve and who might be needed to manage them. The team can build on those scenarios to map out, at a high level, the end-to-end approach: through remediation to recovery to lessons learnt. There is plenty of freely available material on different high-level approaches to responding to incidents, but it is critical to tailor it to your own organisation, embed it in the business and exercise it on a regular basis, so that when it happens for real all the intellectual energy can be focused on the incident you are dealing with rather than on how incidents in general should be dealt with.
c2 cyber ltd