Incident response: resilience takes practice
Regular fire drills are common; what about a cyber incident exercise?
For today’s connected organisations, being able to detect and respond to security incidents is a critical security and business capability. Given the practical challenges that arise during most incidents, combined with their time-critical nature, it is essential to start preparations across all layers of your organisation long before you encounter your first real incident.
Jelle Niemantsverdriet, Bas de Vogel & Theodorus Niemeijer - 29 June 2016
Incident response is an incredibly practical, hands-on discipline. When we help our clients respond to incidents ranging from hacks and denial-of-service attacks to full-blown crises, we see a lot of positive things. When things go wrong and organisations are in fire-fighting mode, plans go out of the window, decision cycles are accelerated and all leave is cancelled. Slow and formal organisations all of a sudden try to become agile and pragmatic, and that long-overdue increase in the security budget is signed off with no questions asked.
Sounds great – in a way. It sounds like everybody should have to deal with a security incident at least once, doesn’t it? Maybe so – but let me burst your bubble, because a real incident is really not the best way to get started. You would not start running a marathon without any training either, would you?
Beginner incident response
While most organisations definitely show an incredible increase in activity after the detection of an incident, a lot of that activity is not well coordinated or well rehearsed, and is therefore not as effective as it could be. As I said: this is a hands-on discipline, but to be good at a hands-on discipline you need to practise – or you will run into all sorts of seemingly simple mistakes. A good comparison might be how it feels and looks when you are just picking up a new sport: you are in full enthusiastic action mode and giving it your best shot, but your technical skill and coordination are those of a beginner, clumsy and not yet effective.
The “Dead body paradox”
What does beginner incident response look like? Let me draw a comparison here: we all know how to deal with a ‘real’ crime scene, right? Just like in the movies: a dead body, blood, a knife… Stay away, don’t touch anything and call for help. Ironically, when we are called in to assist with a cyber incident, we experience the ‘dead body paradox’: even though this could very well be a crime scene as well, people show completely the opposite behaviour. Everybody is accessing the affected systems, running tools and modifying data. Often with the best of intentions, but without insight into the impact: they are potentially altering evidence and making it a lot harder for an incident response team to find out what happened.
The “Consensus network diagram”
As you can imagine, having insight into which systems you have and how they are connected is a key element of a fast response to an incident. While most people will agree with this statement, this is also where we often come across some practical hurdles. The request to see a network diagram, in order to understand an organisation’s infrastructure and potentially affected systems, often results in a somewhat troubled and puzzled look. Most organisations do have a network diagram, but often lack an up-to-date version.
We therefore typically resort to what we call the “consensus network diagram”: get everybody from the IT team into the room and just start drawing the relevant infrastructure on a whiteboard. This takes a bit of time, but is eventually quicker and more up to date than relying on the outdated and incomplete diagrams.
A multi-disciplinary approach is key
These are just some IT-related examples – but please don’t think an incident is only about IT. In today’s modern, digitally enabled businesses, most incidents have the potential for severe business impact. Having the right disciplines represented on the response team is a critical success factor for incident management – in most organisations this means that representatives from communications, legal, the affected business teams and senior leadership need to be involved and need to be empowered to make decisions.
These are just a few of the very practical elements you don’t want to start thinking about while you are going through a real incident – there is simply no time, and even your well-intended efforts will most likely look like those of a well-meaning beginner. You don’t want to start debating who can decide to take a production website offline, or what the best wording is to inform customers about a disruption to your business, when you are in the middle of a real incident and trying to coordinate your response.
Prepare, practice and evaluate
Take the opportunity and calm of normal days to prepare your incident response plan – and, more importantly, continuously test the plan through simulated incidents. After all – to repeat our sports metaphor – you don’t run a marathon just by drafting a training programme; you need to put on your shoes, go out and run, and keep running for a couple of months. By making responding to (simulated) incidents part of your normal routine, you will become that pragmatic and agile team – but without the unnecessary stress and improvisation of those who are just trying their luck for the first time at a real incident.
More information on Incident Response?
Do you want to know more about incident response? Please contact Jelle Niemantsverdriet at +31 (0)88 2882433