Why you need better incident response – and how to do it (Part 2)
- Posted on April 29, 2019
- Estimated reading time 3 minutes
This is the second of a two-part series on incident response (IR). In the debut post, we described the risks of not being prepared, and the benefits of a fully-fledged IR strategy. In part two below, we cover the best practices for assembling and executing your own IR plan.
If you read the first post in this series, you understand the high stakes of making sure you have the right incident response strategy. Now that you’ve come this far, how do you actually get better at IR?
If you take away one message from this article, it should be this: incident response must be practiced so that it is efficient and faultless.
With more than 20 years of experience in both IT and IS, working in organizations of every size from small to large, it has become apparent to me that many organizations don’t possess an incident response playbook. Or, even worse, they have one that is grossly out of date. With the sole exception of Avanade, nowhere I have ever worked has practiced frequent (monthly/quarterly) IR exercises.
Practice makes proficient
Avanade’s frequent IR exercises at a minimum include the entire Security Operations (SecOps) team, Information Technology Services (ITS), as well as the Legal and Forensic teams. They are always created by two or three dedicated SecOps team members, while another, junior SecOps team member is appointed Incident Commander, providing a valuable learning experience.
Changing it up
One of the most important things to note is that each of these IR exercises is different in nature. The first might be a phishing attack. A month later, it could be followed by a DDoS, then a man-in-the-middle (MitM) attack. Sometimes the vector might be an account compromise, and then a malware infection. Each one of these teaches different skills. The best way for us to learn to recognize an event quickly is by simulating it and then going through each step of the response process.
In each case, the Incident Commander will follow the recommended six steps of incident response which are:
- Detection and analysis
- Containment, eradication, recovery
- Post-incident activity (lessons learned)
- Incident handling checklist
Being Incident Commander is not an easy job, but the bigger lesson is that in any security incident, time is of the essence. It is vital to contain the incident as soon as possible to minimize the impact on the organization.
Building your team
Many organizations always put their Senior Incident Commander in charge of any ongoing incident. This is the right thing to do when that person is on site. Unfortunately, it doesn't provide growth opportunities for junior SecOps team members.
These IR exercises are the perfect opportunity for junior SecOps members to learn and grow this skill set and be better prepared to respond to any incident. Your Senior Incident Commander may not be available due to illness, vacation, or even attending an out-of-town conference.
Following up is key
You should conclude each exercise with a “lessons learned” session, or schedule a separate event (meeting/video conference), to discuss what went right, what went wrong, and what needs to change.
It should be done while the details are still fresh in everyone’s minds. This is how the need to create or update policies and procedures is discovered, and how security gaps are identified. Only then can you update the IR playbook to address the weaknesses you have identified.
Both hiring new people and sending personnel for training can increase skills. Neither will result in personnel being more knowledgeable about your unique environment. The only real way to teach personnel to respond to attacks against your infrastructure is to train them on the process.
Audio-visual presentations allow a participant to retain a fraction of available information. This is not a good way to learn. Ask yourself: what would you or any of your staff do right now if a ransomware notice popped up on your screen?
If you don’t have an immediate, well-rehearsed response, you are not as prepared as you should be for an attack.
Simply put: In any attack, time is your biggest enemy.