Preparation Activities for Incident Response

The past few years have seen a massive shift in business strategy towards digital solutions. This shift has resulted in business-critical processes relying on highly heterogeneous digital ecosystems. Businesses need to be highly flexible and immediately available to ensure they survive and remain profitable. This shift brings new and unexpected risks and challenges for companies of all types and sizes, particularly when responding to cyber threats.

Incident preparation and response planning is increasingly becoming a topic of conversation for business decision makers. Good preparation and planning are at the heart of effective incident response, ensuring threats are mitigated in a safe, effective and timely manner. Chris Taylor, Principal Analyst Incident Response at NormCyber, has put together a list of tasks to aid in the decision-making process.

1. Develop an Incident Response Plan and Test It

An incident response plan is the survival guide for any company having to deal with a cyber intrusion.

This should be a comprehensive document that details the who, how, what and when of incident response. It should include how communications are managed and who manages them, how containment, eradication and recovery are enacted, escalation points for decisions and who would undertake specific technical response actions. This can and should be bolstered by technical playbooks for specific tasks (password resets for instance) and all relevant parties should be trained in its enactment and use.

Oh, and don’t forget to test it. IR planning needs to be like preparing for a real-world threat (think fire or flood). How do you know the fire alarm works? Do staff know what the alarm signifies? Norm can help document and then test IR plans using real-world experience, so you know the IR plan is effective and resilient.

2. Establish an Incident Response Team

To have adequate IR preparedness, every task must be assigned to a named person. You need an IR team!

It’s important to understand the relevant IR tasks, and to assign them to people before an incident occurs. You will need decision makers, technical staff to enact actions on systems, legal counsel and data reporting staff, and people to handle communications.

3. Conduct Risk Assessments

Risk assessments are a must for all companies and aid in the decision-making process for incident response. You need to understand what risks the company faces, the impact of outages, and how risks can be mitigated prior to or during an incident. This work will naturally lead to understanding your assets and their criticality, which are also important pieces of information in times of crisis.

4. Implement Security Controls and Cyber Best Practice

Companies should implement and test security controls to strengthen their cyber resilience. Key measures include:

  • Deploying firewalls, intrusion detection systems, and endpoint protection.
  • Enforcing multifactor authentication (MFA) and conditional access policies.
  • Adopting a zero-trust security mindset.
  • Enabling logging and ensuring logs are securely retained.
  • Monitoring security alerts in real-time.
  • Implementing a unified Endpoint Detection and Response (EDR) platform across all assets.

5. Template, Designate and Automate Where Possible

You can prebuild a lot of the information you will need in an incident before one actually occurs. This would include communications to specific stakeholders and reporting/interim updates.

Efficiency and speed of response can be improved by making decisions and defining actions based on thresholds before an incident occurs. This includes things like giving technical team members the authority to segregate a system if malware is detected, without asking permission to do so (ensuring they communicate the action out to relevant people after the act), or resetting a password if an account logs in from abroad.
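The pre-authorised actions described above can be written down as a small decision matrix so that a responder (or a SOAR job) applies the agreed action and then issues the mandatory follow-up notification. The snippet below is an added illustration, not code from NormCyber or from the post; the alert shapes, the home country, the action names and the stakeholder roles are assumptions.

```python
from dataclasses import dataclass, field

HOME_COUNTRY = "GB"  # assumed: where the business normally operates


@dataclass
class Alert:
    kind: str                  # "malware" or "login" (constructed categories)
    host: str = ""
    user: str = ""
    country: str = HOME_COUNTRY


@dataclass
class Decision:
    action: str                # the agreed response
    pre_authorised: bool       # True: act now, tell people after; False: escalate first
    notify: list = field(default_factory=list)  # who must be told after the act


# Thresholds agreed in the IR plan before any incident (assumed values)
PLAYBOOK = {
    "malware": ("isolate_host", True, ["ir_lead", "it_ops"]),
    "login_abroad": ("reset_password", True, ["ir_lead", "service_desk"]),
}


def decide(alert: Alert) -> Decision:
    """Map an alert to its pre-authorised action, or escalate when no rule matches."""
    if alert.kind == "malware" and alert.host:
        key = "malware"
    elif alert.kind == "login" and alert.user and alert.country != HOME_COUNTRY:
        key = "login_abroad"
    else:
        # Anything outside the agreed thresholds goes to a decision maker first
        return Decision("escalate_to_decision_maker", False, ["ir_lead"])
    action, pre_auth, notify = PLAYBOOK[key]
    return Decision(action, pre_auth, list(notify))


def post_action_notice(alert: Alert, decision: Decision) -> str:
    """Build the communication that must follow a pre-authorised action."""
    target = alert.host or alert.user
    if not decision.pre_authorised:
        return f"{decision.action} for {target}: awaiting approval from {', '.join(decision.notify)}"
    return f"{decision.action} applied to {target}; notified {', '.join(decision.notify)}"


def handle(alerts: list) -> list:
    """Run constructed alerts through the matrix and return the audit trail."""
    return [post_action_notice(a, decide(a)) for a in alerts]
```

Calling `handle([Alert("malware", host="ws-01"), Alert("login", user="jdoe", country="US")])` yields one line per alert, which doubles as the record that the action was communicated out.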

6. Establish Relationships and Understand Dependencies with External Partners

Building relationships with external partners, such as cyber security vendors, law enforcement, and incident response consultants, can be invaluable during an incident. These partners can provide additional expertise, resources, and support to help manage and mitigate the impact of an incident. It's also important to understand what you would do if one of your external vendors were breached. This type of pre-planning and discussion provides resiliency and gives you guidance should a vendor be impacted by a cyber threat.

Conclusion

Proactive incident response preparation remains a critical part of a robust cyber risk management strategy. By developing and testing an incident response plan, assembling a dedicated response team, conducting thorough risk assessments, and implementing robust security controls, businesses can significantly enhance their cyber resilience. Additionally, automating response actions, predefining communication templates, and fostering strong relationships with external partners can further streamline the response process. Cyber threats are inevitable, but with careful planning and strategic preparation, organisations can minimise damage, recover quickly, and maintain business continuity. Investing in these foundational practices today will ensure your business is well-equipped to tackle the cyber challenges of tomorrow.

Written By: Chris Taylor,
Principal Incident Response (IR) Analyst at NormCyber

Chris is the Principal Incident Response (IR) Analyst at NormCyber. His team have worked with businesses across a diverse array of verticals to efficiently remediate cyber security incidents. They are dedicated to identifying and eradicating threats within compromised digital ecosystems and have a wide variety of skills and capabilities to provide the best possible IR function for our clients.