"...If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle..."
Sun Tzu, The Art of War
Bottom Line Up Front
The bedrock of a mature Incident Response Capability is a brutally honest understanding of where your preventative and detective controls are strong and where they are weak, together with your personnel's confidence in a "no fear" incident reporting policy.
Incident response is a "people thing", not a technology thing: the ease of use of the reporting process spells the success or failure of the program, and maybe of your business.
What we will discuss in this section:
- Why your Communication Plan IS the Incident Response Program [IRP]
- Insurance and Corporate Risk
- Types of "incidents"
- What works re: triage "incidents"
- Your Incident Response Process
- Why tools cannot save you...
- Why your Risk Register is the backbone of your Incident Response Program
- Why your Risk Committee must own the Incident Response Program
- Resources, where can you get some help?
Why your Communication Plan IS the Incident Response Program
An "incident" can and should be reportable by anyone. The ease of, and every employee's familiarity with, the reporting process will define the effectiveness of the program. An easy to use, "no fear" (of blow-back) process will give you timely results you can use, right now, to protect your business.
Since we're talking about people here, communication is the key:
- Who is the point of contact [POC] for the IRP? Are they available 24x7x365? Here's a hint: your "Service Desk" staff should be extremely well trained and should "own" the possible incident until it is handed off to the Leadership Team. You must empower them (really) to expend resources to protect your business until someone more knowledgeable arrives on the scene.
- How well is the POC trained to calm down the person reporting and gather information?
- How quickly can the POC reach a business decision maker who can take action?
- Who "owns" the incident, cradle to grave?
The quality of your Service Desk staff's Incident Response training will account for 90% of the success of your IR Program; bank on it.
Insurance and Corporate Risk
Cyber Security insurance has become a significant component of an organization's cyber risk mitigation planning. It primarily covers the often large and normally under-budgeted expense of responding to a major cyber incident. Unfortunately, many cyber insurance policies are purchased in conjunction with Workers Comp, E&O, D&O, etc., and without direct input from the cyber security group.
If this is the case, take action now: have your Legal, Compliance, Risk and Cyber Security leaders sit down together and review your Cyber Security Insurance Policy, develop a punch list of "issues" if necessary, and negotiate with your insurer to tailor your coverage so that it exceeds the needs of your business and protects your market share and competitive advantages.
Cyber insurance policies are contracts that establish expectations between the insurer(s) and the insured. If these expectations are not satisfied, the policy may not deliver on its promise. Read the conditions closely: policies commonly require notice to the insurer within a fixed window, use of the insurer's panel of forensic, legal and notification vendors, and accurate answers on the application about controls you claim to have (multi-factor authentication, backups, patching). A missed notice deadline or a control that was attested to but never deployed can give the insurer grounds to deny the claim.
More importantly, these policies typically give your incident response team access to pre-negotiated breach counsel, forensic, notification and public relations services, so that it can move swiftly and decisively to reassure customers and investors and to protect your business.
Types of "incidents"
From a policy perspective, document your types or phases of incidents, so that in the event of legal action, you can adequately justify your actions.
There are normally three types of incidents:
Potential Cyber Incidents: these are "incidents" where so little is known that they are not yet actionable. As a matter of policy, until a "potential incident" is handed off to the Incident Response Team, it should only be referred to as a "potential incident".
Cyber Incidents: these have been identified as cyber security related incidents; we believe they are Cyber Incidents, but we are still collecting information and performing triage.
Reportable Cyber Incidents: these are the real deal. They meet the legislative, legal, regulatory or policy requirements that make them "reportable". You may still be collecting information and performing triage, but you now have legitimate business risk involved. At a minimum you are required to notify your insurer, legal, and any regulatory oversight bodies, etc. Before you do, find your Corporate Communications policies and officer and take a few minutes to assign tasks and set expectations. This is where people are navigating in uncharted territory and may get emotional. Work hard to keep things low key and level headed.
What works re: triage "incidents"
How do you get real time visibility of your enterprise so that your IR Team can function rapidly? How will you contact the correct key personnel in a timely manner for decision making and consensus building? Better to work that out now.
The neat thing about this is that the requirements here are functional, as opposed to the nonfunctional ones in prevention and detection: you can test whether the right people were reached and a decision was made in the time you need, whereas you can never prove that a control prevented every attack. So the good will beat out the mediocre. We need to build good things and bring people and technology together, mirroring less of IT and more of generic risk management. We can learn a lot from other domains that have been doing this for decades.
Your Incident Response Process
The classic approach to Incident Response, as described in the NIST Computer Security Incident Handling Guide, is made up of four phases: (1.) Preparation; (2.) Detection & Analysis; (3.) Containment, Eradication & Recovery; (4.) Post-Incident Activity. Let's look at each in a little depth:
Preparation Phase: This is your training and "risk register" phase. Creation, care and feeding of your "risk register", attention at the Risk Committee meetings, grooming, validation, allocation of resources to mitigate, etc., together with the training of your Service Desk team in their role as "Incident Response - First Responders", are your key performance indicators in this phase.
Detection & Analysis Phase: This is where your training pays off; your "first responders" are appropriately trained and resourced to act swiftly and decisively to protect your business. Bringing the right people together at the right time to ACT!
Containment, Eradication & Recovery Phase: Stop the spread, remove the attacker's foothold, and only then manage resources to get back to customer focused resource allocation. Hold the Champagne until your customers are happy again...
Post-Incident Activity: This is where most businesses scrimp, but in reality where most businesses should lavish resources. What did we learn? How can we, proactively, work to ensure that it never happens again? What training, policies, processes, procedures, people, etc. need to be modified to better support the business continuity plan should we find ourselves in another emergency situation? Do yourself a big favor: spend most of your IR time here...
Ensure, if you can, that your Cyber Security Insurance covers these post-incident activity costs; if it does not, see if you can negotiate a "rider" to cover them. It will be money well spent.
Why tools cannot save you...
As technologists, most people, when facing a challenge, look for a tool to "do the work". Like it or not, the Incident Response world is the people world: a tool cannot interview an employee about what happened, it cannot talk to the press, and it cannot brief the Board of Directors, the Audit Committee, the CEO, etc.
Give a lot of thought to the folks that will make up your IR team and, specifically, who will lead that team. Do yourself a favor and don't make it an emotional appointment; make it a solidly merit based appointment: a cool headed person who can clearly see the guard rails and understands that a "policy" is just guidance, not stone tablets from on high...
Why your Risk Register is the backbone of your Incident Response Program
In a perfect world, your "risk register" already describes the "indicators of compromise" of your next incident and may very well be your roadmap for it. If your next incident, in the final analysis, was not related to an item on your risk register, there is something wrong with your risk identification and analysis process.
Is your "risk register" open to anyone to comment on? For example, during a new customer assessment we were pleased to find that one of the Service Desk staff had been keeping notes on root cause analysis of problems for years... apparently, no one had been willing to listen...
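The test in the previous paragraph (every real incident should trace back to a register entry) is easy to automate in a post-incident review. The script below is an added example, not code from the original article: it takes a small risk register and a list of closed incidents (both constructed sample data; the field names risk_id, tags, owner and linked_risk are assumptions about how such records might be kept), links each incident to a risk either by the explicit link recorded in the review or by tag overlap, and reports the two things the Risk Committee wants to see: incidents that matched nothing on the register (blind spots in risk identification) and register items that have never materialised (candidates for re-scoring).

```python
"""Trace closed incidents back to the risk register and flag the gaps.

Added example for this article; the register, the incidents and the field
names below are constructed sample data, not anyone's real records.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    tags: frozenset  # keywords used to match incidents, e.g. {"phishing", "mfa"}
    owner: str


@dataclass(frozen=True)
class Incident:
    incident_id: str
    summary: str
    tags: frozenset
    linked_risk: Optional[str] = None  # set by the post-incident review when known


# Constructed sample register (hypothetical entries).
RISK_REGISTER = [
    Risk("R-001", "Credential phishing against staff without MFA",
         frozenset({"phishing", "mfa", "email"}), "IT Ops"),
    Risk("R-002", "Unpatched internet-facing VPN appliance",
         frozenset({"vpn", "patching", "perimeter"}), "Network"),
    Risk("R-003", "Over-privileged service accounts",
         frozenset({"iam", "service-account", "privilege"}), "Identity"),
]

# Constructed sample incidents from one review period (hypothetical).
INCIDENTS = [
    Incident("INC-2024-01", "User clicked credential harvesting link",
             frozenset({"phishing", "email"})),
    Incident("INC-2024-02", "Ransomware via exposed RDP",
             frozenset({"rdp", "ransomware", "perimeter"})),
    Incident("INC-2024-03", "Backup job failed silently for 3 weeks",
             frozenset({"backup", "availability"})),
    Incident("INC-2024-04", "Service account token used from unknown host",
             frozenset({"iam", "service-account"}), linked_risk="R-003"),
]


def match_incident(incident, register, min_overlap=2):
    """Return the register entries an incident plausibly relates to.

    An explicit link recorded by the review wins. Otherwise fall back to tag
    overlap, requiring at least min_overlap shared tags so that a single
    generic word (e.g. "perimeter") does not count as a match.
    """
    if incident.linked_risk:
        return [r for r in register if r.risk_id == incident.linked_risk]
    return [r for r in register if len(r.tags & incident.tags) >= min_overlap]


def coverage_report(incidents, register, min_overlap=2):
    """Map incidents to risks; list unmatched incidents and never-hit risks."""
    matched, unmatched = {}, []
    for inc in incidents:
        hits = match_incident(inc, register, min_overlap)
        if hits:
            matched[inc.incident_id] = [r.risk_id for r in hits]
        else:
            unmatched.append(inc.incident_id)
    hit_count = Counter(rid for ids in matched.values() for rid in ids)
    never_hit = [r.risk_id for r in register if r.risk_id not in hit_count]
    return {
        "matched": matched,       # incident -> risks it traces back to
        "unmatched": unmatched,   # incidents the register did not foresee
        "never_hit": never_hit,   # risks with no incident behind them yet
        "hit_count": dict(hit_count),
    }


if __name__ == "__main__":
    report = coverage_report(INCIDENTS, RISK_REGISTER)
    for inc_id, risks in report["matched"].items():
        print(f"{inc_id}: traces to {', '.join(risks)}")
    for inc_id in report["unmatched"]:
        print(f"{inc_id}: NOT on the risk register -> review risk identification")
    for risk_id in report["never_hit"]:
        print(f"{risk_id}: no incident this period -> re-score or keep watching")
```

With the sample data, INC-2024-02 (ransomware through exposed RDP) and INC-2024-03 (silent backup failure) match nothing on the register even though a "perimeter" risk exists, which is exactly the signal the paragraph above describes: the register missed two routes in. Lowering min_overlap to 1 would quietly hide the RDP gap behind R-002, so keep the threshold honest and fix the register instead.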
Why your Risk Committee must own the Incident Response Program
Hopefully, we've made the case that the effectiveness of your Incident Response Program is easily within your grasp, and that it can be managed in a cost effective manner, without major expenditures, while delivering significant risk mitigation benefits. Your "risk register", if properly managed, can be your early warning system for potential incidents. The training and sweat you spend now with your "first responders" will pay major benefits when that day comes (and it will). And your Cyber Security Insurance investment must be proactively managed by your key stakeholders to address unforeseen costs and drive meaningful benefits during and after your incident.
Resources, where can you get some help?
Cyber Security Insurance - primer
Bruce Schneier on Incident Response
NIST Incident Response Guidance
NIST - Computer Security Incident Handling Guide