Ayn Rand, author of Atlas Shrugged, once said "The hardest thing to explain is the glaringly evident which everybody...
has decided not to see." This statement hits close to home within the IT and information communities in terms of incident response. Every business is seemingly secure, compliant and capable of handling whatever security event comes its way -- that is, until the event actually occurs. Then reality hits. The gaps, holes and shortcomings in the organization's incident response policy are brought to the forefront. As the IT or security manager, suddenly you're center stage. It's a test to see how you respond. Unfortunately, odds are you're not going to be prepared.
Many cybersecurity incident response plans exist in theory but not on paper. Every single business out there should be documenting the procedures to follow after an incident or confirmed breach. Forget about informal policies -- they're usually not enforceable and most people don't pay attention to them. These days, a detailed security incident response policy or plan is as critical -- if not more -- than an enterprise disaster recovery plan. If you don't have a security incident response policy or functional program, it's time to start one. If you do, kudos. Either way, do what you can to not make these mistakes:
- Making decisions without all the right information.
Like a solid set of IT and security goals that guide you in the desired direction, you need good information from your systems and people in order to effectively deal with security incidents. The interesting thing about certain events is that some people rationalize what happens and put a positive twist on an otherwise unfavorable incident. In many cases, this is done without any information at all. It's more of a "CYA" move than anything but it's not good for business.
- Focusing on checklist items rather than processes
The reality is that many organizations don't have a true assessment of where they stand with their information risks. The majority of IT and security pros don't know where their sensitive information is located. In the event of a breach, it's going to be extremely difficult to figure out which systems and information have been compromised. Rather than using a checklist for responding to cyber incidents, focus on processes. Otherwise, the fact that you didn't follow all of the steps on your checklist can be used against you in a court of law, i.e. in a negligence case against the business.
- Not acting quickly enough
One of the overarching goals of having an incident response policy is to maintain the integrity of the systems, information and logs associated with any ensuing investigation. Get information and set it aside as soon as possible. Ideally, you'll have an outside incident response and forensics firm on retainer to assist any investigation.
- Legal counsel is not leading the charge
A key strategy in legal situations is obtaining and maintaining attorney-client privilege. Your legal counsel needs to head things up and, especially, serve as the main point of contact with security team members and outside vendors.
- Lacking the proper tools in advance
When incident response is an afterthought, it's often too late to implement the necessary security and forensics tools to help with incident investigations. Procure the proper tools, i.e., log aggregation, SIEM and forensic analysis -- either in-house or outsourced -- before you need them. Otherwise, you're not going to have or know how to use the tools you need when you need them most.
- Failing to develop a public relations strategy
Many assume that management will handle things once the going gets rough. Guess who management is going to be calling on to get the necessary information? You. If long-term reputation is important, it pays to determine who is going to speak on behalf of your organization along with the message points that will be provided. When in doubt, hire an outside PR firm in advance.
Regardless of your organization's maturity level or approach to an incident response policy, management must be on board. They need to see this as a core function within information security that plays a significant role in overall business continuity and resiliency. If they get it, odds are good that everyone will be on the same page when the incident occurs, thus simplifying an otherwise painful and complicated process. If they don't get it, things may appear to be smooth-sailing for now but once the inevitable occurs, all bets are off. Everyone will be sent scrambling, as has been seen time and again with the largest and seemingly most resilient of corporations and government agencies.
Do the professional and mature thing. Take a step back and think about how the enterprise has responded to security issues in the past and how it will prefer to respond to them moving forward. Fix your security incident response policy weaknesses now before they make you look bad.
Find out if your enterprise should attempt to use "hack back" deception techniques
Learn how to identify hard-to-spot network intrusions
Read how to best adhere to your IT security plan