Preparation puts you ahead in incident response

You know it's common sense, but is it common in your workplace? I had the opportunity to attend a webinar covering incident and breach response and the reality is, having the framework to respond to an attack is becoming just as important as preventing an attack in the first place.

The speaker listed the 6 biggest setbacks that he had noted first-hand when responding to an incident or breach. He also outlined what can be done now to ensure these failings don’t cripple your team in such a crucial situation.

1. Security staff not trained to handle breaches 

   • What you can do:  Train your security staff on standard incident response techniques and, more importantly, on the specific procedures set by your organization.  Take the time to conduct tabletop exercises to let your team prepare for various scenarios and look for ways to improve their response.

 The speaker also added that organizations are placing too much focus on prevention and not enough on incident detection and response.
2. Organizational shellshock
   • What you can do:  Promote user awareness that breaches do happen and are a very real thing.  Focus on what to do next at various levels of various departments.  Don’t make the mistake of only communicating this to IT staff.
3. Incident response team poorly represented
   • What you can do:  Be sure to include other departments along with IT and Security, like Executive Management, Legal, Human Resources, Public Relations, etc. It only works if everyone is on the same page.
4. Lack of network visibility
   • What you can do:  Create an accurate representation of your digital enterprise.  This includes accurate, up to date, network diagrams, data flow diagrams, IP address lists, asset inventory, etc.
5. Lack of skills to perform network/packet forensics
   • What you can do:  Keep the experts on speed dial.  Some digital forensics experts require an on-boarding fee along with ongoing retainer ahead of time to “be available” in the event of a cyber incident.  Communicate with those experts what you will need for an incident ahead of time; don’t wait until a crisis to have that conversation.
6. “Ideal” packets not stored in advance
   • What you can do:  Forensics teams are relying on network packets now more than ever to piece together the puzzle of a breach or major incident. Without baseline network packets stored before the alert, it becomes difficult to differentiate the good from the bad.  This doesn’t mean keeping EVERYTHING, but only packets around detected events.  Setting a strategy for this would probably mean a conversation with your Log/IDS team or SIEM provider.

The key takeaway from these 6 items is that you don’t wait for the incident to happen to address them. It takes much less time to build from framework already in place than to build from the ground up. With a little preparation ahead of time, you can avoid some of these most common pitfalls when trying to put the build your organization back up.