Incident Management: From Tactical to Strategic

Moving from Tactical Computer Incident Response to Strategic Organizational Intelligence

Institutional Incident Response

The response to a security incident, or the lack thereof, belongs to the organization. The whole organization. Placing the responsibility for incident response (IR) into only the IT Department creates a short-sighted and siloed culture which will not shield the organization from the repercussions of the incident. In fact, the skills required to navigate a cybersecurity incident may range far from those of most IT professionals: corporate messaging, legal, human resources, and ultimately, executive leadership will all need to participate.

It’s also worth noting that focusing on response alone will see your management of an incident fall short of effective. The most important part of incident management is planning and preparation. Response without adequate, cross-departmental preparation will almost certainly lead to a chaotic scene. Responses should instead encourage involvement from as many departments as are impacted. While technical tactics may be required to detect, contain, and eradicate a malware infection, or halt an active attacker, the organization must author the strategy of its responses. Execution should be holistic, integrated, follow a replicable plan, and include “runbook” style procedures published for common incident types.

Scenarios That Beg the Question(s)

There are many incidents which can disrupt the operations of an organization far beyond technical impacts. Social engineering within an unaware organization can exploit the trust of its users and lead to financial loss. Insider threats perniciously multiply from one disgruntled seed, causing the loss of proprietary company data. A simple, non-malicious human error can disclose sensitive data to unintended parties.

These incidents pose reputational and operational risk to an unprepared organization and rarely include a technical recovery requirement.

Why, then, do tactics and procedures drive Incident Response planning when the stakes might be beyond them? Keeping IT at the center of IR can create a myopic response that neglects big-picture reputational stakes and omits key institutional players.

Instead, organizations should also consider:

  • Does the organization practice phishing, network and customer pretexting, and on-site social engineering attack detection and response?
  • Does the IR Team include cross departmental staff and leadership?
  • Does the IR Plan include runbooks for common incident types, e.g., theft or loss of equipment, malware infection/ransomware attack, active cyber-attack, Denial of Service, etc.?
  • What is the process at your organization for obtaining, analyzing, sharing and acting upon applicable threat intelligence?
  • Who manages your threat intelligence feeds and library?
  • Should the threat of malware have any impact on user browsing activity?
  • What are your social media controls? Do you review user posts prior to publishing? Are you alerted when there is a post? Can you tell how many shares and views?
  • What are your procedures for risky transactions/functions?
  • How do you manage accidental disclosure of sensitive/protected data?
  • What happens when a breach or incident hits the press? Who is doing the talking? Perhaps more importantly, who isn’t?
  • Do you have scripts, outgoing messages, web-site specific messages pre-written, pre-recorded, and/or pre-configured?
  • Would you pay the ransom?

Strategic vs. Tactical

Strategic approaches are based in foresight, with the benefit of calm, clear heads. They are focused on objectives that relate to a bigger business perspective. Tactics are immediate, short-term, and situational. Our strategy for responding to and managing incidents should take advantage of all the intelligence the world has accumulated across more than 20 years of successful cybercrime, and all those lessons learned.

If tactics are not executed in support of a good strategy which can predict most threats, responses may be fated to fall short or fail. Strategic-level responses do best with buy-in from cross-departmental executive leadership across the organization. That buy-in converts the IR function into organizational intelligence that is active and builds resilience to adverse events across the organization.
