Create an Incident Response Plan and Test It
All airline flight crews have aircraft evacuation plans for emergency landings, and they test them as part of training. Office buildings of any substantial size plan fire drills and test them, typically semi-annually. Businesses have cyber incident response plans that they test at least annually.
Well, two out of three “ain’t bad”. According to the “Cyber Resilient Organization”, a 2018 study by the Ponemon Institute [1], 77% of organizations lack a cyber incident response plan that is applied consistently. An internet search brings up many studies over the last five to six years that paint a similar picture of preparedness.
I can reflect on one organization to which I recommended development of an incident response plan. As part of that plan, I proposed pre-positioning outside counsel, forensics, and public relations/crisis management. They declined, apparently thinking the cost of such preparation exceeded the value of what could be lost. But they could have lost a considerable amount of as yet unpatented intellectual property and their investors’ startup funds. Fortunately, they did not suffer an attack.
Incident Response Plans You’ll Find on the Internet Are Mostly Technical
A search for an incident response plan will likely turn up a largely technical response process, perhaps a flowchart with a box somewhere labeled “Inform Management”. I’ll abstain from showing samples gleaned from the internet, but for your interest, ask Anthropic’s Claude or Microsoft’s Bing Copilot to “write a concise incident response plan”. You’ll get outlines that are variations on NIST’s Incident Response Guide [2], e.g., Prepare, Identify/Detect, Contain, Eradicate, Recover, Review Incident for Lessons Learned. Typically, nearly all of the work described is technical, with non-technical steps appearing only in the first and last of these activities.
Most Incident Response Plans Are Missing Management
What part of such a response plan deals with stockholders, employees, customers, prospects, vendors, regulators, cyber insurance, law enforcement, the trade press, and social media? None of it. Responding to a major cyber incident requires planning for a much broader process.
I recommend organizing your response as five parallel tracks (at least), managed by separate subteams of your Cybersecurity Incident Response Team (CSIRT):
- Governance Track: Performed by an Incident Response Leadership Team (IRLT), this team is responsible for leading the organization’s response. Its standing members should include the COO or other executive with suitable authority, the Heads of Legal, Corporate Communications, IT, Information Security, and Compliance (if appropriate). All may send a delegate with suitable authority. The Incident Commander and outside counsel, if engaged, are required members of this group. Situational members may include Heads of HR, Finance, and Business Operations if their data was compromised or operations disrupted. The IRLT approves or guides all legal action, communications, technical response, and operations response.
- Technical Track: This is the usual focus of most incident response plans. Led by the Incident Commander, the technical team executes detection, analysis, containment, eradication, and recovery, supported by outside forensics. The Incident Commander acts as the conduit to the IRLT, informing the Governance Track on the nature and impact of the incident, explaining the effect response actions will have, and bringing guidance back to the technical team.
- Legal Track: Led by the internal Legal officer or Outside Counsel (if engaged), this team is responsible for keeping the company out of legal trouble with regulators and other stakeholders, negotiating with cyber insurance and ransomware attackers, engaging law enforcement, and approving all communications.
- Crisis Communications Track: Led by the Head of Corporate Communications, this team develops all messages to management, employees, stockholders, vendors, customers, and the media, and it gauges the sentiment of various stakeholders by taking all calls and emails, and by monitoring the media (including social media). The team may include an outside PR firm specializing in crisis management.
- Operations Track: While this varies depending on the company’s business, this team informs the rest of the overall response team of the actual business impact and collaborates with the technical team to restore operations.
All teams participate in preparation, all synchronize through the IRLT, and all meet together in the post-incident review.
Be Prepared
Each of these teams has to prepare if your organization has any hope of responding to a cyber attack in a timely way with minimal cost. Before any incident materializes:
- The Incident Response Leadership Team must have its checklists for first meeting, ongoing meetings, and incident closing meeting, and it must contract with outside counsel.
- The Technical Team must have attack-specific playbooks, it must perform drills, and it must contract with outside forensic and incident response services. Better yet, the forensics service may want to pre-position its tools on the network for a fast start.
- The Crisis Communications team must pre-position outside public relations firms who have expertise in this area. The combined team must have scenario-specific templates for messages to management, stockholders, employees, and the media.
Finally, put it all together with a table-top exercise or a drill. Alternatively, run a table-top for the IRLT and send the technical team to a cyber range. And remember, exercises are a process of continuous improvement: these drills may start out awkwardly, with lots of questions, but the real objective is to develop “muscle memory” so that a real incident is not met with disarray and uncertainty about the response process.
If you’re interested in more detail on creating such plans, please contact me.
References:
© 2024 Stephen E Lipka, All Rights Reserved.