Incident Response: It’s All About Being Prepared
by Dan Didier, VP of Services, GreyCastle Security
Be prepared. Everyone agrees that it’s not if, but when the proverbial hack will hit you.
And I’m not talking about a malware outbreak or a minor case of ransomware. I’m talking about something much scarier. Something I often refer to as the “B” word. That’s Breach, of course. I don’t even like to say the word, as it implies a legal situation that is of the most serious sort. That is, a legally bound event which requires notification, investigations, credit monitoring, audits and all sorts of business-halting activities. Not only that, it usually has a significant impact for customers, clients, business partners and anyone else that trusts you to deliver projects or services.
The bottom line?
- Relationships are tested
- Finances are stressed
- Employees focus on response, not normal activities
- Reputation is impacted
- Business operations recover (usually)
- Lessons are learned
I’d like to talk about that last point of learning lessons, as this is truly where you have the most opportunity today. Imagine if you were able to go through all the pain and torment of an actual incident and learn from it without any of the real-world impacts.
You would adjust business processes, train people, develop procedures and be better prepared to recover from an incident. It would be amazing to be able to recover faster with less impact, wouldn’t it?
So do it. You can start right now. You can ensure less impact and a quicker recovery simply by putting together a reasonable plan, involving the right resources and testing that plan. Of course, if you test it you’ll find things you can improve, so do that as well.
And don’t get caught up in the common misconception that only a finished plan is worth testing. You can test any plan, no matter how complete or incomplete it is. If you wait to test your plan and your people until you believe the plan is perfect, you’ll never test it. No response plan will ever be perfect, but testing will reveal where the weaknesses are.
Some helpful tips to get started:
- Build a plan using a good starting point: NIST has some great guidance
- Define a way to categorize the event so everyone quickly understands the impact: again, NIST provides some great guidance
- Test the plan
- Use real-world scenarios that apply to your industry. Avoid the common mistake of testing only IT-focused events such as malware. Consider a data leak reported by a business partner, lost backup tapes, phones or laptops, and unauthorized access to critical systems or data. Consider what happens if the media catches wind and how your business partners may respond. Involve legal so that you test your ability to decide whether an event is a legally reportable breach or not. Make sure the plan clearly defines when and how to conduct forensic investigations, so that you are prepared for litigation and avoid destroying evidence.
- Update the plan
- DO IT AGAIN
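As an added illustration of the categorization step above (this is example code written for this page, not the author's or GreyCastle's material), the helper below scores an event on the three impact categories that NIST SP 800-61 Rev. 2 uses, functional impact, information impact and recoverability effort, and turns the score into a priority the whole team can read at a glance. The numeric weights, the P1–P4 thresholds, the `legal_review` and `forensic_hold` flags, and the tabletop scenarios are assumptions constructed for the example; the point is that the categories and the resulting actions are written down before the incident, not improvised during it.

```python
"""Incident categorization helper (added example; not from the article or GreyCastle).

The three impact categories follow NIST SP 800-61 Rev. 2 (Section 3.2.6):
functional impact, information impact and recoverability effort.
The numeric weights, the P1..P4 thresholds and the legal/forensic flags
are assumptions chosen for this example; tune them to your own plan.
"""
from dataclasses import dataclass
from enum import Enum


class FunctionalImpact(Enum):
    NONE = 0      # no effect on the ability to provide services
    LOW = 1       # minimal effect; all critical services still available
    MEDIUM = 2    # a critical service lost for a subset of users
    HIGH = 3      # some critical services unavailable to all users


class InformationImpact(Enum):
    NONE = "none"
    PRIVACY_BREACH = "privacy breach"          # personal data accessed or exfiltrated
    PROPRIETARY_BREACH = "proprietary breach"  # proprietary data accessed or exfiltrated
    INTEGRITY_LOSS = "integrity loss"          # sensitive data changed or deleted


class Recoverability(Enum):
    REGULAR = 0          # predictable recovery with existing resources
    SUPPLEMENTED = 1     # predictable recovery with additional resources
    EXTENDED = 2         # unpredictable; outside help needed
    NOT_RECOVERABLE = 3  # recovery not possible (e.g. data already public)


# Assumed weights: information impact dominates because it drives notification duties.
INFO_WEIGHT = {
    InformationImpact.NONE: 0,
    InformationImpact.PROPRIETARY_BREACH: 3,
    InformationImpact.INTEGRITY_LOSS: 3,
    InformationImpact.PRIVACY_BREACH: 4,
}
# Assumed thresholds: (minimum score, priority label), checked highest first.
PRIORITY_BANDS = ((7, "P1"), (4, "P2"), (1, "P3"), (0, "P4"))


@dataclass(frozen=True)
class Incident:
    name: str
    functional: FunctionalImpact
    information: InformationImpact
    recoverability: Recoverability


def score(incident: Incident) -> int:
    """Sum the three category weights into one comparable number."""
    return (incident.functional.value
            + INFO_WEIGHT[incident.information]
            + incident.recoverability.value)


def triage(incident: Incident) -> dict:
    """Categorize one event so everyone reads the same impact and next steps."""
    s = score(incident)
    prio = next(label for minimum, label in PRIORITY_BANDS if s >= minimum)
    return {
        "name": incident.name,
        "score": s,
        "priority": prio,
        # Legal decides whether this is a reportable breach; flag the cases where
        # personal or proprietary data is involved so they get that review (assumption).
        "legal_review": incident.information in (InformationImpact.PRIVACY_BREACH,
                                                  InformationImpact.PROPRIETARY_BREACH),
        # Preserve evidence before any rebuild whenever data was touched or the
        # event is high priority, so a forensic investigation stays possible (assumption).
        "forensic_hold": (incident.information is not InformationImpact.NONE
                          or prio in ("P1", "P2")),
    }


def order_queue(incidents):
    """Return incident names, most urgent first; ties keep the reported order."""
    return [i.name for i in sorted(incidents, key=score, reverse=True)]


# Constructed tabletop scenarios in the spirit of the article's list (not real events).
SCENARIOS = [
    Incident("phishing email reported, no link clicked",
             FunctionalImpact.NONE, InformationImpact.NONE, Recoverability.REGULAR),
    Incident("unencrypted laptop with customer records lost",
             FunctionalImpact.NONE, InformationImpact.PRIVACY_BREACH, Recoverability.REGULAR),
    Incident("business partner reports our contract data posted publicly",
             FunctionalImpact.NONE, InformationImpact.PROPRIETARY_BREACH, Recoverability.NOT_RECOVERABLE),
    Incident("ransomware encrypts the primary file server",
             FunctionalImpact.HIGH, InformationImpact.INTEGRITY_LOSS, Recoverability.EXTENDED),
]

if __name__ == "__main__":
    for inc in SCENARIOS:
        print(triage(inc))
    print(order_queue(SCENARIOS))
```

Running it shows why the article warns against malware-only drills: the lost laptop causes no outage at all, yet it lands at P2 with both the legal review and the forensic hold set, while the ransomware case is P1 but raises no notification question on its own. Agreeing on those outcomes in a tabletop exercise is cheaper than discovering the disagreement mid-incident.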
Before you know it you’ll have a solid plan and a team that knows the plan and how to use it. In the event of a Breach, this will limit your exposure and expedite the recovery process.