Summary
- There’s more to incident response preparation than having the right people, tools and a Cyber Incident Response Plan (CIRP) in place
- Incident Preparedness is a continuous cycle that considers an updated view of threats, risks and hazards
- There are different types of incident response exercises and all have a particular role in supporting a broader objective and strategy
It’s no coincidence that we’re seeing Scouting founder’s, Robert Baden-Powell, motto (“Be Prepared”) mentioned in numerous cybersecurity and incident response posts of late. In today’s environment of fast-evolving adversaries, expanding attack surfaces and complex environments – being prepared could make all the difference when faced with a likely attack. In a previous blog post, I compared leading incident response life cycles from NIST, SANS and ISO to draw attention to the inclusion of “preparation” in these frameworks. This inclusion highlights that it’s just as critical as any of the more “reactive” phases of effective incident response. But what exactly does incident response preparation entail?
One of the first things organizations will ask themselves is whether they have the people, resources and skills to respond to an incident if it strikes, as well as the tools and technologies needed to detect and investigate an incident. If these capabilities don’t exist in-house, they can be bolstered with the help of incident response service providers or Managed Detection and Response, like Secureworks® Taegis™ ManagedXDR. However, there’s more to preparation than having the people and tools.
Cyber Incident Response Plan
Naturally, organizations think of planning in the context of cyber incident response as having a Cyber Incident Response Plan (CIRP). And they’re not wrong; having a CIRP in place is a fundamental first step towards more proactive incident response. A CIRP sets out the how, what, when and who that apply to those tools and people, ahead of the incident, improving outcomes and effectiveness when the worst happens. Listen to our incident response subject matter expert share the Top 8 Incident Response Plan failures and what they tell us about incident response plan best practice.
With this in mind, it’s clear a plan alone is not enough.
Preparedness Cycle
Incident response often uses concepts from the emergency management community and preparedness is no exception. To help outline some of the key component of preparedness, I’m going to borrow an existing framework. Let’s consider the Integrated Preparedness Cycle, from the most recent version of the Federal Emergency Management Agency’s (FEMA) Homeland Security Exercise and Evaluation Program (HSEEP) doctrine. This cycle highlights 5 key areas:
- Plan
- Organize/Equip
- Train
- Exercise
- Evaluate/Improve
Figure: Integrated Preparedness Cycle – 2020. Homeland Security Exercise and Evaluation Program | FEMA.gov
It also highlights that preparedness is a continuous process, that requires a deliberate approach driven by a defined set of priorities and objectives, and draws on regularly examining threats, hazards and risks. This happens through assessments that can inform preparation planning and a program of activities/exercises. From an incident readiness perspective, this can involve both technical tests – such as vulnerability scanning or penetration testing, for example - and strategic assessments – including readiness, maturity and risk assessments. This input can also come from post-incident lessons learned from real-world incidents.
Organize/Equip and Train
As mentioned at the beginning, incident response requires a combination of people, resources, tools and skills to be effective. The same is true for proactive incident response and readiness activities to be successful.
Exercise
Practice builds confidence in advance of an incident, but also in the knowledge that most of the important decisions have been made and practiced. There are different types of exercises, and all have a particular role in supporting a broader objective. The HSEEP framework provides a useful breakdown of discussion-based or capabilities-based exercises. When helping customers design the appropriate exercise program, our proactive IR consultants consider:
- Is this for a technical or strategic audience? Effective incident response requires organization-wide awareness, and so all parts of the business and every business function should practice based on overall objectives or needs.
- Is it functional or non-functional (I.e. hands-on or not)?
- What is the focus of the exercise (scope)? Is it the latest web portal containing customer information? Is it a strategic business unit at a far-flung geographic outpost? Is the organization ready for a full-scale scenario or do we need to build up capabilities first?
Evaluate & Improve
As with any continuous cycle, it’s important that outcomes of activities are evaluated against the objectives and lessons learned are captured to enable ongoing improvements, recalibration, as well as inform exercise and preparedness needs moving forward.
Every organization is at a different stage in their security journey. While some may be starting out, others may be well-into real-time exercises designed to truly stress their team and organization-wide participants. The Secureworks Incident Management Retainer was designed to help unlock greater value by providing a proactive, consultative service. Secureworks incident response consultants help customers identify their level of maturity, and work collaboratively to develop a plan to mature their posture while taking into account organizational objectives and constraints. Reach out to an expert to find out how Secureworks can help you transform your approach to incident response for readiness and resilience.
Source: Homeland Security Exercise and Evaluation Program | FEMA.gov