Breach Defense Playbook: Incident Response Readiness (Part 2)

As I discussed in my last post, having an incident response readiness assessment (IRRA) can be a make-it-or-break-it factor when it comes to breach response preparedness. In this post, I’ll detail what specifically you should be looking at during the evaluation, as well as how to conduct the final stages of training the team and providing a report so your findings can be put into action.

Documentation Review

Your documentation review should begin with your incident response (IR) plan, security operations plans, escalation plans, security baseline documents, and corporate policies such as:

In addition, you should review regulatory compliance and response strategies that are written to support audits, compliance, and legal requirements. Lastly, you should perform a gap analysis of your existing security control documentation and supporting policies and procedures.

Network Security Review

When assessing network security with respect to IR, you should focus on the implementation of your organization’s defense-in-depth strategy, including:

In addition, you should look at your security operations center (SOC), focusing on the people, processes, and accessible technologies. At a minimum you should:

Incident Response Team Review

Next, you should review the IR team under the lens of determining whether appropriate stakeholders are included and if they have access to IR plans and documentation; if everyone on the team is fully aware of the comprehensive team structure/goals; and if proper training and exercises are taking place. At a minimum, your IR team should include stakeholders from IT, public relations, legal, risk management, vendor management, HR, and executive leadership.

The roles and responsibilities of each stakeholder should be established and written in the IR plan, along with escalation procedures that are exercised and further evaluated. The effectiveness of your IR capability is directly related to your team being prepared and trained, and understanding their roles and responsibilities during an incident.

Internal And External Response Capabilities

When reviewing your internal response capabilities, you should begin by ensuring that there is a secure location (physical or digital) to store IR data. Ideally, there needs to be a war room for SOC and IR team personnel to work in a collaborative environment during an incident.

Additionally, your organization needs to have access to IR triage and investigation hardware and software; network, log, and system forensic software and equipment; and malware reverse engineering capabilities. Many organizations do not provide these capabilities in-house, so you can leverage a trusted partner – keeping in mind that it’s important to proactively select them before an incident occurs, not after.

Many times organizations choose to place organizations on retainer for legal, crisis management, regulator, and insurance assistance. Therefore, when reviewing your internal response capabilities, you must evaluate what areas your organization will address in-house and what areas are outsourced, which is called your external response capabilities.

For external response capabilities, you should review your organization’s process of vendor management, including documentation and contact information. During an IRRA, you should ensure that the agreements with IR providers are accessible and reviewed, as well as those with outside counsel, crisis management firms, auditors, regulators, law enforcement, information sharing associations, and insurance providers. Lastly, you should review third-party service level agreements (SLAs) that pertain to monitoring, incident response, and forensics support.

Practice Exercises

In addition to assessing your overall readiness, it’s equally important to train your team and practice your IR plan. There are two main approaches you can take. The first is a paper-based tabletop exercise in which team members get together and are presented with a security incident scenario. The team members act out their normal duties and talk through the steps they would take to address and resolve the incident, and then afterward the execution is analyzed and reported back to the team for feedback, guidance, and enhancement.

The second approach involves a live test in which a piece of benign malware is placed on an internal system. The SOC and technologies are then tested for detection, and the IR team is activated and their actions are monitored, including the process of submitting tickets to initiate an incident response, forensic imaging and analysis of a system, analysis of network logs, and preparation of documentation such as reports and internal/external communications.

This approach can be a true comprehensive test of your organization’s IR capabilities, but it is often time-consuming and may require activation of third-party agreements. That being said, the value is generally greater than that of the first approach, since it provides the team with real-life training and provides a deeper level of authenticity to the analysis.

Assessment Report

At the end of your IRRA, your final report should include what mitigation activity you recommend, as well as a roadmap that includes short-, mid-, and long-term IR capability enhancements with defined milestones to gauge progress. The enhancements must be actionable and quantifiable with measurable outcomes.

Keep in mind it’s important to present your findings in plain English for non-technical readers. Your recommendations will likely require buy-in from above, so you need to present the appropriate justifications for implementing and the measured risks for not taking action so your leaders have all the information they need to make an informed decision.