Incident Response: Is Your IR Plan A Glorified Phone Tree?

Training internal security teams to be first responders can drastically improve an organization's effectiveness in the wake of a data breach. Here's why.

Kerstyn Clover, Attack & Defense Team Consultant

October 23, 2014

3 Min Read
(Image: Sylvain Pedneault, <a href="http://creativecommons.org/licenses/by-sa/3.0"target="new">CC-BY-SA-3.0</a>, via <a href="http://commons.wikimedia.org/wiki/File%3AFirePhotography.jpg"target="new">Wikimedia Commons</a>)

I've looked at incident response both as an investigator and a program builder preparing businesses before a breach occurs. This led to enthusiastic head nodding at articles by Kelly Jackson Higgins on incident response fails and preparedness. My major issue lately is this: I have seen one too many incident response plans that are really glorified phone trees.

The most common analogy to discuss a data breach is a fire. If your incident response plan is really just a directive to contact HR, legal, and an investigation team, you're skipping to the part where you call the fire department. You're missing the parts where you check doors for heat, use an extinguisher on small blazes, and grab your pets on your way out. Preparing for only the all-engulfing fire (something like credit card data theft) means you are missing opportunities to put out the little ones before they bring the whole building up in flames (network intrusions, unauthorized data access, and misconfigurations).

Where many companies miss out is on adequately training and utilizing the staff they already have. Who is most familiar with your network layout and where important data is stored? Is it a third party after the fact or the people who monitor and maintain it every day? Giving these people the resources to become first responders themselves can drastically improve an organization's ability to detect and react to intrusions. In fact, I'm sure many already feel that breaches have been a "not if, but when" risk for their company for some time.

Training and practice are crucial. Your SOC team cannot respond to an incident if they don't know what to do. Worse, they can make a responder's job far more difficult if they accidentally alter or destroy evidence. Training and education need to come first, followed by regular testing from a tabletop level to the hands-on with fabricated incidents.

The second half of the battle is to use this knowledge to build your documentation so that you stop leaping between either doing nothing or calling in the entire fire department. This benefits those of us who show up to help out, as well, because we have updated information on your network and daily activities.

Now that you have trained security firefighters, you need to give them the proper equipment. Tools can range from freeware to enterprise suites with on-call support. All that matters is that they enable monitoring, alerting, and response. A SIEM system is particularly valuable, because system and network logs are difficult to monitor and correlate manually; I frequently see one or two people tasked with reviewing logs for an entire company. Just think -- the more you can supplement your team with useful software, the less you'll have to spend on energy drinks to sustain their work.

Do you feel that your company is currently capable of handling intrusions without immediately calling for the sirens, ladders, and fire hoses? If so, please feel free to share your successes (or failures) in the comments.

About the Author

Kerstyn Clover

Attack & Defense Team Consultant

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights