Advance planning, training and simulation, and an understanding of organizational risk will go a long way toward avoiding rookie mistakes when a cybersecurity team meets its first critical incident.
Responding to a security crisis can be a challenge for most cybersecurity teams. It can be doubly so for a team with relatively new and inexperienced security professionals.
Mistakes that security groups often make when responding to an incident can be amplified when individuals with little prior experience are suddenly called in to deal with an exploding crisis. Problems range from procedural failures, such as not understanding the scope of a breach, not knowing how to escalate, and communications breakdowns, to technical mistakes like not retaining logs, not making backups, and pulling the plug too soon on infected systems.
Preparing a cybersecurity team for a crisis is a multi-step process that requires a blend of theoretical knowledge and hands-on experience, says Craig Jones, vice president of security operations at security operations firm Ontinue. “The CISO or security leader must invest in comprehensive training programs that cover detection, response, and mitigation of security incidents, as well as conducting regular crisis simulations such as tabletop exercises,” Jones says. “This will not only ensure that the team is well-prepared for a potential crisis but also minimize business disruption in case of a security incident.”
Here are five tips that Jones and other security experts identified as critical to ensuring a rookie cybersecurity team has what it takes to deal with a security crisis.
1. Establish foundational organizational knowledge
For a new cybersecurity team to be effective, it needs a foundational knowledge of the organization, its business requirements, risk profile, risk tolerance and key assets. The security team needs to know what it is securing and why, so it can understand what is required of it. In addition, team members need to understand business processes and their importance, as well as how potential breaches could impact them, says Jones. This foundational knowledge enables a better understanding of the potential vulnerabilities and threats that the organization might face, he says.
“The team must be familiar with the existing incident management processes that the organization has,” adds Fernando Montenegro, an analyst with analyst firm Omdia. The team also should be familiar with organizational and business priorities and know which systems and relationships are key. In addition, it’s vital that the team knows basic incident response and forensics techniques and tooling. They need to be familiar with both the technical aspects of dealing with a crisis--such as EDR investigations, detection engineering, network analysis and cloud drift detection--and also procedural aspects such as systems ownership and chain of custody, he notes.
“The idea here is to tie together security, IT, and business insights as the team looks at the technical evidence in front of them” during an actual incident, Montenegro says.
2. Define what a crisis would look like and create playbooks
Not all security incidents cause an enterprise-level crisis, and not all crises are cyber-related. Natural disasters, product recalls, accidents, and public relations debacles are all examples of non-cyber events that could have a significant negative impact on an organization. So, in preparing a new cybersecurity team for a crisis, it is important to define and rank--first by severity and then by likelihood--what precisely the business would define as a security “crisis,” says John Pescatore, director of emerging security trends at the SANS Institute.
“It is not the case that the top of the list will always be something like ransomware,” Pescatore says. Sometimes, a crisis might have nothing to do with cybersecurity, he notes. “For example, I remember hearing a Boston-area hospital CIO talk about how they were bombarded with attempts to get into hospital data after the [Boston Marathon] bombing because press reports had noted the bombers went to that hospital.”
Once the cybersecurity team understands what would constitute a security crisis for the company, create playbooks for the top handful of them. The playbooks should define roles for who does what and when. Consider doing an internal tabletop exercise at the next cybersecurity team meeting. “From there you can usually modify one of the first handful of playbooks--or sections within a playbook--for less common crises,” Pescatore says. “From there you can find many guidelines and courses on incident response processes and best practices.” Pescatore points to the Forum of Incident Response and Security Teams as a good source for free resources, as well as resources that are only available to members.
3. Create an incident response plan
Preparing a team of new cybersecurity professionals for a crisis means developing an incident response plan they can follow to respond to and mitigate any security incident that might trigger an enterprise-level crisis. Unlike a crisis management plan, which takes a high-level, strategic approach to decision-making and management during a crisis, an incident response plan is a tactical document that provides a step-by-step guide for mitigating an incident. Such plans often provide detailed technical instructions, workflows and tools for identifying, containing, eradicating and recovering from a security incident.
While there often can be overlap between a crisis management plan and an incident response plan, the latter tends to get much more into the weeds, says Christopher Hallenbeck, CISO, Americas at Tanium. In developing the plan, make sure the cybersecurity team can assess whether the incident significantly impacted operations, whether it resulted in data loss or exposure, and whether they need external help to investigate and recover.
“A ‘yes’ to one or more of those questions should trigger the crisis management plan,” Hallenbeck says. “Triggering the crisis plan doesn’t mean a full spin-up of those processes, but the people responsible for crisis management now need to be briefed so they can make a decision.” Security leaders need to ensure a clear delineation of responsibilities for their team and brief them on when to involve other people. They should be trained to “default to letting leadership know about an incident sooner rather than later as effective crisis management hinges on early involvement of the right people,” Hallenbeck says.
The incident response plans that security leaders develop for their teams should ideally align with common cybersecurity frameworks, such as the NIST CSF, and include processes for detecting, responding to, and mitigating different types of incidents, says George Jones, CISO at Critical Start. The plan should also address internal and external communication and escalation procedures, as well as any legal and regulatory requirements.
4. Training, tabletop exercises, and simulation
Practical training is a fundamental aspect of crisis preparation. Expose the team to crisis scenarios through simulations to improve their ability to detect and respond to actual incidents, says Jones from Ontinue. A tabletop exercise, for instance, is an effective way to simulate a cyber crisis. Having a team of new security professionals gather to work through simulated but realistic cyberattack scenarios can go a long way toward building a solid understanding of the threats that are relevant to the organization and how to mitigate them. “This method allows them to practice their response in a safe environment, refine strategies, and clarify roles and responsibilities,” he says.
Consider training the new team in using technologies such as security information and event management (SIEM) and threat detection tools, as well as in how to use threat intelligence and indicators of compromise (IOCs) to detect threats and signs of compromise. Prepare the team to react promptly and decisively, Jones says. “Incident response training should include proper classification of incidents, prioritizing based on severity, containment strategies, and communication protocols,” he says. “They should also understand when and how to escalate incidents, especially if they have the potential to disrupt business operations.”
Jones from Critical Start says regular attack simulations or tabletop exercises will help the team practice responding to different scenarios, provide practical experience, and identify areas for improvement. Training also instills a culture of collaboration and knowledge sharing within the team and across different departments, he says. “Incidents often require cross-functional coordination, so relationship building and protocol establishment across IT, HR, legal, and other relevant teams is critical to the success of the organization.” In preparing a new team for crisis management, make sure to cover technical skills such as network analysis, malware analysis and forensic investigation, he adds.
5. Leverage immersive training courses and experiences
One of the best ways to prepare a new team of cybersecurity professionals for a crisis before one actually occurs is to engage the services of a cyber range, says Rik Turner, an analyst at Omdia. Cyber range platforms--like those from companies such as Cyberbit, Immersive Labs, and CDeX--offer participants an opportunity to engage in realistic scenarios that replicate actual operational conditions. Unlike a tabletop exercise, which talks participants through a scenario to simulate an emergency, an immersive cyber range gives individuals a hands-on, experiential learning environment.
Organizations can use immersive platforms to replicate real-world cyberattacks and defense strategies. Often, organizations can configure these platforms and services for their specific environments. CDeX, for instance, has positioned its platform as giving organizations a way to create a digital twin of their IT and OT network, subnetworks, and machines. Cyberbit offers a cyber crisis simulator that gives security teams an opportunity to bring their incident response and executive teams together.
“These are companies that provide an immersive experience of living in the SOC [security operations center] as an attack takes place on your company's infrastructure,” Turner says. “Their programs extend beyond strictly technical staff to other departments that will need to be engaged such as PR and marketing, HR if there is an insider component, and, of course, the management team and board.”
While creating a series of rules for how to respond can have some value, an immersive training course of two or three days, particularly where the participants' results contribute to their career progression, can help sharpen their response capabilities, Turner says.