If your company has any type of regulatory cybersecurity requirement, chances are those requirements include a Cyber Incident Response Plan. Whether your requirement is DFARS 252.204-7012, PCI, or ISO 27001, incident response is a critical piece of your compliance and risk mitigation.
But for that plan to really have value, you have to test it.
Your CIRP is the blueprint your organization will follow – not just in a major event, but multiple times over the course of a year. Too many of our clients think of the CIRP as something that sits on the shelf to be pulled out only when the BIG cyber breach occurs – ransomware, malware, or massive data loss.
The truth is, that’s the worst time to have to dust off and follow a plan you haven’t looked at in months. Cybersecurity events happen regularly – every day for some organizations. They are not big enough for executive leadership to get involved, but they are significant enough that someone has to decide how to handle them. Is it a false positive? An indication of a larger, coordinated attack? Do you ignore it? Investigate? What elevates an event to an actual incident?
True cyber maturity comes from procedures and decision-making being second nature to those in the organization, and that includes cyber incident response. We prepare by having layered defenses in place, procedures to respond to events big and small, and by training for the big event. You wouldn’t try to run a marathon without mapping the course, knowing where the water stops are, and maybe running a few 5Ks (at least).
Incident response is the same.
So why don’t most companies exercise the CIRP? Making the move from reactive to proactive is sometimes the hardest leap. If you are a CIO, how many times has a day gone off the rails because you had to respond to a technical rollout gone wrong or answer an unexpected data call? With barely enough time to get day-to-day tasks done, who in the organization is tasked with planning an exercise?
For companies supporting the U.S. Department of Defense, not only is an incident response plan required, but exercises and after-action reporting are too. A solid and mature IR capability is one of the most important requirements, because the ability to quickly stop an attack in progress, recover, and manage the event is key to limiting the damage and protecting your business.
When working with our clients on IR planning, we follow the crawl – walk – run philosophy. Too many companies think an exercise has to involve failover and potentially technical downtime. It doesn’t. Once the plan is in place, the first step is to make sure everyone who has a role in responding knows what that role is and when they are needed.
Next, we generate a simple scenario with a few injects that identify gaps or outstanding risk. This kind of exercise takes a few hours and brings an element of realism that participants remember even after the event has ended. Then, we create an after-action report that documents the gaps, provides tasks for gathering more information, and updates the plan.
You could, of course, do this yourself, but creating the exercise injects and facilitating the exercise is where many organizations get stuck. Strategic Cyber Partners works with and recommends FirstLook, a customized inject-based scenario from PreparedEx for incident response of all types, including cyber. Rather than just a walk-through of the IR plan, FirstLook provides actual what-ifs and concludes with after-action items. For organizations that need to show a proactive, mature IR capability, FirstLook is cost-effective and time-efficient, and it provides real results.
Interested in learning more about Cyber IR Planning, or FirstLook?