The subject of incident response has been a constant in our industry, mainly in the shape of reminders that you need to do it more often, involving more real life scenarios and getting people involved. For that last point though, how can you get people involved when they are not in the same physical location or as concentrated on the task as you would desire?
In research featured on Infosecurity last week, where Immersive Labs surveyed 402 organizations about their incident response plans, three data points stood out: 20% of respondents said they find it impossible to effectively involve people in crisis response remotely from other geographies, a quarter of organizations ran crisis exercises without senior cybersecurity leadership in attendance and only 20% of exercises involved communications team members.
Brandon Hoffman, CISO at Netenrich, recommended three elements to consider for having meaningful participation in the IR process:
- First, have a very detailed and document incident response plan with runbooks, standard operating procedures and expected outcomes
- Second, identify steps in the runbacks or procedure that a non-technical person can take an action to support the desired outcome
- Third, train the people on the steps they can take and how to identify the opportunity to take that action
Training people is a challenge when they are not in the office though. Heath Renfrow, director and vCISO at the Crypsis Group, said having everyone in the same room has been a luxury for most companies, “so conducting tabletop and disaster recovery exercises with everyone remote may be an adaptation, but it isn’t an insurmountable one.”
He claimed that the pandemic shows remote collaboration can be effective, and these exercises can be done using the same technologies we are using today, with detailed, planned exercises put into a presentation, leveraging thought-provoking questions and facilitated by a non-participation party guiding the exercise.
What are the options for remote exercises? Jack Mannino, CEO at nVisium, recommended the use of “engaging, self-paced education” to communicate some of the important information without burying team members in useless data, and this can involve running through security playbooks and collaborative exercises to ensure everyone knows their responsibilities and how to accomplish their duties in the event of a security incident.
Eric Friedberg, executive chairman of Stroz Friedberg, said in his experience, there has been use of table top exercises, and in getting employees to do drills. He disagreed that it is harder to do incident responses exercises when employees are working remotely or from home, citing one example where the incident response plan was utilized after an east coast USA company was impacted, and the CISO was based in Phoenix, Arizona. “What was interesting about that was that we had 15 people on it as 90 companies were down.” This led his company to do scanning of host environments and using its own EDR tool across regions remotely, and so he was able to resolve the situation.
Joseph Carson, chief security scientist and Advisory CISO at Thycotic, explained that the current remote working climate is “a great time to test your incident response and business reliance.” Echoing what Friedberg said, he claimed that in his experience, “security breaches tend to happen when people are not in the office” and he recalled tough long distance calls during the NotPetya ransomware incident in July 2017.
He recommended taking advantage of this time “to test your process and procedures as it will provide you with a more realistic scenario of a real cyber-incident.”
The statistics we saw last week suggested that all of the work that could be done on incident response was being put to the side because of the dispersed workforce. In fact, as Friedberg and Carson pointed out, the pandemic (or other incidents) can be and should be no barrier to ensuring business as usual.