Handling cyber security incidents can be stressful, especially with uncertainty regarding cause, remediation, and the extent of the impact. However, firms are often required to respond to an attack immediately with whatever information is available, or they run the risk of greater loss. This stress intensifies when firms do not know what to do or whom to call, leaving them seemingly helpless and more susceptible to loss.
To better prepare for cyber emergencies, firms should invest in a team of incident responders who are equipped with technical skills to act quickly and reliably. The incident response team is responsible for mitigating the effects of an incident in a timely and organized manner, including analyzing the intrusion, containing the impact, investigating the root cause, and remediating the issue.
Structures and Forms
Depending on the needs and priorities of an organization, the incident response team can take on varying structures, including both internal and external parties. The scope of responsibilities may also differ depending on the nature of an incident. For instance, an organization can set up its own dedicated Security Operations Center (SOC), an internal division consisting of IT and security personnel taking care of continuous monitoring and handling incidents. A company can also have an external partner committed to activating as needed to provide incident triaging services or an advanced level of digital forensics and crisis management expertise.
In order to ensure coverage and availability, many organizations, especially large global ones, choose to have their incident response teams located in multiple regions such as North America, Europe, and APAC with an active incident response team available whenever a security incident is discovered. Having worked in a few companies with such global incident response team set-up, I found the strength of local presence highly valuable.
However, teams operating across large distances and multiple time zones must employ proper communication and collaboration efforts. Information sharing and transparency with established standard operating procedures for incident collaboration and handover are extremely important for the multi-regional incident response team to be effective. For organizations without global presence, incident response teams may work in shifts to achieve 24/7 coverage as needed. Otherwise, partnering or contracting with locally-based, specialized incident response firms like Blackpanda is often more cost-effective.
Roles and Responsibilities
As the structure and form vary, an incident response team may comprise multiple different roles. Below is a list of key members for an effective incident response team and their responsibilities. Depending on the nature of a cyber incident, additional or fewer roles may be required.
Senior/Executive Management, who will effectively lead and oversee all activities, making or approving critical decisions and directives;
Incident Manager, who will manage and coordinate the overall incident response process, identify necessary tasks and assign them properly, ensuring important information and evidence are properly retrieved, documented, analyzed, reported, and escalated to the appropriate channels when necessary;
Department Leads, who will lead respective functional support as required, including timely dissemination of communications, media relations, regulatory compliance, HR and employee coordination (especially if an internal employee is discovered to be part of the incident), legal representation and guidance on any liability issues that may ensue;
Technical Lead/Recovery Manager, who will work closely with the Incident Manager, usually in leading the investigation on-site and focus on the technical tasks, particularly the initial scoping of compromised assets in the identification phase;
Security Analysts and Researchers, who will work closely with the Technical Lead to investigate the cyber incident, focusing on identifying the scope, containing the damage, analyzing the root cause, assisting in recovery, and documenting all details into an incident report; they may also conduct continuous monitoring and gather threat intelligence.
Regardless of the role a member plays in the incident response team, it is essential for everyone to be actively involved in the ‘Incident Response Preparation’ and ‘Lessons Learned’ phases to ensure the team understands the organization policies, communication plan, tools, and resources available.
Additionally, key members of the team are recommended to have auxiliaries or deputies such that the entire incident response team always functions seamlessly and effectively when any members are unavailable.
Skills and Experience
Varying levels of skill and experience are often required for different cyber incidents. Particular skills an incident response team may include digital forensics capabilities, malware analysis, and reverse engineering, data analysis, as well as soft skills such as effective communication, collaboration, and documentation.
To build an effective incident response team, relevant training on the required skill sets is essential. Table-top exercises and red team attack simulations are great ways to identify any gaps or critical skills missing for potential team training. Frequent training also keeps the team up to date on the latest risk and security trends, bracing them well to fight new threat actors and attack strategies.
In addition, arming the team with the right set of tools will also enhance the performance and capabilities. Likewise, it is highly recommended to provide specific training on available tools with hands-on practice to ensure the team fully understands how best to use them. With a structure suitable for your organization, the proper roles established, and the professional skills and tools training in place, an effective incident response team can be built.