How to select a suitable incident response program for your organization
All organizations, regardless of how well they think their walls are fortified, will at some point fall victim to an attack. How they respond to the attack could mean the difference between recovering with minimal loss and shutting the organization down.
In this podcast recorded at Black Hat USA 2017, Susan Carter, Sr. Manager Threat Intelligence and Incident Response Services at NTT Security, talks about how to select a suitable incident response program for your organization, and outlines the options organizations have to help them prepare for that imminent attack or breach.
Here’s a transcript of the podcast for your convenience.
Joshua Corman, founder of I am the Cavalry and Director of the Cyber Statecraft Initiative, stated in a recent keynote that for all vulnerabilities disclosed anywhere, commercial databases currently track only 80% of those vulnerabilities. CVEs tend to have 60% of that 80%. So, when an organization is making a risk decision, they’re doing it with a blind spot of about 50%.
All organizations today, regardless of how well they think their walls are fortified, will at some point fall victim to an attack. It’s almost guaranteed because of the statistics from Joshua Corman, and it’s only going to get worse. How the organization responds to the cyber attack could mean the difference between recovering with minimal loss and shutting the organization down.
Not only can the financial impact of an attack due to downtime, lost business, cost of mitigation and cleanup and possible regulatory fines be astronomical; other facets such as loss of intellectual property and reputation are hard to put a price tag on. Just one catastrophic critical incident of security concern could shutter an organization for good.
The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses over six months after a cyber attack. In my experience, the only way to ensure survival of an attack today is to invest in a solid incident response program, and that investment needs to include talent, time and money.
The organization needs to ensure they have an incident response program that is championed by a C-level executive. This will ensure visibility to other C-level execs, assurance that the importance of the program is understood from above and that it is a priority, and that an investment of some kind is promised to ensure a successful program.
In my opinion, organizations have a few options to help them prepare for that imminent attack or breach. All three options have different degrees of commitment and investment with slightly different results, depending on the organization’s size and funding commitments.
First, this may be the only option for smaller organizations with limited funding. Realizing the importance of having a plan of action in case of a critical incident is half the battle. These organizations usually have a very small in-house IT staff, if any, so it’s prudent to contract in advance with a third-party incident response provider for on-demand retainer services.
The assurance that expert help is just a phone call away, and that help can be reached 24/7, is of utmost importance. Many of these providers, like NTT Security, may have contract options in place that allow the organization to convert the retainer hours at the end of the contract to other services. This way it’s better than an insurance policy: the organization can still get value out of the investment even if they didn’t experience a need to use it during that contract year.
Even if you have a third party in your back pocket, I would like to caution that it’s not a buy-and-pray-for-the-best solution. It’s important to understand that there will be requirements of the organization during an incident response cleanup or forensic investigation that require a little advance planning. The provider will be asking for logs, system images, copies of gold images and other evidence. Being prepared in advance for these requests will make the difference between a successful IR engagement with minimal impact and a very costly engagement.
The second option is for organizations that have an incident response plan written but don’t have the skill set or resources to support a major breach, or whose program is still in the maturing stages. Companies in this position would greatly benefit from partnering with a third-party incident response firm that offers program assessments and validation services.
We at NTT offer a proactive service where we come in and assess written documents from the organization, and we do an assessment against best industry standards and practices such as NIST and ISO, along with their own years of experience in the space.
We offer advice on how to improve the program. Once the assessment is complete and documentation updated, a test of the execution of the plans can take place to determine the effectiveness of the plan, along with identifying other areas that can be improved, like identifying at what point legal needs to be brought in and when third-party providers should be called, or even whether you know who to call.
If an organization does not have an incident response plan in place, or would like to supplement their incident response plan with specific runbooks or playbooks, NTT can help with that development as well.
An incident response program is not something that can be developed and forgotten. I see companies that are most successful and confident in handling incidents when they partner with a third party on an annual basis for program review and assessment, and to facilitate testing of the organization’s incident response team.
Like a firefighter, they spend a good amount of time training and practicing so that instinct comes into play when they have to respond to a fire. It’s the same for your incident response team.
A residual benefit of utilizing NTT proactive services is that the analysts who go in to assess an organization’s incident response program will most likely be the analysts who will respond if they have a breach and call in the cavalry for backup. The organization will know the analysts and their capabilities, and the analysts will already be familiar with the organization’s environment and the staff that will be working with them. This will speed up the response tremendously. And we all know time is money when it comes to breaches.
The third and final option is for organizations that have the capability, talent and financial backing to define, build, mature and maintain an effective incident response capability. However, in cases where incident response capabilities are handled by an internal team, I have observed circumstances where special expertise is needed to support advanced response requirements. For instance, many internal incident response teams do not have training in detailed forensic analysis or reverse engineering of malware. Some organizations will elect to put a third-party incident response service on retainer to assist in those situations.
In my experience, an attack never comes at a convenient time. It will be the Friday afternoon before a holiday weekend when your smartest IT guy is unreachable because he’s enjoying his ten-year anniversary with his wife on a luxury cruise liner with minimal to no access to the outside world; or during the change control freeze to ensure production systems stay stable during critical times such as the Christmas shopping season.
Incidents will happen, and if your org is not prepared with a plan and has not practiced it, it could be the difference between the organization surviving the incident or shutting the doors.
Our view is that incident response should be looked at as a continuous process, rather than a reactive one, that can enable an overarching security strategy and is necessary to survive in today’s world.