10 Non-Technical Steps to Cyber Incident Response
I don't want to talk about endpoint protection, next-gen firewalls, multi-factor authentication, or other security technologies. I also don't want to scold you about what SHOULD have been in place.
Instead I want to offer you some helpful things to consider when managing a cyber-incident.
1. Identify the incident clearly. Was there an incident even? What do we KNOW vs. what do we THINK vs. what might be coincidence?
2. Inform users that they are not in trouble if they are the source of the incident. Cyber incidents can happen to anyone.
3. Secondary information is not useful. Bring in the user(s) that witnessed the incident and speak to them directly.
4. Assign roles for the IRT (incident response team). In smaller organizations, one person might have multiple roles. You should have the following:
   - A single point of contact (SPOC) who will communicate internally and externally
   - A single approver of purchases (mileage, overtime, overnighting devices, hiring cyber security vendors)
   - Someone to interview users / investigate user devices
   - Someone responsible for investigating infrastructure logs
   - Someone responsible for investigating security tools
   - Someone handling legal and insurance compliance
5. Everyone on the IT team needs to understand the urgency. This might be a late night. No, it can't wait until tomorrow.
6. Everyone on the executive team needs to understand the urgency. Expenses need to be approved quickly and people may be working overtime. They need to be comfortable with the SPOC communicating with external parties.
7. Maintain integrity. Logs aren’t overwritten. Suspect emails are quarantined but not deleted. No purging spam or trash. Compromised accounts are disabled, but not removed.
8. The IRT needs to be fearless about who they are taking offline. Whoever is suspected of being compromised needs to be isolated immediately; it doesn’t matter if it’s the CEO, CFO or Board Chair.
9. The SPOC needs to set an hourly communication cadence with Leadership and IT staff.
   - Include clients and suppliers if the incident was reported to your organization by them.
   - Include a bulleted list of next steps in every communication. This goes a long way towards building confidence in the IRT.
10. Don’t skip the post-mortem. Once an incident has been resolved, it’s easy to get back to the work that has piled up while you were putting out fires. Momentum is lost easily, so recommendations from the post-mortem should be implemented within 2 weeks of the incident.