An organization’s incident response team should include people in positions beyond security and IT. Stakeholders from legal, corporate communications, human resources, and more should also be involved in the preparation and execution of any incident response activity.
Preparation is key to allow for fast action when minutes matter. It’s not ideal to wait until a situation becomes a full-fledged escalated incident to start chasing down and educating stakeholders. Major players should know their responsibilities well ahead of time so that they only need the signal to jump into action. To help ensure team members are trained and empowered enough to take the right actions, at the right time, teams should conduct non-technical tabletop exercises and full breach simulations to run through the technical and non-technical processes.
Know your key players
When preparing for incident response, having the right people on the team is crucial. Every business has its own unique needs, but it’s recommended for organizations to identify specific individuals or teams for the following core functions:
- Incident management: This central role requires extensive technical knowledge and prior experience in management and incident response. The person in this role acts as an overall project manager to oversee technical task completion, as well as information gathering for all involved stakeholders.
- Enterprise incident investigation: This is where the challenges of working at an enterprise can vary from smaller counterparts. A large breach at a large organization requires leveraging technologies to assist in forensics across hosts (even remote ones) so that the team can find indicators of compromise, as well as potential scope, as quickly as possible.
- Technical analysis: These roles require technical know-how, and it's best to have analysts on the team who specialize in specific areas, such as malware analysis, forensics analysis, event log analysis, and network analysis. Any information these analysts find should be shared with the rest of the incident response team.
- Incident scoping: What was the extent of the breach? That's a crucial question any incident response team will need to know. The answer to this question may change over the course of the incident response and investigation, especially as technical analysis continues.
- Crisis communications: Sharing the findings of the investigation, as well as the scope and potential outcomes, will need to happen both internally and externally. An experienced crisis communications team should communicate the right details to the right audiences. Their responsibilities may include breach notifications, regulatory notifications, employee and/or victim notifications, and press briefings if needed.
- Legal, human resources, and regulatory concerns: If a breach has any regulatory or compliance considerations, it’s important to have someone on the team with knowledge of how to navigate disclosure requirements or work with law enforcement groups, such as a government representative. For teams that do not have in-house expertise for these requirements, specialized legal expertise on retainer is a worthwhile investment.
- Executive decision making: Any breach can potentially affect an organization's public image and financial standing, which is why executive leadership should always be involved. There will be crucial decision points over the course of an incident response and investigation, and the team will need executive input on how to proceed at these crucial junctures.
- Reporting and remediation: While working on incident response, it is important to document everything. With this information, teams should be able to piece together an entire story for the breach: what the attackers did, when and how they did it, and what they managed to compromise. This will make it possible to create a detailed response plan for remediation and mitigation recommendations to recover from the breach, and hopefully help the organization defend against any future attacks that are similar in nature.
After successfully responding to an incident, it's not time to rest just yet. The incident response team should conduct a post-mortem to learn from the experience—both to fine-tune their incident response program specifically, and also to retune their security program overall. What worked, what didn't work, and what could work better or faster? There's no better teacher than experience, so it’ll be important to glean as many lessons as possible from responding to a real incident.