Human approaches to Security Incident Responses

You believe all the planning, moat digging, and stone wall building around your castle is the key to protecting your data, your users and ultimately your customers. Day after day your defense in depth layers work flawlessly; the incidents reported are false positives, filed as investigated and closed. Until one day the layers of protection around your fortress fail, and the incident is real. If you have ever worked an incident response, you know the tension and emotion increase minute by minute, the situation seeming desperate as two suspected endpoints turn into twelve, then twenty, then fifty. It seems out of control. In fact, it is out of control: it is in the control of the malware or ransomware – that is why the famous Lockheed Martin kill chain labels its sixth step ‘command and control’ – they are in control, within the walls of your castle. It is acceptable to feel out of control; it is NOT acceptable to be out of control. Below I’ve outlined three simple steps to surviving your first, or next, incident response.
1. Keep your cool – this seems impossible, but believe me, it is possible AND, more than that, it is necessary to stay calm, cool and collected. The team will respond to your level of stress, emotion and fear. They need a leader, not a hot mess. It is okay to show and share your fear, but through your actions show how to power through it. Finally, let there be one calm, cool, collected leader – a single quarterback. Not everyone should be calling plays, with team members running all over the field in chaos. Incident response is not a single-person event; be sure to use the full power of a coordinated team, and be the delegator, leader, emotional support animal, and quarterback they need during this difficult time.
2. Follow your Incident Response (IR) Plan – these plans are built during times of calm and rational thought. They are methodical, built on steps that follow a logical set of processes and procedures, each producing a positive or negative outcome that either continues, pivots, or halts the workflow. This allows you to suspect something, validate it with data, and then continue to the next step. The plans are tested and refined over time, include key team members (including your legal players), and have the approval of leadership. It is critical that you not trust your own brain during this time; physiologically, your brain under stress does not make sound decisions. Know that. Slight deviations are expected, but don’t do any major trailblazing. It is imperative that you trust in the plan and follow it.
3. Make data driven (not emotional) decisions – during my last incident response we confiscated an endpoint that the team was told was encrypted by ransomware. We spent 1-2 hours believing the endpoint was actually infected and making decisions as if the ransomware had already encrypted it. Our forensic analyst performed his inspection only to find it was NOT encrypted. Validate data points – always. Are endpoints showing indicators of compromise (IOCs) or actually infected? The line is blurry sometimes, but it is critical to know. Having data helps you understand how pervasive the incident is within your environment and allows you to make good decisions as you continue to work the Incident Response plan.
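The anecdote above turns on one question: was the endpoint actually encrypted, or did it merely carry an indicator of compromise? The following is an added example (not code from the post or its author) of a small triage helper that keeps those two states apart so the lead sees "suspected" and "confirmed" as separate counts. It uses Shannon entropy of a content sample as the validation signal, which is one common forensic check and goes slightly beyond the post's own wording. The entropy threshold, the IOC extensions, the hostnames and the file contents are all assumptions constructed for the example.

```python
import math
from collections import Counter

# Assumed threshold in bits per byte: encrypted or compressed data sits near
# 8.0, while ordinary documents and text are usually well below 7.0. Tune it
# against a baseline of your own clean files before relying on it.
ENTROPY_THRESHOLD = 7.0

# Assumed "IOC" file extensions for this example; real families use many others.
IOC_EXTENSIONS = (".locked", ".crypt")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_file(name: str, sample: bytes) -> str:
    """
    Classify one file from its name and a sample of its content.

    'confirmed' : IOC-style extension AND content that looks encrypted
    'ioc_only'  : IOC-style extension but readable, low-entropy content
    'clean'     : neither
    """
    has_ioc = name.lower().endswith(IOC_EXTENSIONS)
    looks_encrypted = shannon_entropy(sample) >= ENTROPY_THRESHOLD
    if has_ioc and looks_encrypted:
        return "confirmed"
    if has_ioc:
        return "ioc_only"
    return "clean"


def triage_endpoint(files) -> str:
    """
    Roll a list of (name, sample) pairs up to one endpoint verdict.
    One confirmed file makes the endpoint 'confirmed_encrypted'; otherwise any
    IOC-only file makes it 'suspected'; otherwise it is 'clean'.
    """
    verdicts = {classify_file(name, sample) for name, sample in files}
    if "confirmed" in verdicts:
        return "confirmed_encrypted"
    if "ioc_only" in verdicts:
        return "suspected"
    return "clean"


def triage(endpoints: dict) -> dict:
    """Map hostname -> endpoint verdict for a whole batch of reports."""
    return {host: triage_endpoint(files) for host, files in endpoints.items()}


def summarize(endpoints: dict) -> dict:
    """Count endpoints per verdict so the lead can size the incident from data."""
    return dict(Counter(triage(endpoints).values()))


# Constructed sample evidence (hostnames and contents are made up).
# bytes(range(256)) has exactly 8.0 bits/byte, the signature of encrypted data.
PLAINTEXT = b"Quarterly report: revenue up four percent, headcount flat. " * 4
ENCRYPTED_LOOKING = bytes(range(256)) * 4

SAMPLE_ENDPOINTS = {
    # Reported as "encrypted" because of the extension, but the content is
    # readable: the IOC-only case from the post, not a confirmed infection.
    "ws-finance-01": [("report.docx.locked", PLAINTEXT)],
    # Extension and high-entropy content agree: treat as confirmed.
    "ws-finance-02": [("report.docx.locked", ENCRYPTED_LOOKING),
                      ("notes.txt", PLAINTEXT)],
    # Nothing suspicious at all.
    "ws-hr-01": [("policy.txt", PLAINTEXT)],
}


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_ENDPOINTS).items():
        print(f"{host}: {verdict}")
    print(summarize(SAMPLE_ENDPOINTS))
```

Entropy is a triage signal, not proof: compressed archives and media files also score near 8.0, so a "confirmed" verdict here still needs the forensic analyst's inspection (file headers, ransom notes, process history) before the plan treats the endpoint as encrypted. The value of the helper is that a machine reported with a scary extension but readable content stays in the "suspected" column until data moves it.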
These steps are not groundbreaking, earth-shattering, radical, or even awe-inspiring. They are simple and real, and yet they work. Leadership, well-prepared incident response plans and validated data will make all the difference between a successful incident response and one that is spiraling out of control with the IOCs or infections spreading faster than you can contain them. In the end our goal is to protect the holy triad – confidentiality, integrity, and availability of the systems and data. A successful incident response will ensure the triad is honored, the castle is protected, the defense in depth layers remain intact, and we all live to fight the good Cyber Security fight another day.