Since our PacketWatch team performs complex incident response around breaches, we are often asked: “What are the most important things for us to do in the first 10 minutes of an incident?” It’s hard not to chuckle when you hear that question. It most likely means it’s not going to go well for that client unless they make some changes. Let me explain why.
A Football Analogy
It’s football season, so we’ll pick an analogy from there. Imagine the Offensive Coach has an idea for a new play and jots it down on his playboard. It’s a great play against a particular defensive formation. He’s shown it to a few people, and they agree. Say it’s now game day and he sees the telltale defensive formation on the field. Time to run the play! Except not everyone on the field has seen the play, much less practiced it. The General Manager and the Head Coach certainly didn’t know that was going to happen. Nonetheless, you send in the play to the quarterback and tell him to execute. I think we can safely say that it’s not going to work well. If, by some chance, it does, it’s only because of the sheer athleticism of the team members. More likely it’s going to be chaotic, disorganized, and potentially disastrous. Most of the team will have no idea what to do and may not even recognize the call for the snap. The General Manager and the Head Coach will not be happy and will be looking to blame you for the disaster. They’ll let you face the press at the after-game conference. If you’d only had time to practice it and put the play through the paces with the team, it could have been stellar. But it’s too late now.
Incident Response Plan
So it is with incident response (IR). Typically, a document (IR Policy/Plan) is created by someone in the compliance department [because you needed to have one for your cyber insurance application]. Customers and partners have also been asking if you had one. Few internal people have seen it. Truth is, you copied it from someone else’s plan and put it in the policy binder. No one has ever evaluated the plan, worked through the processes, or developed playbooks for common scenarios. The folks on your team are not the most experienced and they probably can’t save you from disaster. If an incident were to happen today, the result would be like the infamous play above. Likely complete chaos and an expensive failure. Perhaps even a “resume generating event” for you.
Practice, Practice, Practice
“A winning effort begins with preparation” – Coach Joe Gibbs
The solution is what the coach should have done above. The coach should have walked the team through the play and each player’s role. He should have made sure communications were clear and that everyone knew who was authorized to make decisions on the fly. He should have told the “head shed” to make sure they have the right players on the field and what they should expect: what could go right and what could go wrong. He should have taught the team to anticipate the unexpected. Train some more and then do it all over again. Once they have rehearsed it a few times, the likelihood of success jumps exponentially.
The Tabletop Exercise
An Incident Response Tabletop Exercise (TTX) can accomplish just that for your organization. A TTX should be performed at least once a year. We recommend breaking them into a technical track and an executive track. Different topics, different personalities. The technical track focuses on the security team and their response processes and capabilities. The executive track focuses on the legal, communication, and crisis response elements of an incident. The PacketWatch TTX is run by experienced responders who have seen it all – good and bad. With a few days of emphasis on each track, your organization can be better prepared to respond quickly. As Coach Joe Gibbs said: “A winning effort begins with preparation.” Contact us today to scope and schedule an IR TTX for your organization.