I want to take the opportunity to break down what goes into preparing for incident response and what that preparation could look like from the perspective of an infosec professional.
Going back to NIST, there are a few things that are considered:
Part of a well-defined IR plan includes creating an IR policy and plan, and deciding which tools will be used for incident handling and reporting. It also requires a defined team structure: who are the players? Who are the lead engineers? Who is in charge of collecting forensic data? What happens during the eradication and recovery phases, and who is in charge of them? Should these functions be assigned to a team or to an individual? Finally, it requires a well-described line of communication between teams, and between the technical and executive teams (yeah, executives need to be involved).
Training is also considered part of the preparation phase. It is particularly important and something that takes time and effort, but I’m very glad something like this is included as part of the framework.
Last but not least, the ability to invest in protecting systems, networks, and applications should be at the top of the list of priorities. Like everything in life, we prepare for something that we do not want to happen to us. From a business perspective, keeping systems, networks, and applications secure should be part of an incident response plan, or at least accountability should be called out inside the plan: for example, who is in charge of each of the pieces mentioned above.
The planning and preparation are extensive, so without much preamble, let’s take a look at the following breakdown of things to consider.
Cybersecurity IR (Prepare): Develop an incident response plan
A well-defined incident response plan should outline the roles and responsibilities of the IR team, the steps to be taken during an incident, and the tools and resources that will be needed. The plan should be regularly reviewed and tested to ensure that it is up-to-date and effective.
It is also very important to define the team or teams that need to be involved when responding to an IR event. There are several frameworks or structures for how to handle it.
A central IR team is effective for small companies. A distributed IR team, or teams, works effectively for larger organizations, perhaps spread across multiple geographic locations; although this model functions in a distributed fashion, it still requires a single channel of communication between the IR teams that operate this way. Last, a coordinating IR team has no authority over the teams handling an incident, but it provides them with guidance and advice.
Cybersecurity IR (Prepare): Train employees
Employees should be trained on basic cybersecurity principles and best practices, such as how to identify and report suspicious activity, how to create strong passwords, and how to protect company data.
Comprehensive cybersecurity training for companies of any size could have the following elements:
- Security Awareness Training
- Password Security Training
- Phishing Awareness Training
- Social Engineering Training
- Mobile Device Security Training
- Incident Response Training
- Data Protection and Privacy Training
Again, I think it’s important to understand that one size does not fit all, and this is also the case for the training provided to and required of employees.
Cybersecurity IR (Prepare): Implement technical controls
Technical controls, such as firewalls, in