
Battle-test and involve

Editorial Type: Opinion     Date: 09-2014    Views: 1800   
Panos Dimitriou, CTO & Co-Founder of Encode Group, encourages organisations to revisit their incident response planning and engage with personnel from all departments.

The key to the successful formulation and implementation of a cyber-security strategy is to make sure that business units understand that they are stakeholders and that it is in their interest to support the IT security function. In the event of a serious security incident, coordination of actions plays a crucial role in recovery and remediation.

Ultimately, attacks impact the business, and the business must be involved in this process. Apart from a well-trained and equipped Cyber Incident Response Team, you therefore need to make sure that specific roles and responsibilities are assigned from inside the organisation, covering as a minimum the following:

= Line of business owners whose services and systems could be affected (impact assessment)
= Legal (regulatory requirements)
= Marketing and PR (external communication).

Abolish the doctrine of contain and ask questions later
A common incident response strategy, often mandated by security policies, is the immediate isolation and containment of the systems considered compromised, followed by a digital forensic examination. Although this might be appropriate for a worm infection or a website defacement, for a critical incident such as a cyber-security breach instrumented and operated by an adversary it is a recipe for disaster: you have thereby notified the attacker that they have been detected, allowing them to respond, while you do not yet know the extent of the compromise from either a technical or a business perspective. More systems may be compromised and data may already have been exfiltrated.

A well designed incident response plan with corresponding resources is critical to allow your IR team to:
= Monitor the attacker's activities
= Understand their Tactics, Techniques and Procedures (TTPs), develop Indicators of Compromise (IoCs) and utilise these to detect further compromised systems and additional or possible footholds and re-entry points
= Pinpoint the root cause of the incident
= Provide a complete picture of the breach, enabling the appropriate containment and eradication activities to be selected and executed.
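The IoC step above, taken together with the next section's point that logs must be centrally collected, is illustrated by the following sweep. It is an added example, not code from the article or from Encode Group: it parses a few constructed, syslog-like proxy and endpoint records, matches them against a small constructed IoC set (a domain, an address from the RFC 5737 documentation range, and a placeholder hash), and reports which other assets show the same indicators, i.e. where else the adversary may hold a foothold. The field names (`src`, `url_host`, `dst`, `host`, `sha256`) are assumptions about the log format.

```python
"""Sweep centrally collected logs for indicators of compromise (IoCs).

Added example, not from the article. All log lines, indicators and
field names below are constructed for illustration.
"""
import re
from collections import defaultdict

# Placeholder hashes (constructed, not real samples).
PLACEHOLDER_SHA256 = "ab12" * 16
BENIGN_SHA256 = "00" * 32

# Constructed IoC set: the kind an IR team derives while observing the adversary.
IOCS = {
    "domain": {"update-check.example.invalid"},
    "ip": {"203.0.113.77"},  # RFC 5737 documentation address
    "sha256": {PLACEHOLDER_SHA256},
}

# Constructed, syslog-like records from a web proxy (proxy01) and an endpoint agent (edr01).
SAMPLE_LOGS = f"""\
2014-09-02T08:01:13Z proxy01 src=10.0.4.21 url_host=update-check.example.invalid dst=203.0.113.77 bytes=412
2014-09-02T08:01:49Z proxy01 src=10.0.4.35 url_host=www.example.org dst=198.51.100.10 bytes=9812
2014-09-02T08:02:10Z edr01 host=WS-0421 proc=svchost.exe sha256={PLACEHOLDER_SHA256}
2014-09-02T08:03:05Z proxy01 src=10.0.4.88 url_host=cdn.example.net dst=203.0.113.77 bytes=377
2014-09-02T08:03:40Z edr01 host=WS-0102 proc=explorer.exe sha256={BENIGN_SHA256}
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

# Which log field each IoC type is matched against (assumed log schema).
FIELD_FOR_TYPE = {"domain": "url_host", "ip": "dst", "sha256": "sha256"}


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into (timestamp, source, {k: v})."""
    timestamp, source, rest = line.split(" ", 2)
    return timestamp, source, dict(KV_RE.findall(rest))


def match_iocs(fields, iocs=IOCS):
    """Return the set of (ioc_type, value) pairs present in one record."""
    hits = set()
    for ioc_type, field in FIELD_FOR_TYPE.items():
        value = fields.get(field)
        if value is not None and value in iocs[ioc_type]:
            hits.add((ioc_type, value))
    return hits


def sweep(log_text, iocs=IOCS):
    """Map each asset (client IP or hostname) to the indicators seen on it."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, _, fields = parse_line(line)
        # Proxy records identify the asset by client IP, endpoint records by hostname.
        asset = fields.get("src") or fields.get("host")
        hits = match_iocs(fields, iocs)
        if asset and hits:
            findings[asset] |= hits
    return dict(findings)


if __name__ == "__main__":
    for asset, hits in sorted(sweep(SAMPLE_LOGS).items()):
        print(asset, sorted(hits))
```

Note how the third proxy record (client 10.0.4.88) contacts a different domain but the same address: the address indicator alone reveals a second host that a hostname-only search would have missed, which is exactly why IoCs of several types are developed and swept across the whole log estate rather than only the first system noticed.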

Make your IT environment forensics and monitoring ready
For a cyber-incident response plan to be feasible and effective, the IT environment needs to be forensics and monitoring ready. Systems should be configured to produce the logs required, which are then centrally collected for analysis, with the IR team having the required tools to provide full visibility on suspicious network and host activity. Such tools must be either pre-deployed strategically or deployed ad-hoc within an acceptable timeframe upon the detection or verification of an incident.

Align and streamline detection and response
Typically there is a significant gap in cyber security defences. On one hand there are real-time detection (and prevention) controls, and on the other there is post-event incident response. The problem is that a threat is either prevented or detected in real time, or detected after the fact, following the shockwave of business impact. It is usually only then that incident response processes are initiated.

Targeted cyber threats use low and slow attacks, so real-time detection is unlikely. Security monitoring practices need to refocus from real-time alerting to early warning, detecting the incident as it evolves but before serious impact. To verify and respond to the incident in a timely fashion, rather than after the fact, this early warning capability should be complemented with pre-deployed network and host forensics tools.
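The contrast between a real-time threshold and an early-warning view can be shown on constructed data. The following is an added example, not code from the article: it builds a day of synthetic connection records (an implant contacting one address roughly hourly with slight jitter, a user browsing one site at irregular gaps, and a script hammering a site for fifteen seconds), then applies two rules. The per-minute threshold only fires on the burst; the windowed rule, which looks for sparse but regular contacts over 24 hours, fires only on the hourly beacon. The addresses, thresholds and the coefficient-of-variation test are all assumptions chosen for illustration.

```python
"""Real-time threshold versus early-warning (windowed) detection.

Added example, not from the article. All traffic below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

T0 = datetime(2014, 9, 1, 0, 0, 0)


def build_sample_events():
    """Constructed connection records (timestamp, src, dst); not real traffic."""
    events = []
    # Implant beaconing roughly hourly for a day: 24 contacts, +/-20 s jitter.
    t = T0
    for i in range(24):
        events.append((t, "10.0.4.21", "203.0.113.77"))
        t += timedelta(seconds=3600 + ((i % 3) - 1) * 20)
    # Ordinary browsing: 20 requests to one site with irregular gaps (5 s to ~100 min).
    t = T0 + timedelta(hours=9)
    for i in range(20):
        events.append((t, "10.0.4.35", "198.51.100.10"))
        t += timedelta(seconds=((i * 37) % 600) * 10 + 5)
    # A noisy burst: 15 requests one second apart (e.g. a misbehaving script).
    t = T0 + timedelta(hours=14)
    for _ in range(15):
        events.append((t, "10.0.4.50", "198.51.100.20"))
        t += timedelta(seconds=1)
    return sorted(events)


def realtime_rule(events, per_minute=10):
    """Classic real-time threshold: flag (src, dst) pairs with > N connections in any minute."""
    counts = defaultdict(int)
    for ts, src, dst in events:
        counts[(src, dst, ts.replace(second=0, microsecond=0))] += 1
    return {(src, dst) for (src, dst, _), n in counts.items() if n > per_minute}


def early_warning_rule(events, window=timedelta(hours=24), min_count=12,
                       min_mean_gap=300, max_cv=0.2):
    """Early-warning view: flag pairs with many sparse but regular contacts in the window.

    A pair is flagged when, within the window ending at its latest contact, it has at
    least min_count contacts, the mean gap is at least min_mean_gap seconds (so bursts
    are left to the real-time rule), and the gaps are regular: coefficient of
    variation (stdev / mean) at most max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    flagged = set()
    for pair, stamps in by_pair.items():
        stamps.sort()
        recent = [s for s in stamps if s >= stamps[-1] - window]
        if len(recent) < min_count:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(recent, recent[1:])]
        avg = mean(gaps)
        if avg < min_mean_gap:
            continue
        if pstdev(gaps) / avg <= max_cv:
            flagged.add(pair)
    return flagged


if __name__ == "__main__":
    ev = build_sample_events()
    print("real-time rule flags:   ", sorted(realtime_rule(ev)))
    print("early-warning rule flags:", sorted(early_warning_rule(ev)))
```

The point of the windowed rule is not the particular statistic but the time horizon: a beacon that produces one connection an hour never crosses a per-minute threshold, and only a control that retains and re-examines a day or more of collected records can raise the warning while the incident is still evolving.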

Battle-test with real-life simulations to assess effectiveness
Organisations that have cyber-incident response plans prepared rarely, if ever, test them with real-life simulations of cyber security breaches. With traditional penetration testing exercises being myopic at best, companies need to execute an active, red-team style cyber-attack simulation. It is only by testing the controls and capabilities designed to stop, detect and respond to cyber security incidents that the battle can be turned in your favour.
