Have you ever been in a situation where one of your employees has left a laptop in the back of a taxi or at an airport? Or had a web server left online with an unpatched vulnerability, or one where an attacker could log in using an administrator's credentials?
If you have ever been in any of these situations, then you probably needed a cyber-incident response process.
At its core, a cyber-incident response process is a proactive approach to a reactive situation, and at the heart of building that process is preparation. Whether you use the SANS or NIST incident response model or any other, one of the most overlooked parts of the process is the preparation done before an incident occurs. You need to consider your incident response process from all angles and across all teams. That means answering questions such as "do your technical teams know when to ask for legal assistance?" and "are your legal teams aware that they should be getting involved?" There are also questions about publicity: who should be talking to the media, and when. By putting the right policies and technical controls in place up front, you can answer the big questions before an incident becomes a problem. You should also test your incident response process, and test it with all of the teams involved.
Very commonly, people look at their incident response process through the lens of a technical team or the C-suite, but if your legal team doesn't understand what your forensic techs are saying, they can't give correct legal advice about the situation your company is in. Simulations and tabletop sessions will help you answer important questions for the future of the incident response process: "Can you pull logs from servers when you need them?" "Do you have access to the data that you require?" "How does working from home affect your ability to run a forensic investigation, and do you have policies in place, which your users understand, stating that you can and will access their data in the event of a security incident?"
You should consider your incident response simulations as part of a holistic exercise. Include teams such as finance and accounting. Even your physical building security may hold important data which you wouldn't think to access in the heat of the moment. Really test your processes from end to end. During these simulations you may come up against the big questions. You may have to consider containing a threat, and containing it may mean turning off some of your services, so you may start to ask yourself questions like "how long can we last without email: an hour, a day?" and "what service level agreements do we have with our business that may be impacted by turning off a service?" These are all questions you should consider during incident response testing. You should also test the resilience of your business: can it continue to function while it is under attack, and can you bring back lost data if it is taken away? If you don't test these processes, you might find that at the end of an attack the backup you thought you had isn't functioning, because you never tested it.
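The backup point above is the one that is easiest to turn into a repeatable check. The script below is an added example, not code from the original post: it takes a backup of a directory, restores it into a scratch location, and compares a checksum manifest of the original and restored trees, so the restore is actually exercised rather than assumed. The sample files, directory names and the use of tar with gzip are assumptions made for the demo; substitute your own backup tool and data set.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal restore test.
# The only proof that a backup works is a restore you have actually run,
# so this takes a backup, restores it elsewhere and compares the two trees.
# The sample data and paths below are constructed for the demo.

# Print "checksum size ./path" for every regular file under a directory,
# in a stable order, so two trees can be compared as plain text.
# cksum is POSIX (unlike sha256sum/shasum), so this runs on most systems.
manifest() {
    (cd "$1" && find . -type f -exec cksum {} + | LC_ALL=C sort)
}

# Create a tar.gz backup of directory $1 at path $2. Non-zero if tar fails.
take_backup() {
    tar -czf "$2" -C "$1" .
}

# Restore archive $2 into a scratch directory and compare it with the
# original tree $1. Returns 0 only if every file restores intact (as far
# as cksum can tell); a missing, truncated or corrupt archive, or a tree
# that has drifted since the backup was taken, returns 1.
verify_restore() {
    src=$1
    archive=$2
    scratch=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        rm -rf "$scratch"
        return 1
    fi
    expected=$(manifest "$src")
    actual=$(manifest "$scratch")
    rm -rf "$scratch"
    [ "$expected" = "$actual" ]
}

# Build a small constructed data set to back up: a text log, a config
# file and a binary blob, so both text and binary content are covered.
make_sample_data() {
    mkdir -p "$1/logs" "$1/config"
    printf 'user=alice action=login result=ok\n' > "$1/logs/auth.log"
    printf 'listen=0.0.0.0:8443\n' > "$1/config/app.conf"
    dd if=/dev/urandom of="$1/logs/binary.blob" bs=1024 count=4 2>/dev/null
}

# Demo: a good backup passes, a truncated copy is caught.
work=$(mktemp -d)
make_sample_data "$work/data"
take_backup "$work/data" "$work/backup.tgz"
if verify_restore "$work/data" "$work/backup.tgz"; then
    echo "restore test: PASS"
else
    echo "restore test: FAIL"
fi
# Simulate a damaged backup (e.g. a partial copy to offsite storage).
dd if="$work/backup.tgz" of="$work/truncated.tgz" bs=100 count=1 2>/dev/null
if verify_restore "$work/data" "$work/truncated.tgz"; then
    echo "truncated backup: PASS (this should not happen)"
else
    echo "truncated backup: FAIL as expected"
fi
rm -rf "$work"
```

Run this on a schedule against a real backup and alert when verify_restore returns non-zero; a restore test that only runs during the incident is not a test. Note that a mismatch can also mean the source has changed since the backup was taken, which is itself worth knowing when you are deciding how much data a restore would lose.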
Today we have only discussed a couple of high-level things to consider when building your own holistic incident response process, but if you start building one today you will have a more secure environment in the future, and you will keep improving it. Every modern business will at one time or another face a cyber-attack. It's not a matter of avoiding attacks; it's a matter of coming back stronger, using an appropriate incident response process to make your business more secure in the future.