Incident Response Plans Heighten All Facets Of Cyber Defense

Reviewing Aug. Report; Plus Additional CSIRP Insight


Dan Gunderman

The security posture of today’s enterprise is largely dependent on its resiliency – how capable is it of responding to a zero-day threat? If that cyber-attack latches on to a part of the network, is it equipped to remediate?

What’s more, the question of “resiliency” is largely answered by the presence or absence of a detailed incident response plan (IRP).

This month, the Cyber Security Hub released a report on diagnosing disaster and recovering from an attack, which highlighted the paramount importance of an IRP – and one that’s both codified and repeatable.

Even in the face of these IRPs, hacker sophistication has grown, and that includes automated reconnaissance and payload efforts.


Commenting on that interplay between fortified defense and hacker advances, Security Executive Candy Alexander told the Cyber Security Hub: “Responding to an incident has become commonplace. IT and security teams used to have to exercise their IRPs, but today, they exercise them for real.”

Keith Hollender, CISO, Vaco, told the Cyber Security Hub: “Incident response has become more of a focus in the industry. The mindset has shifted from ‘not if, but when’ we will deal with a major incident.”

He continued, saying that incident response platforms and cyber fusion centers are now focused on minimizing impact and being prepared. Comparatively, he said that just a few years ago, only select large companies had IR teams – and the capabilities were limited.

“Today, more and more companies are investing in incident response and containing an incident once it occurs,” Hollender said.

Report: 'Diagnosing Disaster: How To Recover From An Attack'

This report on incident response and recovery offers pivoting strategies and identifies top internal and external challenges for security teams.

Wider Challenges

These efforts come as the space contends with a glaring talent shortage, and a sort of identity crisis, insofar as communicating to the C-Suite and upping the ante with board involvement.

Because of the talent crisis, instead of robust SOC teams triaging and remediating potential threats, that work often falls to the same analysts who are already occupied elsewhere.

As analysts are exposed to indicators of compromise (IoCs), how do they know which ones to act upon? It’s here where “pivoting” comes in handy – in order to detect, respond and remediate.


A recent Security Intelligence post highlighted a few of these methods. For one, the Diamond Model is useful in determining the infrastructure involved in an attack.

In the model, IoCs are marked as data points on vertices representing capabilities or infrastructure. The visualization allows for further pivoting to understand contextual evidence behind the incident.

As illustrated here, there is certainly a data science element to CSIRPs, and that could involve enriching and correlating data from the threat intelligence feeds, solutions or the firewall. The team has to corroborate, authenticate, investigate and contain.
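The pivoting the Diamond Model enables, as an added example that is not from the article or the Security Intelligence post it cites: a small Python script (all event data constructed, using RFC 5737 test addresses) that starts from one IoC, walks the capability and infrastructure vertices shared between events, and returns the connected events and affected victims so the analyst can scope containment.

```python
from collections import defaultdict

# Constructed sample: each Diamond Model event records the adversary-side
# features observed (capability, infrastructure) and the victim host.
EVENTS = [
    {"id": "evt-1", "capability": "macro-dropper", "infrastructure": "198.51.100.7", "victim": "host-fin-01"},
    {"id": "evt-2", "capability": "macro-dropper", "infrastructure": "203.0.113.9", "victim": "host-hr-04"},
    {"id": "evt-3", "capability": "credential-dumper", "infrastructure": "203.0.113.9", "victim": "host-hr-04"},
    {"id": "evt-4", "capability": "webshell", "infrastructure": "192.0.2.55", "victim": "host-web-02"},
]

# The two vertices an analyst pivots across; adversary and victim are the other two.
VERTICES = ("capability", "infrastructure")

def build_index(events):
    """Map each (vertex, value) pair to the set of event ids that carry it."""
    index = defaultdict(set)
    for e in events:
        for v in VERTICES:
            index[(v, e[v])].add(e["id"])
    return index

def pivot(events, vertex, value):
    """From one IoC, follow shared capability/infrastructure values until no
    new events are reached; return the connected events, IoCs and victims."""
    index = build_index(events)
    by_id = {e["id"]: e for e in events}
    frontier = [(vertex, value)]
    seen_iocs, seen_events = set(), set()
    while frontier:
        ioc = frontier.pop()
        if ioc in seen_iocs:
            continue
        seen_iocs.add(ioc)
        for eid in index.get(ioc, ()):
            if eid in seen_events:
                continue
            seen_events.add(eid)
            # Every other vertex of a newly linked event becomes a new pivot point.
            for v in VERTICES:
                frontier.append((v, by_id[eid][v]))
    return {
        "events": sorted(seen_events),
        "iocs": sorted(seen_iocs),
        "victims": sorted({by_id[eid]["victim"] for eid in seen_events}),
    }

if __name__ == "__main__":
    # Pivot from the single C2 address seen in evt-1; evt-4 shares nothing and stays out.
    print(pivot(EVENTS, "infrastructure", "198.51.100.7"))
```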

Other challenges in the enterprise on the IRP front include “white noise” from the infrastructure, in an age of increased automation. With more false positives, security teams are forced to vet red flags quite closely – thus potentially opening up a “window” to the crown jewels.

There’s also the subjectivity component of cyber security – how do you determine return on investment (ROI) for the spend, and how can you predict activity for the next fiscal year?

Today’s vibrant enterprise, with CISOs heading off illicit black-hat activity, depends on simplicity and complexity, minimal “fronts” and progressive growth.


IRP Assessment

In speaking with the Cyber Security Hub about incident response, KnowBe4 Security Awareness Advocate Erich Kron advised execs to “stay calm, over communicate and learn from your mistakes.”

“Make sure what you are communicating is not Fear Uncertainty and Doubt (FUD), but rather what you actually know and what you don’t know…” Kron said. “(Also), make notes during the event, and then document all of the things that worked well, as well as the things that did not…”

Altogether, Kron said, “I have seen more and more organizations moving toward a…mature, formal, documented process as opposed to just reacting when it happens. I believe this shift is due to the fact that even smaller organizations are starting to understand that there will be a security event of some sort in their future, and they have seen the impact it can have on an organization.”

Will the next wave of incident response capabilities venture into AI-only territory? Kron does not think so. “The plan itself will continue to need skilled, knowledgeable humans to maintain and update,” he said. “For example, scripted restoration or redeployment of affected machines and similar technological automatons can make the restoration process much easier. However, revising and updating the plan based on lessons learned is something I believe humans should continue to handle.”

Regardless of the maturity level of today’s organizations, one fact remains: The business must be able to detect and respond to a bevy of cyber-threats.
