Companies are set to spend over $8 trillion in damage control costs this year – that’s a whole lot of money at stake for poor risk management. Unfortunately, given the current cyber ecosystem’s challenges, traditional measures around framing policies and building awareness fall short without a concerted effort, which is where collaboration takes center stage.
This article will explore the primary considerations for achieving collaboration in a cyber security incident, the nuances of good collaboration, and the benefits for organizations.
Behind the Scenes: Why do we Need Collaboration in the First Place?
While the need for collaboration on cyber security incidents is apparent, the means and methods of achieving it often require more clarity in the form of a standardized approach backed by a comprehensive strategy that hinges upon a few critical decisions. These decisions must consider three traits around the complexity of every cybersecurity incident investigation.
1. The second or third-order impact of a cyber security incident
Cybersecurity incidents have a broader impact beyond the initial breach. Think of the countless data records exposed or the productivity loss running into days or weeks, or the business and reputational losses impacting revenue and stock prices. These are the second and third-order impacts of a cyber security attack on a large organization, sometimes more catastrophic than the initial incident itself.
The processes devised to tackle any incident should equally focus on the second and later-order impacts rather than just plugging the gap at the point of the breach. This planning stage should happen in addition to the core process workflows and protocols established for robust incident management.
2. The dynamic attack surface
Incidents happen due to a misconfiguration in the network or as a result of malware infiltrating a computer, and social engineering techniques further increase the probability of such attacks. Therefore, an organization is constantly under attack, either induced externally or planted internally, impacting any functional or business unit. As a result, the main stakeholders involved in incident management should represent the cross-functional hierarchy of the organizational structure rather than a siloed team with cyber security investigation skills alone.
3. The risk of technological adoption
Security incidents are always a result of interactions between systems and users as part of the day-to-day user workflows. In some cases, like email, the threat landscape applies to the entire organization since everyone has an email address. It’s critical that organizations choose cybersecurity tools and technologies with caution to ensure they do not open up another front for threats. It would be best to focus on leveraging technologies to automate processes that expedite incident management chores and provide valuable insights to stay ahead of the threats.
The Four Stages of Collaborative Incident Handling
The critical decisions for collaboration revolve around building efficient processes and protocols, choosing the right stakeholders, and selecting the appropriate tools and technologies to thwart an incident and defend against potential threats swiftly. Upon discovering a cybersecurity incident, teams usually fan out into multiple sub-teams, starting with the first responders and additional domain-specific response teams that handle the impact on organizational assets, clients, and other areas. The collaboration among these teams follows a four-stage progression.
Stage 1: Contain
At this point, the team’s primary goal is to contain the damage caused by the incident. It requires an initial assessment by the first responder team to identify the incident’s origin, severity, and scope. Based on the initial assessment report, the specialized response teams are notified and begin to look at the organizational domains (such as IT, operations, legal, and compliance) to determine the extent of the attack, the affected systems and data, and the potential impact on the organization. These teams are also responsible for sensitizing staff about the incident and seeking volunteers to help in the subsequent stages.
Stage 2: Conceal
The conceal stage is marked by specific information sharing among the response teams. It is the basis of an incident response plan to identify the root cause and gather relevant data to understand the spread. Following the incident response plan, the teams have to mobilize resources to conceal the attack surface by shutting down affected systems, isolating compromised assets, and implementing mitigation measures.
Stage 3: Construe
By now, you’ve likely taken sufficient measures to prevent the incident from inflicting further damage. In the construe stage, a thorough investigation is conducted to interpret the incident and its entire chain of first, second, and subsequent order impacts. The end goal is to build and execute an incident remediation plan, which may involve restoring systems from backups, patching vulnerabilities, or implementing other security measures.
Stage 4: Conquer
After the incident has been remediated, the work isn’t over yet. The response teams congregate to conduct a post-incident review and evaluate the response process to eradicate any further impact. Most importantly, this stage is about learning from mistakes to prevent similar incidents in the future. It involves conducting audits and updating the existing processes and protocols per the learnings from this specific incident.
Building a Collaborative Culture for Strengthening Cybersecurity Incident Investigation
While there is little doubt about the importance of collaboration in tackling cybersecurity incidents, building that culture into the organization’s DNA takes some effort. A few best practices can help ensure collaboration sustains and runs smoothly.
One strategy is to journal the incident logs. It serves as a blueprint to simulate a mock incident collaboration during a cybersecurity incident response drill. Such drills can also be organized in conjunction with data obtained from threat intelligence platforms to facilitate collaboration when identifying potential threats.
Finally, collaboration must be treated as a pan-organizational responsibility, achieved through regular training on incident handling to employees with up-to-date knowledge of the organization’s processes. It will enable them to respond promptly and effectively during times of crisis, thereby minimizing the load on incident response teams.
Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies. https://spectralops.io/ Dotan was the co-founder and CEO at Spectralops, which was acquired by Check Point Software, and now is the Head of Developer-First Security. Dotan is an experienced hands-on technological guru & code ninja. Major open-source contributor. High expertise with React, Node.js, Go, React Native, distributed systems and infrastructure (Hadoop, Spark, Docker, AWS, etc.)
Dotan on Twitter https://twitter.com/jondot
Dotan on LinkedIn – https://www.linkedin.com/in/jondot/
Dotan Nahum is the Head of Developer-First Security at Check Point Software Technologies.