10 Common Flaws in Incident Response Plans: Flaw #10 – Actually Executing the Plan

Alex Waintraub, with Michael Wilkes
This blog series by Alex Waintraub mirrors the SafeHouse Podcast about the 10 Common Flaws in Incident Response Plans.

In the final flaw of our series on Incident Response Plans, Alex Waintraub and special guest Michael Wilkes, Chief Information Security Officer, discuss the cost and impact of not executing your plan during an incident. In this blog they outline the dangers of not executing the plan your organization built, and strategies for a successful execution. Listen to the podcast on Thursday, August 22nd here: https://safehouseinitiative.org/podcasts/

Introduction

Incident response plans are critical for organizations to manage cybersecurity threats effectively. However, having a plan is just the beginning. The real challenge lies in executing the plan when an incident occurs. In this blog, we will explore insights shared by experts in the field about the importance of executing incident response plans and the common pitfalls organizations face.

The Importance of Execution

Execution is where the rubber meets the road. An incident response plan is only as good as its implementation. Mike Wilkes, a Chief Information Security Officer, emphasizes the distinction between being effective and efficient. Effective execution means getting the right answer, while efficient execution means getting there quickly.

Effective vs. Efficient

Effective execution focuses on accuracy and thoroughness. Efficient execution, on the other hand, emphasizes speed. Both are crucial for a successful incident response. For instance, at the Chicago Mercantile Exchange, a major financial institution, failing to execute the disaster recovery plan within the defined recovery time objective (RTO) could carry severe penalties.

Mike shares an experience in which the primary bridge line (the conference call used to coordinate the test) failed during a disaster recovery test. Because a secondary bridge line was already in place, the team continued the test and brought everything back up within four hours. This example illustrates the need for an incident response plan that is both effective and efficient.

Strategies for Successful Execution

Ensuring that your team is prepared to execute the incident response plan involves several strategies. Here are some key points to consider:

Regular Testing

One inexpensive way to test your incident response plan is with the EICAR test file. This benign file is recognized as malicious by antivirus and EDR products, so it can be used to verify that detection and alerting work end to end. Tools like MITRE’s Caldera and Stratus Red Team can also be used to perform lightweight tests, ensuring that your team is prepared to escalate incidents appropriately.
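The drill above, and the effective-versus-efficient distinction from the previous section, can be turned into a repeatable measurement. The following harness is an added example, not code from the blog or from the SafeHouse Initiative: it drops a test file into a monitored directory, polls an alert feed until the file has been both detected and escalated, and reports effectiveness (the right outcome happened) separately from efficiency (it happened inside the escalation target). The alert-record format, the stage names and the `replay_offline` feed are assumptions; the real EICAR content should be taken from eicar.org rather than the placeholder bytes used here.

```python
# Added example (not from the blog or the SafeHouse Initiative). The alert
# feed format ({"path": ..., "stage": "detected"|"escalated"}) is an
# assumption; adapt it to your EDR or SIEM API.
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass
class DrillResult:
    detected: bool                       # some alert named the dropped file
    escalated: bool                      # that alert reached the on-call stage
    detect_latency_s: Optional[float]    # seconds from drop to first alert
    escalate_latency_s: Optional[float]  # seconds from drop to escalation
    within_target: bool                  # efficient: escalated inside target

    @property
    def effective(self) -> bool:
        """Effective = the plan produced the right answer, regardless of speed."""
        return self.detected and self.escalated


def run_detection_drill(
    test_content: bytes,
    alert_feed: Callable[[], Iterable[dict]],
    drop_dir: str,
    escalation_target_s: float,
    timeout_s: float = 300.0,
    poll_s: float = 5.0,
    clock: Callable[[], float] = time.monotonic,
    sleep: Callable[[float], None] = time.sleep,
) -> DrillResult:
    """Drop test_content into drop_dir, then wait for the pipeline to react.
    clock and sleep are injectable so the drill can be replayed offline."""
    fd, path = tempfile.mkstemp(prefix="ir-drill-", dir=drop_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(test_content)
    t0 = clock()
    detect_at: Optional[float] = None
    escalate_at: Optional[float] = None
    try:
        while clock() - t0 < timeout_s:
            for alert in alert_feed():
                if alert.get("path") != path:
                    continue
                stage = alert.get("stage")
                if stage == "detected" and detect_at is None:
                    detect_at = clock() - t0
                elif stage == "escalated" and escalate_at is None:
                    escalate_at = clock() - t0
            if detect_at is not None and escalate_at is not None:
                break
            sleep(poll_s)
    finally:
        if os.path.exists(path):   # remove the drop file even on timeout
            os.remove(path)
    return DrillResult(
        detected=detect_at is not None,
        escalated=escalate_at is not None,
        detect_latency_s=detect_at,
        escalate_latency_s=escalate_at,
        within_target=escalate_at is not None
        and escalate_at <= escalation_target_s,
    )


def replay_offline(detect_after: float = 10.0,
                   escalate_after: Optional[float] = 40.0,
                   target_s: float = 60.0) -> DrillResult:
    """Exercise the harness with a constructed alert feed and a fake clock:
    the feed 'notices' the drop file after detect_after seconds and
    'escalates' it after escalate_after seconds (None = never)."""
    state = {"t": 0.0}
    with tempfile.TemporaryDirectory() as drop_dir:
        def feed():
            alerts = []
            for name in os.listdir(drop_dir):
                p = os.path.join(drop_dir, name)
                if state["t"] >= detect_after:
                    alerts.append({"path": p, "stage": "detected"})
                if escalate_after is not None and state["t"] >= escalate_after:
                    alerts.append({"path": p, "stage": "escalated"})
            return alerts

        def fake_sleep(s: float) -> None:
            state["t"] += s

        return run_detection_drill(
            b"CONSTRUCTED PLACEHOLDER, NOT A REAL TEST FILE\n", feed, drop_dir,
            target_s, timeout_s=120.0, poll_s=5.0,
            clock=lambda: state["t"], sleep=fake_sleep)


if __name__ == "__main__":
    print(replay_offline())
```

Keeping the two verdicts separate matters: a drill that escalates correctly but ten minutes late is effective and not efficient, and the fix (paging rules, on-call coverage) is different from the fix for a drill that never escalates at all (detection content, escalation wiring).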

Documentation

Good documentation is essential for effective incident response. High-level diagrams, data flow diagrams, and system diagrams can help your team understand the system’s structure and the downstream impacts of an incident. Poor documentation can turn a few hours of disruption into several days.
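A system or data-flow diagram is only useful on the incident bridge if someone can answer "what else is affected?" quickly. As an added example, not code from the blog, the block below encodes such a diagram as a dependency map and answers that question in both directions: the downstream blast radius of a compromised component, and the upstream components that could explain a symptom first seen at the edge of the system. All component names and edges are constructed.

```python
# Added example (not from the blog): a constructed dependency map of the kind
# a data-flow diagram captures, queried for downstream impact.
from collections import deque
from typing import Dict, List

# deps[a] lists the components that consume data from, or depend on, a.
SAMPLE_DEPS: Dict[str, List[str]] = {
    "identity-provider": ["web-portal", "admin-console", "vpn-gateway"],
    "orders-db": ["orders-api"],
    "orders-api": ["web-portal", "warehouse-sync"],
    "warehouse-sync": ["shipping-labels"],
    "web-portal": [],
    "admin-console": [],
    "vpn-gateway": [],
    "shipping-labels": [],
}


def downstream_impact(deps: Dict[str, List[str]], affected: str) -> Dict[str, int]:
    """Map every component reachable from `affected` to its hop distance
    (1 = depends directly on the affected component). Cycles are safe."""
    if affected not in deps:
        raise KeyError(f"unknown component: {affected}")
    dist: Dict[str, int] = {}
    queue = deque([(affected, 0)])
    while queue:
        node, d = queue.popleft()
        for nxt in deps.get(node, []):
            if nxt != affected and nxt not in dist:
                dist[nxt] = d + 1
                queue.append((nxt, d + 1))
    return dist


def upstream_causes(deps: Dict[str, List[str]], symptom: str) -> Dict[str, int]:
    """Reverse query: components whose failure could explain trouble seen at
    `symptom`, useful when the first sign of an incident is at the edge."""
    reverse: Dict[str, List[str]] = {n: [] for n in deps}
    for src, dsts in deps.items():
        for dst in dsts:
            reverse.setdefault(dst, []).append(src)
    return downstream_impact(reverse, symptom)


def impact_report(deps: Dict[str, List[str]], affected: str) -> List[str]:
    """Human-readable list, nearest dependents first, for the incident bridge."""
    dist = downstream_impact(deps, affected)
    ordered = sorted(dist.items(), key=lambda kv: (kv[1], kv[0]))
    return [f"{name} (hop {hop})" for name, hop in ordered]


if __name__ == "__main__":
    for line in impact_report(SAMPLE_DEPS, "orders-db"):
        print(line)
```

The map only answers correctly if it is kept current, which is the documentation discipline the section is about; a stale edge turns a few-hour disruption into a multi-day one exactly as described.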

Continuous Discovery

Incomplete asset inventory is a common flaw in incident response plans. Continuous discovery-based asset management can help address this issue. Tools like Shodan and security-ratings scanning services can provide an outside-in view of your infrastructure, ensuring that no devices are overlooked.
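Discovery only closes the inventory gap if its results are reconciled against the inventory of record. The block below is an added example, not code from the blog: it takes a constructed inventory CSV and a constructed list of discovery hits, restricts the hits to the address space you own, and reports hosts that are discovered but unmanaged, hosts that are inventoried but no longer seen, and the observed service ports of every known host. The record shapes are generic assumptions, not Shodan's or any rating service's actual export format.

```python
# Added example (not from the blog): reconcile a discovery scan against the
# asset inventory so unmanaged devices surface before an incident does.
# Both inputs are constructed samples.
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INVENTORY_CSV = """\
ip,hostname,owner,last_seen
10.0.1.10,web-01,platform-team,2024-08-01
10.0.1.11,web-02,platform-team,2024-08-01
10.0.2.5,db-01,data-team,2024-08-02
10.0.9.40,printer-lobby,facilities,2023-11-15
"""

# (ip, open ports, banner); constructed discovery output
DISCOVERED: List[Tuple[str, List[int], str]] = [
    ("10.0.1.10", [443], "nginx"),
    ("10.0.1.11", [443], "nginx"),
    ("10.0.2.5", [5432], "postgres"),
    ("10.0.2.5", [22], "OpenSSH"),           # same host, second record
    ("10.0.3.77", [22, 8080], "OpenSSH"),    # not in inventory
    ("192.0.2.9", [80], "unknown"),          # outside our scope, ignored
]


@dataclass
class Reconciliation:
    unknown: Dict[str, Set[int]]    # discovered in scope but not inventoried
    stale: List[str]                # inventoried but not seen by discovery
    known: Dict[str, Set[int]]      # inventoried hosts and their observed ports


def load_inventory(csv_text: str) -> Dict[str, dict]:
    """Index inventory rows by normalized IP string."""
    return {str(ipaddress.ip_address(row["ip"])): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory: Dict[str, dict],
              discovered: List[Tuple[str, List[int], str]],
              scope: List[str]) -> Reconciliation:
    """Compare discovery results (restricted to the `scope` networks) with
    the inventory; ports from repeated records for one host are merged."""
    nets = [ipaddress.ip_network(s) for s in scope]
    seen: Dict[str, Set[int]] = {}
    for ip, ports, _banner in discovered:
        addr = ipaddress.ip_address(ip)
        if not any(addr in n for n in nets):
            continue                    # e.g. a neighbour's range in a shared scan
        seen.setdefault(str(addr), set()).update(ports)
    return Reconciliation(
        unknown={ip: p for ip, p in seen.items() if ip not in inventory},
        stale=sorted(ip for ip in inventory if ip not in seen),
        known={ip: p for ip, p in seen.items() if ip in inventory},
    )


def summary(r: Reconciliation) -> List[str]:
    """Ticket-ready lines: unknown hosts first (they need an owner), then stale."""
    lines = [f"UNKNOWN {ip} ports={sorted(p)}" for ip, p in sorted(r.unknown.items())]
    lines += [f"STALE   {ip}" for ip in r.stale]
    return lines


if __name__ == "__main__":
    result = reconcile(load_inventory(INVENTORY_CSV), DISCOVERED, ["10.0.0.0/16"])
    print("\n".join(summary(result)))
```

Run on a schedule, the "unknown" list is the continuous-discovery feed the section calls for, and the "stale" list catches the opposite failure: inventory entries that no longer exist and would send responders chasing a ghost during an incident.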

Post-Incident Analysis

Learning from past incidents is crucial for improving future responses. Conducting post-incident analysis and root cause analysis can help identify areas for improvement. Even learning from other organizations’ failures can provide valuable insights.

Executive Support

Lack of executive support can lead to delays and inadequate resource allocation. Ensuring that your executive team is aware of the importance of incident response and is prepared to act swiftly can make a significant difference.

Challenges in Execution

Executing an incident response plan is not without its challenges. Here are some common issues organizations face:

Coordination and Communication

Effective coordination and communication are critical during an incident. Ensuring that all team members know their roles and responsibilities can prevent confusion and delays.

Emotional Impact

Unannounced red team exercises can cause unnecessary stress and emotional damage to your team. It’s essential to balance testing with the well-being of your employees.

Complex Networks

Complex networks with mixed infrastructure can make incident response more challenging. Deception technologies and honeypots can lead to false positives and complicate the response process.

Real-World Examples

Mike shares several real-world examples to illustrate the importance of execution in incident response:

Chicago Mercantile Exchange

At the Chicago Mercantile Exchange, a disaster recovery test involved failing over to a secondary data center. Despite a bridge line failure, the team managed to continue the test and bring everything up within four hours. This example highlights the importance of redundancy and preparedness.

Disney Incident

During an incident at Disney, poor documentation led to extended disruption. The lack of a clear understanding of the system’s structure made it difficult to identify and address the impacts of the incident.

Conclusion

Executing an incident response plan effectively and efficiently is crucial for minimizing the impact of cybersecurity threats. Regular testing, good documentation, continuous discovery, post-incident analysis, and executive support are key strategies for successful execution. By addressing common challenges and learning from real-world examples, organizations can improve their incident response capabilities and ensure that they are prepared to handle incidents effectively.

Remember, the goal is not just to have an incident response plan but to ensure that your team can execute it effectively when the time comes. By focusing on both effectiveness and efficiency, you can minimize the impact of incidents and protect your organization from potential threats.

Final Thoughts

Incident response is a complex and ongoing process. It’s not enough to create a plan and hope for the best. Regular testing, continuous improvement, and strong executive support are essential for ensuring that your team is ready to respond to incidents effectively. By addressing the common flaws in incident response plans and focusing on execution, organizations can improve their resilience and protect their critical assets.

If you found this blog helpful, be sure to check out our other resources on incident response and cybersecurity. Stay safe, stay resilient, and remember to be kind to each other.