In a previous blog the MDR Cyber Incident response team examined some of the challenges that widespread remote working creates for conducting effective security incident response. This blog examines some of the challenges around communication that lead to incident responders being unable to operate as effectively as possible.
There is an important operational and strategic role for senior IT and security leadership in ensuring that incident responders are able to operate effectively under all conditions, including the current state of enforced remote working.
Experience suggests that amongst the challenges remote working poses to incident responders, communications and communications processes are among the most likely to be neglected as organisations adapt and prepare to respond to security incidents under remote working conditions.
Senior leaders can facilitate effective communication and collaboration by supporting training exercises, including exercises which specifically highlight and incorporate challenges created or exacerbated by remote working.
Framing the Problem
While it is common for responders to regularly train in digital forensics and investigative techniques, it is much less usual for them to be trained in how to communicate and work effectively as a team. Contrasted with the emphasis placed on these skills in the training required for other professionals responsible for emergency management, such as military and emergency services personnel, this may represent a limiting factor in the effectiveness of many IR teams.
Given the additional challenges created by remote working, organisations should give consideration to how personnel will communicate if an incident occurs and how senior leadership can help to make sure that responders are able to operate effectively as a team.
Team Structure and Direction
IR teams communicate and operate more effectively if a clearly defined team structure is in place, and team members understand their roles. This includes not only leadership roles, but also defined generalist and specialist roles for individual team members, and is not just limited to responders. Effective IR relies on support from IT, legal, media, data protection, and PR teams, as well as security specialists.
Senior leadership have an important role to play in facilitating engagement between response team leaders and personnel from other departments. Supporting and fostering cross-team engagement can help the different business units involved in IR understand each other's capabilities and define what role teams and individuals will play when responding to an incident. Responders and other employees communicate and work together more effectively if they already know each other and are not speaking for the first time over Zoom under the time pressure of responding to a security incident.
Determining IR team structure must also include definition of hierarchy: organisations must decide who will call operational shots when an incident occurs and make sure that everyone involved understands and accepts this. Again, during an incident is not a good time for responders, other employees, and data protection staff to be confused about which of them has decision-making primacy.
Once an IR team structure is defined and every member understands their role and position in the decision making structure, it is important for senior IT and security leadership to provide IR teams with clear direction on the organisation's priorities and objectives for a response in advance of any incident taking place.
Clarity on objectives both allows communications in the course of a response to be more focused and reduces reliance on potentially unreliable communications in remote working situations. While team leaders are responsible for ensuring that responders understand their objectives and priorities when an incident occurs, they will be able to do this more effectively if they have a clear understanding of what senior leaders expect in response scenarios.
Once these decisions have been made, it is very important to run at least one exercise involving all members of the wider IR team. Live responses will inevitably lead to the discovery of issues with how teams communicate, collaborate, and make decisions. It is much better to unearth these problems in a simulated exercise than when responding to an incident for real. In addition to making exercise scenarios as realistic as possible, consider introducing unexpected remote working challenges such as a critical team member's home router failing; these will force the team to consider how they would adapt to such challenges in a real response.
Use exercise notes and participant feedback to refine team structures, decision making hierarchies, and identify training priorities to help ensure that when an incident occurs, responders and the wider IR team can communicate and work together as efficiently as possible to contain and remediate the threat.
A full-time investigator or contracting service can be costly, and potentially disproportionate to your needs. If you need high-standard ad-hoc or tailored investigation services outside of "productised" offerings, consider our Remote Incident Response Service: a specialist team of investigators and intelligence analysts able to respond immediately to find hidden connections and critical evidence buried in open sources and in data obtained through disclosure.