Yesterday, I was given a homework assignment by a 7-year-old. Since it was my own daughter, I thought it best to pay attention:
“Daddy, will you solve my Rubik’s Cube?”
Uh oh. I hadn’t picked up one of those in over a year, when both of my kids were really into them. Like most people (of any age), they would inevitably get stumped. And somehow, it fell on Dad to keep restoring the cubes to “factory settings,” so they could try again.
But I was having trouble remembering how to solve it (I briefly considered just rearranging the stickers, the way we did it in the pre-YouTube eighties).
Luckily, I still had my “cheat sheet” – the notes I had taken after watching several hours of online tutorial videos. Sure enough, instructions in hand, I had the colors back in order in under ten minutes.
The professional Cubers (or whatever they’re called) don’t rely on cheat sheets, of course. Nor do they use a “same every time, step-by-step approach,” the way I did. Rather, they learn how to spot “meta patterns,” and proceed based on whatever state the cube happens to be in when they pick it up.
When it comes to managing cybersecurity incidents, there’s a lot to be learned from both varieties of Rubik’s Cube solvers – the pros and the dad-level amateurs. More specifically…
Draft an Incident Response Plan
A good incident response plan, like a Rubik’s Cube pro, doesn’t follow a recipe – it’s flexible, working from whatever scenario it encounters.
That’s important, since new cybersecurity incidents occur all the time. On any given day, you don’t know if you will be fighting ransomware, phished credentials, wire transfer fraud, or something you’ve never seen before.
What you do know is that certain response patterns and resources – technical team, communication team, legal team, regular meetings, good notes, etc. – will be valuable in any situation. Your job is to ensure that the necessary players have the tools and training they will need to be effective.
Further, because the range of possible incidents is so broad (and any particular scenario therefore repeats so rarely), you’ll want to develop your own “cheat sheets.” These notes, checklists, and reminders will help ensure you don’t forget important steps as you speed along to respond – things like contacting the cyber insurance company, using an approved list of vendors, or involving legal in your customer communications. Mapping this out beforehand can save precious time when speed is most critical. One practical caveat: keep a copy of these cheat sheets (and the contact list that goes with them) somewhere you can reach when your own systems are down, since a ransomware incident is exactly the moment you may be locked out of the file share or wiki where the plan normally lives.
All that said, if yours is an organization of fewer than about 250 people, you don’t need to invest the time and effort in creating a detailed, step-by-step “run book” for every conceivable incident. As a small organization, it’s best to keep your plans at a slightly higher level, making sure you don’t overlook things of consequence, but also staying flexible.
Get Clear on Your Philosophy
The world record for solving the Rubik’s Cube? 3.47 seconds. If you hope to compete at that level, you’ll need to train in a particular way and with speed as your primary objective.
Dad-level is (thankfully) quite different. You’re a hero if you can solve the cube at all, and nobody cares if you use printed instructions to get the job done. The priorities here are not the same.
Likewise, your incident response policy ought to reflect the things that are most important for your particular industry and circumstance.
For example, if you are a public utility, availability – keeping the lights on – is what matters most. If you are a financial institution, on the other hand, it’s probably better to prioritize the confidentiality and integrity of your data, even if it means having the system offline for a little while longer.
Writing these priorities explicitly into your incident response policy will guide the way as your team reacts to various events, and it forces you to answer a few questions in advance: What counts as an incident, and what triggers one? Who can declare a breach, given that the word may carry legal, regulatory, and insurance implications? Who is in charge (CTO, COO, etc.) of your incident response program?
Practice, Practice, Practice
I’m sure there are certain innate traits and skills that allow someone to solve a Rubik’s Cube in less than four seconds (long fingers?). But I’m willing to bet that the professional cubers put in hours and hours of practice to get to that level. As Gail, my childhood tennis teacher used to say, “Practice makes automatic.”
So it goes with incident response, which is why we hold regular “tabletop exercise” sessions with clients, where we game out various scenarios and practice responding. This helps work out the kinks in the system, while putting everyone in the mindset of what to do when bad things happen.
When it comes to the list of things that impress a 7-year-old, solving a Rubik’s Cube is pretty high up there. Even so, given how rarely I am called upon to perform this trick, and how much time I am given when I am, I have no plans to memorize the solution anytime soon.
Likewise, when developing an appropriate incident response program for your organization, it’s important to consider what’s best for you, given your industry, company, philosophy, and available resources.
The ultimate goal, of course, is security. As to how you get there, there are a nearly infinite number of ways to twist the cube.