In the initial hours after a breach, you’ll quickly realize that you need help — legal help, PR help, budgetary help, and definitely help from an experienced incident responder. Typically, that support will come from either an in-house team or an outside, third-party incident response team.
In this analysis, I’m going to lay out the differences between the two approaches, and their relative strengths and weaknesses.
Having Your Own Team
First and foremost, you may have those experienced incident responders in-house on your own information technology (IT) security team. If you do have a dedicated incident response team, consider yourself lucky: The people on the team are familiar with your environment and tools, have relationships with other IT people and staff across your business, and have in-depth knowledge and experience that cannot be replicated by someone from the outside.
However, even if you do find yourself in this fortunate sceario, don’t expect it all to be sunshine and rainbows. Unless you are working in a very large organization, chances are that your incident response staff comprises only a few people. If you have experienced a breach, this team will be stretched to its limit. Its members may be trained to find a needle in a haystack, but after multiple days, weeks, and months of long hours, even the best of us will be challenged to sustain our best work and maximum focus.
How to Help Your In-House Team
So how do you help them? First, make sure they are honing their craft regularly. IT is forever changing and the time to learn the latest tech is not the day of the breach. Allow them to run exercises; send them to training and conferences; set up a capture-the-flag event; and do anything else you can do to sharpen the knife.
Secondly, make sure they are getting enough time away from work to care for themselves and their families. Many incident responders will do their best impression of a labrador during duck season: They go until they literally fall down, then get up and go some more. Send them home, order pizzas, and make sure the coffee is fresh. Having a well-rested (and respected) team will show in the results of its investigation, and you’ll be happy that you took care of everyone working on it.
Finally, make sure they have the tools to perform the requisite tasks. Not all tools are created equal. Can your team create a forensic image using some commandlinefu? Sure. Are there commercial tools on the market that will perform that job in a much shorter time? Absolutely! During a protracted investigation, precious time can be saved by making sure the team has the right tools for the job.
Working With a Third-Party Team
Alternatively, if you do not have an in-house team, you’ll need to contract with a third party to perform your investigation. This approach has some strong benefits. Incident response is what these teams do. They go from one large breach to the next, so the team members’ skills and processes are sharp. You won’t need to worry about training and tools (these professionals will come with their own), but there are some other considerations you should think through.
One is that your third-party team is showing up cold. Its members don’t have relationships and trust built with your existing staff. Someone will need to help these people to get the lay of the land. They’ll likely need to know: Where can I work? Who do I talk to about permissions issues? How do I get firewall rules changed? Where is the nearest pizza place? (If you haven’t noticed, pizza is an important part of responding to an incident.)
Another consideration is that professional incident responders are expensive. That is not to say that they aren’t worth it, but you will want to focus them squarely on the work that only they are qualified to do. Imaging and hashing disks, copying packet captures (PCAPs), and picking up infected machines from employees’ desks are all examples of things that need to be accomplished, but which you can have junior IT staff do to keep your highly talented and expensive incident responders on task. This has the added bonus of getting your IT team some experience working in and around security.
You’re also going to make sure you shop around for a company that you trust before an incident occurs. What are the qualifications of the people they’ll send? How long will it take them to spin up after they are activated? What will they do with the data that is derived from the investigation? All these things need to be figured out before work can begin. I cannot emphasize enough, this will be a personally and professionally stressful time. Decisions will need to be made often and quickly. Anything that you can button up beforehand is worth your time investment.
No matter which kind of incident response team you’re dealing with, trust is a key factor. As a business leader, you’ll want to trust the information and advice coming from your team. At the same time, you’ll want the team to feel comfortable enough with you to speak the hard truths that are sure to come. Following the steps outlined above will help you establish a relationship with your team to allow a free flow of communications and help you to feel confident that you’ll make it through this trying time.
Want more cybersecurity insights? Subscribe to the Cybersecurity as a Business Enabler channel: