The wave of ransomware attacks has highlighted many areas of information security, and one of them is incident response. When a company is locked out of its data, knowing how to respond is crucial. When most organizations discover they are victims, it is way too late to create a formal incident response plan. Being reactive to a security incident only prolongs the incident, increases the damages and may have them violating contracts and regulations.
In 2021 it should be pretty obvious that every organization needs an incident response plan. The only question is why so many firms wait until they have an active incident to start thinking about how they need a plan. It is like trying to buy flood insurance in the days before a hurricane. Many people believe they can do it, only to find there is a 30-day period before the policy becomes active, and they have zero protection against the damages of the hurricane in their midst.
For those who want to be proactive when it comes to incident response, two books this month you should consider are Applied Incident Response (Wiley) by Steve Anson and Cyber Breach Response That Actually Works: Organizational Approach to Managing Residual Risk (Wiley) by Andrew Gorecki. The two books complement each other and are excellent references for those who want to create an incident response plan or revamp their existing incident response plan.
Of the two books, Applied Incident Response provides a more technical approach to the topic. Anson focuses heavily on tools, including those for forensic analysis. He gives a highly detailed approach to respond to an incident and has methods to avoid becoming a victim in the first place. This book is made for a security engineer or network analyst who needs to perform malware analysis, threat hunting, forensics gathering and more. For anyone dealing with an actual incident, these incident responders will find this book to be an invaluable resource.
For those needing a more high-level guide around the strategic areas of creating an incident response plan, Cyber Breach Response That Actually Works will be their go-to guide. The book helps create the incident response plan to help them when they need to break the glass.
The book shows how to create an incident response team, what their tasks are and how to deal with the myriad issues when the plan needs to be put in place. Gorecki also gets into the legal issues that may need to be dealt with in the event of a breach. While many companies focus on stopping the breach, they also need to consider how to secure forensic evidence so it can be used in the event you want to pursue legal action against the attackers.
One of the biggest reasons many security incidents don’t make it to court is that the digital forensic evidence was not handled correctly and can’t be admitted as evidence in court. Without that digital evidence, there is often no case.
These two titles provide a comprehensive approach to incident response. Your security and technology managers will want to start with Cyber Breach Response That Actually Works and then have their technical staff read Applied Incident Response.
Between these two titles, a firm will have a solid foundation upon which to build its incident response plan and team. In the event a breach occurs, they will be on solid ground. There really is no alternative—be prepared or go home.