Responding to a cyber incident – the cyber chess game
Whether you’re a small or large business, it’s important to understand that cyber incident response is a long process that takes time and effort to perfect and fine-tune.
A well-established Cyber Incident Response framework is essential for organisations. Having a “fit-for-purpose” foundation, regularly tested through practice, can be the difference between overcoming a cyber threat efficiently or facing a cyber disaster with long-lasting consequences. This chapter explores the key elements of Governance (The Strategic Layer), Operations (The Tactical Layer), and the Digital Surface (The Information Technology Layer), all of which are crucial for effective cyber incident response. Whether your organisation is large, medium, or small, understanding these layers will improve your chances of defending against a cyber-attack.
Cyber incident response can be compared to cyber chess. The more you understand the strategy and practice how to move your pieces effectively, the better your chances of successfully overcoming the challenge. Each move, whether strategic governance or tactical operations, plays a role in protecting your organisation. Just like in chess, preparation and understanding strategy are essential, and so is the ability to adapt by recognising the many possible moves your opponent might make, requiring you to adjust your approach in real-time.
Governance – get comfortable with the rules of the challenge
Governance is the foundation for effective incident response. An organisation, like a chess player, must know the rules and tactics required to respond and practice them to improve over time.
Documentation and organisational structure play a critical role in this process: together they act as the rulebook that defines how an organisation prepares for and responds to incidents, guiding each team on their specific roles and actions. Without well-developed documentation and a defined cyber incident response team structure, it becomes difficult to ensure coordination among teams or to make effective decisions during high-pressure moments. Even for small businesses, it’s important to have some documentation in place, so that you’ve thought through your response in advance. For any organisation, the Incident Response Plan (IRP) is the first place to start, as it provides the foundation upon which other governance elements can be built.
Depending on the size of your organisation, here are some of the key governance documents you need to develop:
- Board Cyber Guidance Documentation: Provides high-level direction to the board on cybersecurity priorities and risk levels, aligning the incident response strategy with business objectives.
- Crisis Management Plan (Cyber Adapted): Outlines how the organisation will respond to significant cyber crises, ensuring business continuity and minimizing reputational damage.
- Incident Response Plan: Offers a detailed, step-by-step guide on how to detect, contain, and recover from cyber incidents, defining all teams, their roles and responsibilities.
- Communication Plan(s): Defines how internal and external communications will be managed during a cyber incident to ensure consistent messaging and prevent misinformation.
- Incident Response Runbooks: Provide specific tactical instructions for handling different types of cyber threats, such as ransomware or phishing, ensuring rapid and consistent responses.
- Stakeholder Maps and Thresholds: Identify key stakeholders and the conditions under which they should be notified, ensuring compliance with regulatory obligations and fostering transparency.
- Computer and Data Asset Registers: Catalogue all critical assets, including systems and data, to support asset management and facilitate quick decision-making during an incident.
- Business Continuity Plans: Ensure that essential business functions can continue or resume quickly during and after a cyber incident.
- Disaster Recovery Plans: Focus on restoring IT systems and data following a cyber incident, ensuring the organisation can return to normal operations.
- Training Programs: Provide regular training for staff on cyber incident response procedures to ensure preparedness and continuous improvement.
The Incident Response Plan
An Incident Response Plan (IRP), as mentioned, is the cornerstone of any response strategy. It provides a clear checklist to guide actions during a cyber incident. When creating your plan, these are the kinds of things you need to think about and record:
- Defining the purpose and scope of the plan.
- Assigning roles and responsibilities for the response, including a stakeholder map of who in your organisation (e.g., HR, Finance, IT) needs to be involved to address different aspects of the response.
- Categorising incidents and setting severity levels that define reaction times and the effort required.
- Establishing detection, reporting, and escalation procedures.
- Outlining the phases of response, including preparation, containment, and recovery.
- Developing communication strategies for internal and external stakeholders.
- Connecting the plan to registers of critical assets and processes to protect.
- Connecting the plan to runbooks designed to address the specific threats relevant to your organisation. It’s often easier to develop detailed steps for each type of incident within a runbook, rather than embedding all scenarios into the main incident response plan, allowing the runbooks to be updated more frequently. (For example, do you now need a runbook for deepfake or AI-related incidents that you didn’t have before?)
- Considering legal and insurance requirements that you may need based on the impact of the incident.
- Building continuous improvement through training and lessons learned.
Operations – the chess pieces
To succeed, your teams must work together like chess pieces, each with specific roles and capabilities. If any piece is missing, it weakens your response, so whether you are a small, medium, or large organisation, you may need to acquire or outsource certain roles based on your size, risk appetite, and capabilities.
As mentioned, each team or role has a specific remit and accountability, contributing to different aspects of incident response. Within each team, it is important to focus on three key elements:
- People: Do the individuals in each team have the necessary experience and expertise to fulfill their roles in a cyber incident? If not, they may require additional training or support to ensure they can act effectively when needed. This ensures that team members are not only present but also prepared to meet the demands of their responsibilities during an incident.
- Processes: What processes are in place to guide each team’s actions? These should align with the team’s specific functions during an incident, such as containment, communication, or recovery, to ensure a smooth and coordinated response.
- Technology: What tools and systems are available to support each team’s role? Technical teams need detection, analysis, and containment tools (among others), while non-technical teams like HR or Finance require systems aligned with their functions. It’s also important that teams performing critical functions have technology they can fall back on if their primary tools are compromised. For example, a communications team should consider backup methods in case their primary communication tools are impacted during a cyber incident.
By ensuring each team has the right people, processes, and technology in place, your organisation will be better equipped to respond efficiently. Collaboration across teams is essential, as no single role can address every aspect of a cyber incident.
Digital surface – your chessboard
The digital surface represents the environment where the cyber incident occurs. Just as a chess player needs to see the entire board to plan and execute moves effectively, your organisation must have full visibility and control across its digital assets. This includes, but is not limited to, internal systems, cloud platforms, websites, and social media channels. Without visibility, you won’t know where attackers are, and without control, you can’t stop or mitigate the threat effectively.
Visibility
Visibility means having a clear and complete understanding of your systems, data, and activities across the organisation, both in real-time and historically. Here are some considerations to keep in mind:
- Know your assets: Ensure you have a complete inventory of your data, systems, applications, and services. In cyber incident response, it’s critical to be able to reference what systems have been impacted and understand what business processes those systems support, enabling faster prioritisation and response.
- Classify your data: Identify and categorise data based on sensitivity (e.g., personal, financial, confidential). During a cyber incident, knowing what data has been affected and from which system is essential to understanding the impact on customers, compliance, and operations.
- Set up alerts for suspicious activity: Ensure your monitoring systems can detect unusual behaviours, such as unauthorized access or unusual traffic patterns, so you can act quickly.
- Access to historical data: Determine how far back your monitoring systems can provide logs and records. This helps with investigations, as some incidents require tracking patterns that span weeks or months.
Control
Control refers to the ability to act on alerts and manage systems effectively to contain and mitigate threats when they arise. Consider the following:
- Make alerts actionable: Once a threat is detected, can you act on it? Ensure you have processes and tools in place to act when alerts are triggered. Think about the process or tool you need to contain a specific threat.
- Backup and recovery preparedness: It’s important to have backups stored securely in case a cyber incident compromises your data. Determine how far back you can recover both data and system configurations; this can make the difference between a quick recovery and prolonged downtime. Also think about whether your backups are tamper-proof or easily accessible to a malicious actor.
- Have fail-safes for critical technology: Consider what alternative systems you have available if key tools or platforms become compromised. For example, ensure you have backup communication tools in case your primary systems are unavailable during a crisis.
Identifying what to protect and prioritising your response
Not all incidents require the same level of response, and understanding what is critical to your business will help prioritise your actions. Two key areas to focus on are critical processes and critical data. Critical processes, such as payroll systems or a sales website, are essential for keeping your business running; if they stop, your operations will suffer. Critical data, such as customer records or employee information, must be protected because if it leaves your business, you could face serious reputational or regulatory issues.
An example from the physical world shows how digital controls should function. A bank secures its vault, its most critical asset, with the highest level of protection, while areas with minimal impact, such as the cafeteria, have fewer controls. We should treat our digital processes and environment the same way, by understanding what is most important and focusing our efforts there first.
A good way to figure out where to start in a cyber incident is to consider the critical processes and critical data described above, and then make a priority list that identifies which ones matter most. Prioritising these will help guide and plan your cyber incident response activities so that they focus where it matters most.
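As an added illustration (not code from the chapter or its authors), the following ties together the asset register, data classification and priority-list ideas above: each system is linked to the business processes it supports and the data classes it holds, and a set of impacted systems is ranked so the response starts where the impact is greatest. The criticality and sensitivity weights, the asset names and the register contents are all constructed assumptions.

```python
# Added example: rank impacted systems using an asset register that records the
# business processes each system supports and the data classes it holds.
from dataclasses import dataclass

# Illustrative weights (assumptions, not figures from the chapter).
PROCESS_CRITICALITY = {"payroll": 5, "sales-website": 5, "intranet-wiki": 1}
DATA_SENSITIVITY = {"personal": 4, "financial": 4, "confidential": 3, "public": 0}


@dataclass
class Asset:
    name: str
    processes: list  # business processes this system supports
    data: list       # data classes held on this system


def impact_score(asset: Asset) -> int:
    """Most critical process supported plus most sensitive data class held."""
    proc = max((PROCESS_CRITICALITY.get(p, 0) for p in asset.processes), default=0)
    data = max((DATA_SENSITIVITY.get(d, 0) for d in asset.data), default=0)
    return proc + data


def prioritise(register: dict, impacted: list) -> list:
    """Return (name, score, processes, data) for each impacted system, highest first.

    A system missing from the register gets score -1 and is flagged, so the
    gap in visibility is itself surfaced instead of silently ignored.
    """
    ranked = []
    for name in impacted:
        asset = register.get(name)
        if asset is None:
            ranked.append((name, -1, ["UNKNOWN: not in register"], []))
            continue
        ranked.append((name, impact_score(asset), asset.processes, asset.data))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample register (hypothetical system names).
REGISTER = {a.name: a for a in [
    Asset("hr-db", ["payroll"], ["personal", "financial"]),
    Asset("web-01", ["sales-website"], ["public"]),
    Asset("wiki", ["intranet-wiki"], ["confidential"]),
]}

if __name__ == "__main__":
    # "nas-02" is deliberately absent from the register to show the flagging.
    for row in prioritise(REGISTER, ["wiki", "web-01", "hr-db", "nas-02"]):
        print(row)
```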
Key takeaways
So, for good incident response, consider the following key elements:
- Governance: Develop well-structured documentation, including incident response plans and runbooks, to guide your teams.
- Operations: Ensure you have access to the right people, processes, and technology in place to act quickly and efficiently.
- Digital surface: Maintain visibility and control over your systems and data to detect and mitigate threats effectively.
- Prioritisation: Focus on critical processes and data, and build a priority list to guide your response.
Whether you’re a small or large business, it’s important to understand that cyber incident response is a long process that takes time and effort to perfect and fine-tune. In the meantime, it’s always good to have someone to call for support. Identify a provider that fits your organisational culture and budget; there are providers available for all levels of need. Also consider what support options you may already have in place.
This is a chapter from a new free e-book created in partnership with Cyber Daily.