
Why incident response plans don't fly

Rethinking incident response for major cyberattacks


Imagine a scenario: turbulence hits your airplane mid-flight. Oxygen masks drop, a calm voice instructs you on their use. Passengers don't scramble for the emergency manual tucked in the seat pocket. Years of safety briefings and practice drills have ingrained the steps – muscle memory kicks in, ensuring a swift, coordinated response.

The same should be said for major cyberattacks. While traditional incident response plans (playbooks) serve a purpose, they’re often out of date or fall short when faced with complex, large-scale attacks. Here's why relying solely on playbooks can be a recipe for disaster:

The Limits of Playbooks: When Muscle Memory Isn't Enough

In a recent KPMG incident response, the threat actor evicted our client from their own cloud data center (i.e. the client no longer had admin access to any of their cloud resources) – would your playbook cover this situation? Traditional playbooks function best for well-defined incidents, like routine malware infections. These plans offer step-by-step procedures for a known threat. But major cyberattacks are different beasts entirely. They're intricate, often involving multiple attack vectors, and supplemental domains including privacy, e-discovery, recovery, crisis communications, cyber insurance, litigation, and regulatory response. A static playbook simply can't encompass the full scope and dynamism of such an attack.

Speed Bumps on the Runway: The Problem with Rigidity

Major attacks unfold rapidly, demanding swift decisions and resource allocation. Traditional playbooks, with their rigid procedures and bureaucratic language, can become major speed bumps. With the latest breaches taking only minutes, not days, the time it takes to consult and follow a pre-defined script can be the difference between containing the breach and suffering a catastrophic data loss.

“An Incident Response Plan’s benefits should not be taken to such an extreme that it’s rendered a hindrance,” says Blair Dawson, Data Privacy & Cybersecurity attorney at McDonald Hopkins. “Application of the Incident Response Plan, or Playbook, as a roadmap for nuanced incident response is the most effective use of the tool rather than rigid, unyielding adherence to every step as written while conjuring up hypotheticals at the time it was created.”

Uncharted Territory: When Playbooks Leave You Grounded

Large-scale attacks often present novel situations, employing sophisticated tactics and exfiltration techniques unseen before. Playbooks, reliant on pre-defined procedures for known threats, may have no answers for these unique challenges. This leaves response teams scrambling to understand the attack and formulate a response from scratch.

“It’s important to leave enough ‘wiggle room’ in an Incident Response Plan so that it can be easily and quickly adapted to a multitude of unanticipated situations,” says Dawson. “Some of the most important areas to outline in the Playbook are key contacts and their roles – identifying the decision makers rather than scripting the decisions.”

Beyond the Cockpit: When Stakeholders Need More Than a Briefing

Major attacks aren't just a technical challenge – they have significant legal and regulatory implications. Law enforcement, regulators, and affected clients all become stakeholders in the response. Playbooks, with their narrow focus on internal procedures, may not address the communication and coordination required to manage these external parties effectively.

“One of the areas that are often overlooked in the planning phase is communications. It is difficult for stakeholders to clearly assess the effect certain messaging may have on employees, customers, regulators and the media when in the midst of a crisis,” Dawson states. “The knee-jerk reaction to over-promise, offer unverified information and unrealistic timelines can be catastrophic to an organization’s recovery from a reputational and relationship perspective. Once a misstatement is made, it is impossible to take back and undermines the organization’s credibility and perceived ability to properly address the situation. Communications should be thoughtfully considered and loosely scripted for modification in the midst of a crisis during the planning phase.”

Flying Blind: The Missing Piece of Legal Compliance

Playbooks rarely delve into the complex legal and regulatory considerations that arise from major attacks – especially for multijurisdictional environments. Organizations often have reporting obligations to authorities and industry bodies. Traditional playbooks may lack the legal and compliance nuances needed to navigate these complexities, potentially exposing the organization to further liabilities.

“Key to the planning phase is identifying legal support with the requisite expertise. It is critical to include experienced legal counsel (aka a breach coach) to ensure privilege over sensitive information and work product to the extent possible and to continually assess an organization’s legal obligations whether they arise from statute, contract or regulations,” Dawson recommends.

Building Muscle Memory for a Soft Landing

While playbooks often serve a purpose, and offer a valuable starting point, they're not enough to handle the complexities of major cyberattacks. Organizations need to know when to move beyond static procedures and develop muscle memory. So how do we achieve a soft landing? Here's how to get there:

  • Simulate the Storm: Purple Teaming and Beyond
    Conduct regular simulations, like purple teaming exercises or adversary simulations, to test your incident response plan and identify weaknesses. These exercises should mimic real-world attacks, forcing your team to adapt and collaborate under pressure.
  • Tabletop Exercises: Knowing Your Role
    Organize tabletop exercises where internal and external team members can walk through different incident scenarios, familiarize themselves with their roles and responsibilities, and practice critical decision-making.
  • Onboard Your Crew: Bringing Vendors into the Fold
    Don't wait for the incident to meet your security vendors and legal counsel for the first time. Establish relationships with key providers beforehand, onboard them with your environment, and conduct joint exercises to ensure smooth collaboration during a real attack.

By adopting a comprehensive (but flexible!) incident response strategy that emphasizes preparation and muscle memory, organizations can transform their ability to handle major cyberattacks. Remember, a well-rehearsed response team is your best defense against the unexpected on a Friday afternoon!

Special thanks to Blair Dawson, JD, MS CyS, FIP, CIPP/US, CIPP/E, CIPM, McDonald Hopkins LLC, for supporting contributions.
