Organizations continue to be challenged in their response to global threats, such as Log4j, but Log4j wasn’t the first global-scale cybersecurity threat, and it certainly won’t be the last. Organizations must balance their exposure to these
threats with their risk appetite, while responding in a methodical manner. This piece provides a six-phase framework for building out a global threat response.
Playbooks must be specific to each organization and tailored to the unique circumstances and capabilities present. They should not be simply lifted from one organization and used by another without careful analysis, because a playbook may rely on skills
or technical capabilities the receiving organization does not possess. Conversely, the original playbook may not represent the best course of action for another organization with additional skills or technical capabilities.
Six main phases should be included in any global response playbook:
The implementation of each phase will vary, according to a specific organization’s skills and capabilities.
Responses to global threats require mobilizing resources within the organization, which distracts from day-to-day operations and other planned initiatives. As such, response teams for global threats should be activated sparingly. Evaluating the
impact before proceeding with a response partially mitigates the risk of activating the response prematurely. Therefore, the first step in any playbook is to determine as early as possible whether the situation warrants a fire-drill-type response.
A technical stakeholder should be in charge of initiating the response and activating the response team, although any stakeholder in the business should be able to request a new response. Once the decision to respond is made, the factors that
led to the decision to act must be documented. Any factors that would have moved the organization toward inaction should be documented as well. It is critical that this documentation be provided to the party responsible for response oversight.
Undoubtedly, the organization decided to act because of the potential of the global threat to adversely affect the business. The next step is determining exactly how the threat will affect the business if it isn’t adequately mitigated.
Some will argue this step should be performed before the decision to act. In other words, they believe the decision to act should be driven by the projected impact to the organization. While this logic may not seem unreasonable, in practice, getting all
the right stakeholders focused on evaluating impact is often impossible without first activating the response team.
To effectively evaluate the impact, we recommend that organizations:
Once organizationally specific impacts have been determined, the organization should reevaluate whether a fire-drill response is indeed appropriate. The team should also create a written justification for the response, which helps avoid “moving
the goal posts”—a common situation where a stakeholder is firmly entrenched in the notion that the issue requires an immediate response and, subsequently, realigns the organization’s risk tolerance to the situation to ensure a response
Once the impacts are understood at an organization-specific level, stakeholders must move to understand the scope of the response operation. Identifying the scope includes actions such as determining:
Note that at this stage of the process, the organization should not yet consider the specific remediation actions or response options that will be applied to each system. Doing so distracts from the complete identification of potentially impacted systems
and can result in incomplete response.
Pragmatically, there is another significant justification for this rigorous identification exercise. Many global threat responses require multiple rounds of patching and/or other mitigations before the threat has passed. This can be attributed to researchers
paying additional attention to a particular application or library that had traditionally received little scrutiny. Researchers may also discover bypasses for mitigations that were originally believed to be sufficient. Finally, a patch may itself
be incomplete, requiring organizations to apply additional patches to mitigate the original vulnerability.
It is rare for a global threat to have a single response option. Common options include:
In short, the response options chosen should be system-specific and account for constraints inherent in each individual system.
With response options appropriately identified and assigned for each affected system, the response begins. Coordination is required to ensure multiple response actions do not place the organization at undue risk. For example, coordination is important
Oversight during the response is critical. As mentioned previously, the oversight team should be responsible for coordinating response actions in a way that minimizes downtime. The oversight team also has two other important responsibilities:
Organizations can and should create playbooks to facilitate appropriate responses to global threats. To ensure your playbooks are successful, be sure to:
February 29, 2024
By IANS Research