Organizations continue to be challenged in their response to global threats, such as Log4j, but Log4j wasn’t the first global-scale cybersecurity threat, and it certainly won’t be the last. Organizations must balance their exposure to these
threats with their risk appetite, while responding in a methodical manner. This piece provides a six-phase framework for building out a global threat response.
Playbooks must be specific to each organization and tailored to the unique circumstances and capabilities present. They should not be simply lifted from one organization and used by another without careful analysis, because a playbook may rely on skills
or technical capabilities the receiving organization does not possess. Conversely, the original playbook may not represent the best course of action for another organization with additional skills or technical capabilities.
Six main phases should be included in any global response playbook:
The implementation of each phase will vary, according to a specific organization’s skills and capabilities.
Responding to a global threat requires mobilizing resources within the organization and diverting them from day-to-day operations and other planned initiatives. As such, response teams for global threats should be activated sparingly. Evaluating the
impact before proceeding with a response partially mitigates the risk of activating the response prematurely. Therefore, the first step in any playbook is to determine, as early as possible, whether the situation warrants a fire-drill response.
A technical stakeholder should be in charge of initiating the response and activating the response team, although any stakeholder in the business should be able to request a new response. Once the decision to respond is made, the factors that
led to the decision to act must be documented. Any factors that would have moved the organization toward inaction should be documented as well. It is critical that this documentation be provided to the party responsible for response oversight.
Undoubtedly, the organization decided to act because of the potential of the global threat to adversely affect the business. The next step is determining exactly how the threat will affect the business if it isn’t adequately mitigated.
Some will argue this step should be performed before the decision to act. In other words, they believe the decision to act should be driven by the projected impact to the organization. While this logic may not seem unreasonable, in practice, getting all
the right stakeholders focused on evaluating impact is often impossible without first activating the response team.
To evaluate the impact effectively, we recommend that organizations:
Once organization-specific impacts have been determined, the organization should reevaluate whether a fire-drill response is indeed appropriate. The team should also create a written justification for the response, which helps avoid "moving
the goal posts": a common situation in which a stakeholder is firmly entrenched in the notion that the issue requires an immediate response and subsequently realigns the organization's stated risk tolerance to the situation to ensure a response happens.
Once the impacts are understood at an organization-specific level, stakeholders must move to understand the scope of the response operation. Identifying the scope includes actions such as determining:
Note that at this stage of the process, the organization should not yet consider the specific remediation actions or response options that will be applied to each system. Doing so distracts from the complete identification of potentially impacted systems
and can result in incomplete response.
Pragmatically, there is another significant justification for this rigorous identification exercise. Many global threat responses require multiple rounds of patching and/or other mitigations before the threat has passed. This can be attributed to researchers
paying additional attention to a particular application or library that had traditionally received little scrutiny. Researchers may also discover bypasses for mitigations that were originally believed to be sufficient. Finally, a patch may itself
be incomplete, requiring organizations to apply additional patches to mitigate the original vulnerability.
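As an added example (this is not code from the original post or from IANS), the following Python script illustrates the identification step and the multiple-rounds problem for the Log4j case the piece opens with. It walks a directory, reads the log4j-core version that Log4j jars declare in their Maven `pom.properties` entry, descends into jars nested inside WAR/EAR/fat jars, and reports which of the four Log4j 2 remediation rounds (CVE-2021-44228 fixed in 2.15.0, CVE-2021-45046 in 2.16.0, CVE-2021-45105 in 2.17.0, CVE-2021-44832 in 2.17.1) are still outstanding for each, so that a host patched in round one is not mistakenly closed out. The sample jars it scans are constructed in a temporary directory and are not real artifacts; the round table assumes the mainline 2.x release line, so hosts on the 2.12.x or 2.3.x backport branches would need their own table.

```python
"""Track which remediation rounds are still open for each log4j-core jar in a tree."""
import io
import os
import tempfile
import zipfile
from pathlib import Path

# Remediation rounds for the Log4j 2 campaign: (CVE, first mainline 2.x release
# that fixes it). Assumption: mainline 2.x only; the 2.12.x / 2.3.x backport
# branches received separate fixed versions and need their own table.
ROUNDS = [
    ("CVE-2021-44228", (2, 15, 0)),
    ("CVE-2021-45046", (2, 16, 0)),
    ("CVE-2021-45105", (2, 17, 0)),
    ("CVE-2021-44832", (2, 17, 1)),
]

# Path of the Maven descriptor that log4j-core jars carry inside the archive.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(text):
    """'2.17.1-rc1' -> (2, 17, 1); drops qualifiers after a dash."""
    return tuple(int(piece.split("-")[0]) for piece in text.strip().split("."))


def _version_in_zip(zf, depth=0):
    """Return the declared log4j-core version in an open archive, searching
    nested archives up to two levels deep (fat jars, WAR/EAR files)."""
    names = zf.namelist()
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if depth >= 2:
        return None
    for name in names:
        if name.endswith(ARCHIVE_SUFFIXES):
            with zipfile.ZipFile(io.BytesIO(zf.read(name))) as inner:
                found = _version_in_zip(inner, depth + 1)
                if found:
                    return found
    return None


def log4j_core_version(path):
    """Version tuple of the log4j-core bundled in an archive, or None."""
    with zipfile.ZipFile(path) as zf:
        return _version_in_zip(zf)


def outstanding_rounds(version):
    """CVEs still open for a given mainline log4j-core 2.x version."""
    return [cve for cve, fixed_in in ROUNDS if version < fixed_in]


def scan_tree(root):
    """Map relative archive path -> (version, [open CVEs]) for every archive
    that bundles log4j-core. Corrupt archives are reported, not silently skipped,
    because an unreadable jar is an unverified host, not a clean one."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            try:
                version = log4j_core_version(full)
            except zipfile.BadZipFile:
                findings[rel] = (None, ["UNREADABLE"])
                continue
            if version is not None:
                findings[rel] = (version, outstanding_rounds(version))
    return findings


def _core_jar_bytes(version):
    """Constructed stand-in for a log4j-core jar: only the Maven descriptor."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()


def make_sample_tree():
    """Constructed sample inventory: three jars at different patch rounds and
    an app.war that hides log4j-core 2.16.0 under WEB-INF/lib. Not real artifacts."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")
    Path(root, "lib").mkdir()
    for ver in ("2.14.1", "2.15.0", "2.17.1"):
        Path(root, "lib", f"log4j-core-{ver}.jar").write_bytes(_core_jar_bytes(ver))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.16.0.jar", _core_jar_bytes("2.16.0"))
    Path(root, "app.war").write_bytes(buf.getvalue())
    return root


if __name__ == "__main__":
    for rel, (ver, open_cves) in sorted(scan_tree(make_sample_tree()).items()):
        print(f"{rel}: log4j-core {ver} -> open: {open_cves or 'none'}")
```

Point `scan_tree` at a real application directory to produce the per-system inventory the scoping phase calls for; the open-CVE list per archive is what the oversight team re-checks after each new patch round rather than closing a system after its first patch.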
It is rare for a global threat to have a single response option. Common options include:
In short, the response options chosen should be system-specific and account for constraints inherent in each individual system.
With response options appropriately identified and assigned for each affected system, the response begins. Coordination is required to ensure multiple response actions do not place the organization at undue risk. For example, coordination is important
Oversight during the response is critical. As mentioned previously, the oversight team should be responsible for coordinating response actions in a way that minimizes downtime. The oversight team also has two other important responsibilities:
Organizations can and should create playbooks to facilitate appropriate responses to global threats. To ensure your playbooks are successful, be sure to:
June 30, 2022
By IANS Faculty