5 Essentials of a World-Class Incident Response Program

Cisco Talos

By Matt Olney, Director, Threat Intelligence and Interdiction, Cisco Talos


When you're defending, a multitude of possibilities compete for your attention. If you had visibility into incidents across industry verticals and around the world, which of these possibilities would you act on? From the perspective of a threat intelligence director who gets to work with both incident responders and intelligence analysts, here are five essential components of any IR program that help you better prepare for, respond to and recover from attacks.

  1. It's all about backups. Yes, you've heard it before and as unattractive as it sounds, performing regular backups and storing crucial backup data offline is paramount. These backups must be well protected, because attackers will work to destroy them if they can.
  2. Don't take a set-it-and-forget-it approach. For security technologies to work, we need to pay attention to what they're telling us. In other words, closely monitor for alerts and abnormal behaviors. The security group should work closely with networking and IT teams to ensure that technologies are properly configured, and that any anomalies are thoroughly investigated.
  3. Practice, practice, practice. Don't wait until the day of an attack to see if your plan actually works; practice what you'd do in certain scenarios to minimize impact. Train your team members on their respective roles, and include other key business units and stakeholders in your preparation. For example, if the public relations and internal communications teams need to be involved when an incident hits (they do), then they should also be part of the practice sessions.
  4. If you're not retaining the right logs, you'll be left with nothing but questions. Logging can be expensive and is often challenging to centralize, configure and tune. However, it is essential to making threat analysis and response possible. As part of your IR practice, make sure your logs can answer the questions that are being asked and are kept for long enough to be effective. The only way to learn from an incident is to understand how the actors accessed and moved through your network, and logs are critical to that understanding.
  5. Focus on secure access. Hardening your systems won't do any good if threat actors can steal user credentials and log in (which is one of the main ways they are currently infiltrating today's networks). Educate your employees on the importance of strong passwords, and deploy multi-factor authentication (MFA), so that a stolen password doesn't result in an attacker having the keys to your kingdom.

The nature of the modern threat landscape is such that no organization can prevent every cyberattack. But being prepared can mean the difference between a minor disruption and catastrophic consequences.

If you need assistance with your IR plan, Cisco Talos Incident Response Services helps bolster your defenses and provides rapid support when you need it most. Additionally, the Cisco Secure portfolio and the SecureX platform play a pivotal role in enabling thousands of customers to protect their infrastructure. To learn how effective IR contributes to building successful programs, check out Cisco's 2021 Security Outcomes Study.
