From the course: Cybersecurity Foundations

Measuring incident management maturity


- [Narrator] The effort put into preparing for an incident will be paid back many times over through a timely and effective response which contains the damage. Preparation involves establishing and training an incident response team, establishing and exercising processes, and acquiring the necessary tools and resources. Once a basic program is up and running, it's useful to carry out a baseline survey of incident response preparedness. CREST UK has developed an incident response maturity assessment tool, which is free to download and use. This is a spreadsheet-based tool which contains over 600 questions across the three stages of incident management. And it can be used to assess an organization's readiness to respond to a cyber attack. A summary version of the tool with just a handful of higher level questions is also available for download from the website shown here. Another early task for the incident response team will be to take advantage of the strategic threat intelligence sources which are being used to inform the cyber risk management team. In addition to the threat reports, it's useful to have tactical and operational threat intelligence. Tactical information exchange is usually available within an operating community. A good example of this is the financial services FS-ISAC. FS-ISAC is an intelligence sharing community for the banking industry. This allows organizations to get early warnings and real-time information about the kind of activities that are impacting other members of the community. At an operational level, the use of mechanisms for distributing indicators of compromise provides real-time actionable intelligence for feeding into firewalls and intrusion detection devices. MITRE has been leading the development of standards for operational feed mechanisms, and the STIX/TAXII protocols are widely recognized within the incident response community. Incident response procedures need to be defined and installed. 
An issue tracking system is an important tool to enable effective incident management from operational detection through to resolution and recovery. While a standard service management or IT operations ticket system may include incident tracking, it may not satisfy the full requirements for security incident handling. TheHive is an open source cybersecurity incident management system which runs in the cloud and allows multiple teams to collaborate on incident investigations. It enables automated analysis at scale of incoming incident information and includes integrated real-time threat intelligence. Another requirement is to establish a set of response playbooks which detail the actions to be taken for specific categories of incident. Many incident response teams create a jump kit, which is a portable case that contains materials that may be needed during an investigation. A jump kit typically includes a laptop loaded with networking and forensic software, backup devices, blank media, and basic networking equipment and cables. The preparation stage is a good time to build relationships in the incident response community, so that access to information and support comes naturally during a crisis. It's also a good time to build relationships inside the company, particularly with the IT team, so that there are no political stumbling blocks when a response is necessary. Finally, incident responders will need to be able to function effectively when managing the containment of an incident. And this means having pre-authorization to take unilateral action and make or direct emergency changes. The last thing a good crisis needs is decision making by committee. With a team established, the key element of ongoing preparation is cyber crisis exercises. These exercise the incident response procedures as well as the skills of the team, and provide visibility of the impact of a cybersecurity incident on the organization. 
The initial website provides a substantial amount of training and exercise material which can be used for internal CERT training and as the basis for customization to the wider crisis management program. This includes handbooks, tools, and a full program of pre-exercise training through to complete exercises.
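The narrator describes operational threat intelligence as indicators of compromise distributed in STIX over TAXII and fed into firewalls and intrusion detection devices. The following added example (not part of the course material, and not code from CREST, MITRE or any real feed) shows the defender's side of that pipeline: it takes a constructed STIX 2.1 bundle, pulls the IPv4 and domain-name comparisons out of each indicator's pattern with a deliberately simplified regular expression rather than a full STIX pattern parser, emits a firewall-style blocklist, and runs the indicators over a few constructed log lines to show how a detection pass avoids false matches on prefixes such as 198.51.100.70 versus 198.51.100.7. All bundle identifiers, addresses, domains and log lines are made up for the example.

```python
import json
import re
from typing import Dict, List

# Constructed STIX 2.1 bundle for illustration only. The UUIDs, addresses and
# domain are placeholders, not real indicators from any feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example.net'] OR "
                    "[ipv4-addr:value = '203.0.113.9']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         # A hash indicator: not a network observable, so it is ignored below.
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']",
         "valid_from": "2024-01-01T00:00:00Z"},
        # Non-indicator objects in a bundle are skipped.
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "placeholder-family", "is_family": True},
    ],
})

# Constructed log lines. Line 3 contains 198.51.100.70, which must NOT match
# the indicator 198.51.100.7.
LOG_LINES = [
    "2024-03-01T10:00:01Z fw deny src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2024-03-01T10:00:02Z dns query host01 bad.example.net A",
    "2024-03-01T10:00:03Z fw allow src=10.0.0.6 dst=198.51.100.70 dport=80",
    "2024-03-01T10:00:04Z fw allow src=10.0.0.7 dst=192.0.2.1 dport=80",
]

# Simplified extraction of "[<type>:value = '<literal>']" comparisons from a STIX
# pattern. This handles the common network observables only; a production
# consumer would use a real STIX pattern parser.
COMPARISON_RE = re.compile(r"(ipv4-addr|domain-name):value\s*=\s*'([^']+)'")


def extract_indicators(bundle_json: str) -> Dict[str, List[str]]:
    """Return {'ipv4': [...], 'domain': [...]} from a STIX 2.1 bundle string."""
    bundle = json.loads(bundle_json)
    out: Dict[str, List[str]] = {"ipv4": [], "domain": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # e.g. snort or yara patterns need their own handling
        for obj_type, value in COMPARISON_RE.findall(obj.get("pattern", "")):
            key = "ipv4" if obj_type == "ipv4-addr" else "domain"
            if value not in out[key]:
                out[key].append(value)
    return out


def to_blocklist(indicators: Dict[str, List[str]]) -> List[str]:
    """Render indicators as one-entry-per-line blocklist text (host routes as /32)."""
    lines = [f"{ip}/32" for ip in indicators["ipv4"]]
    lines += [f"domain:{d}" for d in indicators["domain"]]
    return lines


def _whole_token(value: str, line: str) -> bool:
    # Require the value to stand alone: no word character or dot on either side,
    # so 198.51.100.7 does not match inside 198.51.100.70.
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", line) is not None


def match_log_lines(indicators: Dict[str, List[str]], log_lines: List[str]) -> List[str]:
    """Return the log lines that reference any extracted indicator."""
    values = indicators["ipv4"] + indicators["domain"]
    return [line for line in log_lines if any(_whole_token(v, line) for v in values)]


if __name__ == "__main__":
    ind = extract_indicators(SAMPLE_BUNDLE)
    print("\n".join(to_blocklist(ind)))
    for hit in match_log_lines(ind, LOG_LINES):
        print("HIT:", hit)
```

The lookbehind and lookahead in `_whole_token` are the point worth noticing: naive substring matching of a feed against logs produces false positives on longer addresses and on parent/child domains, which is exactly the kind of noise that erodes trust in an automated intelligence feed. Real STIX patterns can combine observables with boolean operators, qualifiers and timing windows, so for anything beyond this illustration use a proper STIX 2 library rather than the regular expression above.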