Blog | Apr 14, 2020

Updating your Incident Response Playbook During a Crisis

As we (perhaps uncomfortably?) settle in to the “new work from home normal” (or, as I like to call it, a Modified Disaster Recovery situation), it’s likely a good time to update your Incident Response Playbook, as new cybersecurity threats come to light almost daily in the current environment.

Don’t have an Incident Response Playbook? Start by reviewing this resource NOW:

I typically recommend a complete review of your Incident Response Playbook on an annual basis (with a likely scenario tabletop test every quarter). An annual refresh helps account for significant changes such as new staff, upgraded skills, new partners/vendors or technology.

The preparation column is among the most important facets of the Incident Response Playbook. Just as an ounce of prevention is worth a pound of cure, you’ll find that the better-prepared you are for the eventual incident, the better you’ll emerge from it.

Let’s get started with specifics to consider in these unusual times:

  • Endpoint visibility: Now is the time to ensure that you’ve got full coverage and visibility across all endpoints. Do you remember that great EDR software you purchased but couldn’t find the cycles to install? With a considerable portion of your workforce working remotely, it’s now necessary, and it’s time to test and roll it out
  • Endpoint security: Consider the current process by which you update your endpoints for patch management. Is this process still viable in the mostly-remote scenario? Both regular and emergency patching processes become of higher priority, as does the need for regular remote endpoint vulnerability scanning
  • Readiness: Keep a copy of the Incident Response Playbook handy and printed out (in physical format) in case the network is inaccessible. Have a permanent remote meeting room designated as a war room, pre-defined, pre-published and ready to go. In case there are resource issues with that remote meeting room, have a backup available (from an alternate provider) similarly pre-defined. Ensure that all contact information for critical personnel is up-to-date (I suggest even including their spouse’s cellphone information, with the strongest caveat that you don’t abuse it)
  • Multi-factor authentication (MFA): Historically, implementing MFA has been highly recommended, but given today’s more remote-agile working environment, all users’ remote access should incorporate MFA. It’s critical to start by enabling MFA on all Administrator-level accounts. As late as July 2019, less than 10 percent of O365 administrator accounts had MFA enabled. Now, it’s time!
  • A “Break Glass” MFA protocol: As stated in the previous bullet point, it is critical that MFA is enabled by default, but in case it is unavailable (for whatever reason) there’s a need for old-school administrative controls (with a long, highly randomized password). This emergency authentication method is usually referred to as “break glass credentials”
  • Review vendor access and THEIR updated IR plans: It’s a good time to reach out to your critical vendors, especially if they have access into your environment. Given this “new normal”, they’ll undoubtedly have people working from home as well. As such, their security stance intersects with yours and can expose you
  • Review your cloud infrastructure and assess its security stance: This is the time to analyze the security stance of infrastructure of which you’re not fully in control. This should include cloud (both private and public instances), to ensure that logging measures are in place and that your configurations are secured. This is especially true if they were created in response to the pandemic (and might not have been through a formal vulnerability assessment process)
  • Corporate dependencies: Do you have external systems that rely on a wholly corporate address? By this, I mean external services that rely entirely on corporate IP addressing to restrict their access. It’s time to consider a slight relaxing of this standard, to diminish internal-only (on-prem) dependencies (e.g. IP address lockdowns for external portals/infrastructure management) in case corporate networks suddenly become unavailable (e.g. under the “go dark” protocol described in the next bullet). If there’s no way to diminish these dependencies, build a “jump-off” box for emergency purposes only
  • A “Go Dark” protocol: A “go dark” protocol is a methodology to completely shut down the entire company’s network in case the worst scenario plays out. Of course, it’s critical to have backup access measures in place, and tested. Similarly, tabletop scenarios should take into account what would happen if no one is available on-site to work the incident response process
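As an added example (not part of the original post, nor an eSentire tool) for the MFA and “break glass” bullets above: a PowerShell audit that lists members of privileged O365 roles who have no MFA method registered, while separately flagging the designated break-glass account so its intentional lack of MFA isn’t mistaken for a gap. It assumes the MSOnline module is installed, that `Connect-MsolService` has already been run by an account allowed to read directory roles, and the break-glass UPN below is a placeholder you replace with your own.

```powershell
# Assumption: MSOnline module installed and Connect-MsolService already run.
# Placeholder: replace with your designated emergency (break-glass) account(s).
$breakGlass = @('breakglass-admin@example.com')

# Privileged roles to audit (MSOnline role names as of 2020).
$privilegedRoles = @(
    'Company Administrator',          # Global Administrator
    'Security Administrator',
    'Exchange Service Administrator'
)

$report = foreach ($roleName in $privilegedRoles) {
    $role = Get-MsolRole -RoleName $roleName
    foreach ($member in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        # Groups and service principals are skipped; only user accounts are checked.
        if ($member.RoleMemberType -ne 'User') { continue }

        $user    = Get-MsolUser -ObjectId $member.ObjectId
        $methods = @($user.StrongAuthenticationMethods)
        $state   = $user.StrongAuthenticationRequirements.State
        if (-not $state) { $state = 'Not enforced' }

        [pscustomobject]@{
            Role       = $roleName
            UPN        = $user.UserPrincipalName
            MfaMethods = $methods.Count   # 0 means nothing registered
            MfaState   = $state           # Enabled / Enforced / Not enforced
            BreakGlass = ($breakGlass -contains $user.UserPrincipalName)
        }
    }
}

# Admins with no MFA registered, excluding the documented break-glass account:
"`n== Privileged accounts without MFA (action required) =="
$report | Where-Object { $_.MfaMethods -eq 0 -and -not $_.BreakGlass } |
    Sort-Object UPN -Unique | Format-Table Role, UPN, MfaState -AutoSize

# The break-glass account is listed on its own so it is reviewed deliberately:
"`n== Break-glass account(s) (verify long random password, sign-in alerting) =="
$report | Where-Object { $_.BreakGlass } |
    Sort-Object UPN -Unique | Format-Table Role, UPN, MfaMethods -AutoSize
```

Running this before and after the rollout gives a concrete per-role coverage number to track against the “less than 10 percent” baseline cited above.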

The first priority within any incident response plan is to ensure the safety of your staff. The best way to do this is to be prepared for the security challenges moving ahead. I hope that you’ll take this time to review your Incident Response plans and update with the key points I’ve listed above. And visit this dedicated resources webpage to read more about cybersecurity strategies for uncertain times.

Eldon Sprickerhoff

Founder and Chief Innovation Officer

In founding eSentire, Eldon Sprickerhoff responded to the incipient yet rapidly growing demand for a more proactive approach to preventing and investigating information security breaches. Now with over twenty years of tactical experience, he is acknowledged as a subject matter expert in information security analysis.