NZ Incident Response Bulletin - April 2021


The April edition of the NZ Incident Response Bulletin was published today. The bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Each Bulletin also includes a section of our own content based on a trending theme; this month's theme is “Electronic Incident Control Rooms”.

Each article contains a brief summary and, where appropriate, a linked reference on the web for detailed information.

Why do we publish this bulletin? Because we want to keep you up to date with the latest Forensic and Cyber Security news, so that you aren't caught by surprise and you know about risks and changes before they become problems.

Electronic Incident Control Rooms

Successfully managing a cyber incident is crucial to minimising the impact of any compromise. 'Good' in this context means lower recovery costs, avoided liabilities, and a quick return to business as usual. In our day-to-day work as incident responders and forensic examiners, we cannot overstate the importance of having a structured plan to achieve this and to manage any crisis effectively. However, we have also witnessed first-hand, both during active events and through our cyber simulations, the collaboration challenges involved in managing a cyber incident. Challenges we have seen repeatedly for organisations during this process include:

Selecting appropriate communication and collaboration tools: Do all Cyber Incident Response Team (CIRT) members have access to the chosen tools? Does everyone know we are using X tool? What happens if our systems are down due to a cyber-attack? What happens if we are all working from home or in multiple locations? How do we add all the relevant people to the communication group when time is of the essence?

Difficulties in securely sharing critical information: How can we ensure everyone has access to the information they need during an incident? How can we review what has already been done? Where can we post files so that partners and third parties can view them? How do we keep shared material up to date?

Challenges with keeping track of progress through the Incident Management Plan: Do all key stakeholders hold a printed copy of the Incident Response plan? What page are we on now? Where do I find this information?

Difficulties with managing actions and decisions and providing visibility of information: Who is doing what right now? Was that decision made? When and why did we decide this?

Lengthy update meetings and stand-ups: How do we spend less time keeping everyone up to date and more time responding?

Plan updates and playbooks: When was the plan last updated? What actions do we take for this new type of attack?

Reporting and post-incident review: Did anyone save the whiteboard notes? Who knows when the first notification came through?

Whilst much of the magic involved in a smooth response comes down to knowledge, experience, and strong incident responder skills, we know and endorse the benefits of a pre-prepared, cloud-based incident response control room.

Its advantages include:

The ability to quickly add new playbooks based on new threats: An electronic control room grants the ability to dynamically change and update information in real time and to add new playbooks when required. For example, we recently developed a Microsoft Exchange Server playbook in response to the developing threat. This playbook saved significant time when responding to those compromises.

Provides a single source of truth: The electronic control room becomes the location for the plan, playbooks, actions, meetings, minutes, documents and any other information related to the active incident. The whole team can see immediately what actions are assigned to them, what has been completed and what is yet to be done.

Allows secure collaboration: Secure access can easily be granted to all parties needing to collaborate in an incident, regardless of where everyone is located. Individual areas can also be locked down to smaller groups where necessary, so that legal, forensic or executive material is visible only to those who need it. Hosted outside your network, the electronic control room remains available even if your own systems are impacted, provided its authentication does not itself depend on the systems under attack (for example, sign-on federated through your own Active Directory) and break-glass accounts for the CIRT are set up and tested in advance.

Post-Incident Review: All information captured within the control room can be archived, providing an auditable record of all actions taken throughout the incident.
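The 'auditable record' above is only as good as its resistance to retroactive editing: an action log that anyone with write access can quietly amend is not evidence. As an added example (not the bulletin's tooling, and not any particular control room product), the following Python sketch keeps a hash-chained, append-only log of incident actions and decisions, so that editing, reordering or deleting an earlier entry breaks every hash that follows it. The incident ID, actors and timestamps are constructed sample data.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

GENESIS_HASH = "0" * 64  # placeholder "previous hash" for the very first entry


@dataclass
class ActionEntry:
    seq: int
    timestamp: str
    actor: str
    action: str
    prev_hash: str
    entry_hash: str


class IncidentActionLog:
    """Append-only, hash-chained record of incident actions and decisions.

    Each entry's hash covers its own fields plus the previous entry's hash,
    so any later change to an earlier entry invalidates the rest of the chain.
    Illustrative code added to this page; assumes nothing beyond the stdlib.
    """

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries: list[ActionEntry] = []

    def _hash(self, seq: int, timestamp: str, actor: str, action: str, prev_hash: str) -> str:
        # Canonical JSON (sorted keys, no whitespace) so equal fields always hash identically
        canonical = json.dumps(
            {"incident": self.incident_id, "seq": seq, "timestamp": timestamp,
             "actor": actor, "action": action, "prev_hash": prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

    def append(self, actor: str, action: str, timestamp: Optional[str] = None) -> ActionEntry:
        seq = len(self.entries)
        prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = ActionEntry(seq, ts, actor, action, prev_hash,
                            self._hash(seq, ts, actor, action, prev_hash))
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Walk the chain. Return (True, -1) if intact, else (False, index of first bad entry)."""
        expected_prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            recomputed = self._hash(e.seq, e.timestamp, e.actor, e.action, e.prev_hash)
            if e.seq != i or e.prev_hash != expected_prev or recomputed != e.entry_hash:
                return False, i
            expected_prev = e.entry_hash
        return True, -1


def build_sample_log() -> IncidentActionLog:
    """Constructed sample timeline: fictional incident ID, actors and times."""
    log = IncidentActionLog("INC-EXAMPLE-001")
    log.append("soc-analyst", "First notification received from EDR alert", "2021-03-03T09:15:00+00:00")
    log.append("incident-lead", "Decision: isolate Exchange server from network", "2021-03-03T09:40:00+00:00")
    log.append("forensics", "Memory and disk images acquired", "2021-03-03T11:05:00+00:00")
    return log


def tamper_and_check() -> dict:
    """Show that verification catches a retroactive edit and a deleted entry."""
    results = {}
    results["intact"] = build_sample_log().verify()

    edited = build_sample_log()
    edited.entries[1].action = "Decision: keep Exchange server online"  # rewrite a past decision
    results["edited"] = edited.verify()

    deleted = build_sample_log()
    del deleted.entries[1]  # remove a decision from the record entirely
    results["deleted"] = deleted.verify()
    return results


if __name__ == "__main__":
    for case, (ok, idx) in tamper_and_check().items():
        print(f"{case:8s} -> chain {'intact' if ok else 'broken at entry ' + str(idx)}")
```

A hash chain on its own only proves internal consistency; someone with write access to the whole log could recompute every hash. To make the record evidential, periodically anchor the latest `entry_hash` somewhere the log's writers cannot alter (a signed export to a second system, or a note sent to external counsel with the hash in it), so the archived chain can be checked against that anchor at the post-incident review.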

As managing a complex cyber incident can be daunting, we recommend setting up a pre-configured control room ready to go should the worst happen. With a small amount of preparation, this will aid a smooth and successful response to any cyber incident your business may face.

The Bulletin:

To obtain a full copy of the Bulletin, please visit https://incidentresponse.co.nz/bulletin
