Forensic Readiness
“Expect the best, prepare for the worst”
Establish relationships
Have you ever tried to find a good electrician at a time when you really needed one?
Incident response specialists are a lot like electricians, only more difficult to find. To ensure that you are able to deal with an incident calmly, carefully and appropriately, you need to be able to call on people you trust, with whom you've worked before and who know you, your staff and your environment.
Calling in an unknown computer engineer who has to figure out your network topology while it's under attack and sections are being quarantined is no way to get to the bottom of what's going on.
By establishing relationships with people you're likely to need during an incident, you can build a rapport and share the knowledge that can make the difference between a two-hour outage and an all-day affair.
By having relationships like this ready to go, you're far more likely to get a positive response on the day you need them, rather than an unhelpful: "sorry, we're all busy today".
Make a plan
During any incident, the last thing you need to be doing is thinking about what you should be doing.
It's far better to sit down with stakeholders during normal operation and calmly prepare your response to a set of incident criteria.
A Forensic Readiness Plan should integrate well with any incident response plans that you have. It means that you have everything in place to ensure that logs are being generated, audit trails are created and exceptions to standard processes are noted. All of these things will help you not only to investigate and recover from an incident, but also to ensure that you're compliant with regulatory requirements governing risk.
Test your plan
It's fair to say that most organisations that create an incident response and forensic readiness plan will smile broadly at the fact, pop it on a shelf and promptly forget about it until sometime later when it's desperately needed.
By this time, new systems have been implemented and the plan doesn't work, because it's out of date.
It's important to test the plan that you make - possibly in conjunction with Disaster Recovery exercises. If your staff don't know what steps to take, then it's unfair to hold them responsible for not following the plan when it's needed.
Stick to the plan
When systems fail or your network has been breached, it's very easy, with the pressure of people looking to you for a solution, to abandon the carefully orchestrated steps laid out in the plan because they look like they will take too long.
It's easy, even understandable, that you might decide to put the plan to one side and play it by ear. Occasionally this works. Usually it makes a bad situation worse.
By ensuring that your plan has executive sign-off, the plan becomes your insurance policy when things go into meltdown. The board cannot criticise you too strongly for following the plan they signed off - but if you fail to follow it and things don't work out, then you are truly on your own.
How can we help?
We've been working in the area of Incident Response and Forensic Readiness Planning for more than ten years. We can help you assess the risks you face, implement and document the controls required to mitigate those risks and help you prepare a robust Forensic Readiness Plan that will ensure you have all of the bases covered - before you need it.
We can help you test it and if the worst happens, we can be there to help you when you need to implement it.
Call us now on 020-8166-0059 or send us an email and we'll call you straight back to discuss how we can help.