Achieving incident response maturity is critical for effective threat management
Agencies should take the principles outlined in CISA's playbooks and make them their own.
In instructing the government to make "bold changes" and "significant investments" to defend the United States, the Biden administration's recent cybersecurity Executive Order was a welcome and necessary directive. In 2021, cyber incidents in the government and military sectors rose 47% over the previous year, and they'll likely increase even more in 2022. Modernizing the government's incident response capabilities is critical.
To address this situation, CISA produced the Incident and Vulnerability Response Playbooks in November of 2021 to provide guidance for identifying, mitigating, and reporting cyber incidents and vulnerabilities. The playbooks provide a good overview and step-by-step instructions on how to respond to incidents. CISA also points to the MITRE ATT&CK framework as a valuable resource for cybersecurity teams.
The CISA playbooks are exceptional strategic roadmaps that help agencies build out their cybersecurity plans, but they don't provide guidance on which tools to use—or which to leave behind. For that, agencies need a more prescriptive approach that works in tandem with CISA's recommendations and helps create a mature incident response process.
Keys to a mature incident response system
Some agencies keep their security protocols in documents or spreadsheets, a manual process that's hard to maintain and creates challenges for information sharing. Others use different tools that are often not integrated and can present multiple points of failure, making it tough to pinpoint the cause of an incident.
Both are immature approaches to risk management—and neither are ideal. Instead, organizations should strive to mature their incident response programs by:
- Customizing CISA's incident response playbook for an agency's specific requirements
- Incorporating this guidance into a digitized, shared incident response system
- Creating automated triggers and notifications that are action oriented
- Using retrospective intelligence to learn from and prevent future cyberattacks
- Setting up technical teams for success
Bringing CISA's guidance to life
Essentially, agencies should take the principles outlined in CISA's documents and make them their own. They can do this by developing their own customized digital playbooks and placing them in a shared incident response system. Here, information can be kept secure, instantly shareable, and readily available from any device. It's a much better option than spreadsheets or written documentation that can be hard to share, easily forgotten, or even lost.
For example, CISA calls for establishing "local and cross-agency communication procedures" so everyone is kept informed, ideally in real-time, throughout the incident response process. A digital shared incident response system allows teams to easily see and understand what playbooks they're running, who is responsible for what, steps that have been taken (and still need to be completed), and more. They can communicate with one another via real-time collaboration and chat tools integrated with their toolchains, remaining well-informed throughout the entire incident response process.
CISA playbooks also outline the steps agencies should take in the event of a breach—identifying anomalous activity, root causes, and so forth. But who is responsible for these tactics? How do they know when it's their turn to act, or what their individual responsibilities are? In a digital, shared system, keywords can be used to trigger alerts that go out to each person in the response chain. For instance, the keyword "#security-critical" could set off a series of alerts to the first wave of incident response managers, telling them what to do—and when to do it.
Using retrospective intelligence to learn from and prevent future cyber attacks
Teams also have the ability to retroactively assess the success of their responses. Unlike the scrambling that takes place in a disparate, point solution-based environment, teams will have the time to carefully dissect the incident.
By reviewing timestamped activity and replaying incidents in their entirety, teams can get a better sense of what went well—and what did not. These learnings can be used to make continuous improvements to agencies' incident response initiatives. The ability and time to perform in-depth forensics will serve them well by allowing them to get ahead of future threats.
Set up technical teams for success
Implementing these recommendations can also help agencies attract, train and retain talent by giving them the tools and processes they need to succeed. Developing a shared incident response system signals the agency has taken the time to map out a strategy while supporting an integrated, intelligent approach signifies a commitment to innovation and simplicity.
All combine to make a modernized incident response environment that can help agencies keep employees happy while addressing CISA's playbooks and the Biden administration's mandate. Both are substantial steps in the right direction when it comes to cybersecurity. With the right tools and a mature process to back them up, federal agencies should be better prepared for future incidents.