5 Decisions to Make Now for a Successful Cyberattack Incident Response

Picture a great fortress built into a mountain pass

Within it are some of the most advanced defensive weaponry ever devised, an armory capable of bringing even the strongest army to heel. There’s just one problem: No one has bothered to establish a clear chain of command.  

When the fortress comes under siege, the soldiers descend into chaos in moments. It doesn’t matter that they have better technology or that they know how to use it. Without leadership, they cannot mount an effective response.  

A cyberattack is an immensely stressful experience, ripe for disorganization. And although having a technical response plan is all well and good, many businesses fail to account for something equally critical. When their business is under fire, who’s responsible for pulling the trigger on response and remediation efforts?

This is the question I sought to answer in a recent episode of the Hybrid Identity Protection podcast, “Defining the Decision-Making Process for Cyberattack Incident Response,” featuring Accenture Senior Security Manager Benjamin Cauwel. Make the following five decisions now for a successful incident response in the event of a cyberattack.

1. Define a plan before you need one 

Some people are completely unflappable, the dictionary definition of grace under fire. For most of us, however, the sheer stress of a cyber incident can and will lead to mistakes. It’s better that we’re able to simply turn off our brains and follow a clear, step-by-step process.

Unsurprisingly, trying to chart that process while ransomware is rampaging through your network is a recipe for disaster.

“Just like on the technical side, you don’t start inventing this stuff when you’re under attack,” Accenture Senior Security Manager Benjamin Cauwel explains. “You have to define this when everyone is nice and calm, and it’s something everyone has to agree upon. Once everything is validated, stamped, and defined, there’s only one clear process to follow.”  

2. Establish a chain of command  

Especially in large or multinational businesses, it can be difficult to determine how the organizational structure applies during an incident. A business may consist of multiple groups, several countries, and several entities within each country. What can a business do when its headquarters is in a completely different country and time zone from a segment that’s under threat?  

When defining this chain, you must account for factors such as time zones, languages, and cybersecurity legislation because all of these will play a part in your response.  

“You have to establish a responsibility assignment matrix,” says Cauwel. “Who’s making the decisions? Who’s accountable, who’s contributing, and who’s informed?”  

“You need to define different scenarios at different levels, ranging from attacks that impact a single entity to those that impact multiple countries,” he continues. “You basically map things out depending on the type of the attack and the scope of the attack.”  

3. Maintain external lines of contact 

Most of us probably remember the October 4, 2021, outage of Facebook parent company Meta. During that incident, the company’s employees were effectively cut off from one another. All the company’s internal communication tools were reliant on the infrastructure that went down. There’s a lesson to be learned here. 

Namely, if your incident response plan requires internal communication, make sure you’ve also defined a platform you can use that’s independent of your own infrastructure.  

“I always call Active Directory tier zero or ground zero,” notes Cauwel. “It’s the base of all your infrastructure, and if that base were to come down, everything collapses with it. That includes internal communication tools. Most companies don’t consider that and just assume they’ll be able to collaborate via email and the like.”  

“During a cyberattack, you also don’t know if your communication tools are compromised,” he adds. “So even if they’re online, they might not be safe to use.”  

4. Expect plans to change 

No incident, no matter how complex, proceeds in an orderly, completely predictable fashion. Even if you’ve gamed out the best-understood or likeliest disruptions, there’s no guarantee that you won’t encounter something unexpected. In this scenario, whoever’s at the top of the chain of command must decide how to proceed. 

A preexisting plan provides an invaluable framework for that decision.  

“On the technical side, you need to have listed business impacts for each remediation action,” says Cauwel. “That way if an organization needs to adjust its response, the person responsible for making that decision can be given a clear idea of their options, as well as the pros and cons of each. They know their choices, but which one they choose to act on is ultimately up to them.”  

5. Understand that “no decision” is a decision 

“Some people don’t want to be decision-makers,” Cauwel explains. “They don’t want to be accountable for anything. Even if you explain everything to them and they fully understand what you’ve described, they still refuse to act.”  

But as the old maxim goes, refusing to act is still a decision. It’s one that wastes both time and money and leaves your organization potentially unprepared to respond to a cyber incident.  

“It’s the worst behavior possible,” Cauwel continues. “When you reach a certain level in an organization, it’s your job to be accountable. Even the best-defined emergency procedures are useless if you don’t follow them.”  

Process and technology are two sides of the same coin 

In every incident, there are two levels of response. The first level is the chain of command. An organization’s leadership must establish a RACI (responsible, accountable, consulted, informed) matrix, workflows, and collective agreement on who is responsible and accountable in any given circumstance.

The second level is the technical side. It’s guidance for IT and security teams on what actions they must take. It’s information on the available remediation methods and their impact. 

You cannot have process without technology, and vice versa. Technical measures need to be backed by processes, and processes need technical measures to enact them.

“Incident response isn’t just about technology,” Cauwel concludes. “It’s largely about human interaction. When things go wrong, both sides must be functional and thinking straight in order to remediate everything and come back to a working situation as soon as possible.”  

Want more tips on incident response planning? Check out the full podcast, as well as my other conversation with Ben: “What to Do Before, During, and After a Cyberattack with Ben Cauwel of Accenture.”

About the Author

Sean Deuby is Director of Services at Semperis. He brings 30 years’ experience in Enterprise IT and Hybrid Identity to that role. An original architect and technical leader of Intel’s Active Directory and Texas Instruments’ Windows NT network, and a 15-time MVP alumnus, Sean has been involved with Microsoft identity technology since its inception. His experience as an identity strategy consultant for many Fortune 500 companies gives him a broad perspective on the challenges of today’s identity-centered security. Sean is also an industry journalism veteran; as former technical director for Windows IT Pro, he has over 400 published articles on Active Directory, Azure Active Directory and related security, and Windows Server. He has presented sessions at multiple CIS / Identiverse conferences.