Incident response plans - practice makes perfect! Takeaways from the Beltug N-sight: 11 December 2019


Security incidents and data breaches happen, despite our best efforts to prevent them. An Incident Response Plan helps ensure a smooth reaction, but what should it include, and how can you ensure it complies with the existing regulations?


In this session, we heard about two real-life cases that revealed the questions these companies considered when drafting their plans. We also received expert insight into creating a plan, and into the legal framework. Then we looked at the new technologies that will help fight the cybersecurity battles of the future.


The presentations from the N-sight are available for our members (after login).


Incident response and the three C’s


Not a flowchart, but more of a playbook: that is what Matthew Laurence, Global Incident Response Lead at F-Secure, wanted to share with the Beltug members at the start of the session.


The Verizon 2018 Data Breach Investigations Report revealed that the industry is still struggling to detect and respond to data breaches (slide 7).  This is not necessarily surprising, considering that:


  • Most organisations don’t have the resources to perform meaningful monitoring
  • Most organisations focus on the wrong things or get lost in all the noise
  • Even with an experienced threat-hunting team, attackers can still bypass or outpace it with minimal effort.


But keep in mind, Matthew emphasised, that most organisations take so long to detect attacks that the response is a post-mortem: the attacker has already compromised the network and achieved their goals.


Matthew then gave us an example, in the real-life case of one F-Secure client, which experienced an unexpected double breach (slide 11).


Culture is key, he stressed! It’s an element that is so important, yet often forgotten, within organisations when it comes to incident readiness.  Strong leadership in a crisis is paramount. Have the plans in place and practice them. In the heat of the battle or in the fog of an incident, even 10% preparation is better than none.


What can you do right now? Before implementing any detection or prevention technique, think about the specific attacker behaviour you are trying to target.  Map your attacks! Where you can detect a behaviour with high fidelity, build detection for it; otherwise, prevent it. Understand what attackers do, or have done, in order to understand how to respond.


And don't forget about VUCA (Volatility - Uncertainty - Complexity - Ambiguity): think about failure and include contingencies in your plan.


Matthew wrapped up with three key words:  


  • Collaboration: understanding how we are going to communicate
  • Context: having the right data in place and framing it properly so key people can collaborate effectively to take control
  • Control: this is about the ability to take the right action, yet is often forgotten in an incident response plan. What risk mitigation can we do, what part of the organisation can we take down to reduce our burden (temporarily)?


Each of these must be mapped in your 3 key organisational layers: people, processes and technology.


Matthew concluded with the lessons learned from his earlier real-life example (slides 25-26).


For even more background information, you can consult our Library, including the F-Secure paper 'Rethinking Response'.



The future impact of AI on cybercrime and the shift to self-learning and self-defending networks


Our next speaker was Miguel Pieters, Cyber Security Specialist at Darktrace. Today's threats are no longer about a compromised e-mail or dodgy website, he explained. The attack surface has increased in both scale and scope, with technologies like IoT, Cloud, 5G, etc.


Everyone and everything is connected; we don't only have physical devices, we also have a virtual presence.  An example: many of us have a smart watch, yet which of us has sent a heads-up to the IT team that this smartwatch might connect to the corporate environment?


Artificial Intelligence can be the solution to battle future cyber-attacks. If you want to avoid finding yourself facing a well-thought-out, speed-of-light attack, a first step is building the security team’s trust in AI, which can provide precise, highly targeted and autonomous responses to cyber-attacks. One of our partners, Securitas, partners with Darktrace; through this partnership, they reinforce the development of cyber security solutions in the field of artificial intelligence.


Miguel gave a demo of the Darktrace solution that allows for autonomous incident response, built on AI technology.  This buys the IT team time in the event of ransomware or another cyber-attack.



Case: A privacy incident - panic or control?


Then, we heard from 2 organisations about their real-life experiences with incident response planning.  Steven Verdonck, DPO at Brothers of Charity (slide 3), focussed on the privacy layer of incidents.


When talking privacy, it is important to know what exactly a privacy incident is (slides 4-6). For instance: an event only becomes an incident for the organisation once it is reported.  In this context, we need to understand why people refrain from reporting an event: lack of awareness, the inconvenience, or the potential damage to their own or their colleagues’ reputations.


Internal awareness campaigns are key to motivating people to report potential incidents.  Also, cherish your internal notifiers, be grateful for what they have to report and keep them posted on the follow-up.  Internal notification is always better than having external parties report an incident: clients, the DPA, etc.


Steven outlined 5 steps in privacy incident response planning (slides 7-22):

  • Reporting
  • Assessment of the seriousness of the situation
  • Preventing the situation from worsening
  • Recovery and remediation
  • Avoiding similar incidents in the future


In the first stage, reassure your staff that incidents will not lead to sanctions.  And keep track of all the reported incidents.


Don't gloss over your assessment step, Steven emphasised: it is important to know exactly what happened and how severe the consequences are, as well as which stakeholders are to be involved in solving the issue.


The final step is often the most important one: avoiding repetition of the incident! Analyse and install preventive measures.



Case: An Incident Response Plan based on SOAR (Security Orchestration, Automation and Response)


The Danone company is present throughout the globe, with the sole exception of Antarctica, Steven Decanniere, Risk & Compliance Manager at Danone, began.  Danone's incident response planning framework has 4 stages (the same four phases as NIST SP 800-61):


  • Preparation
  • Detection & analysis
  • Containment, eradication & recovery
  • Post-incident activity


Steven emphasised that you can prepare all the plans you want: culture will eat strategy for breakfast.  Make sure your company culture has the right mindset.


When creating playbooks for potential incidents, Steven recommends that you:

  • Identify the triggers
  • Identify the end state
  • List all possible actions
  • Categorise actions as ‘required’ or ‘optional’
  • Group actions by Incident Response phase, activity, and/or function
  • Identify actions with prerequisites or specific ordering requirements
  • Build playbooks using only ‘required’ actions
  • Modify playbooks to include ‘optional’ actions where appropriate
  • For each action, indicate who will execute, any compliance issues, or other notes as appropriate
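
The playbook-building steps above can be mechanised. The following is an added example, not Danone's or SecureLink's code: a small Python routine that takes an action catalogue (each action tagged with its phase, owner, required/optional status, prerequisites and notes), keeps only the required actions unless optional ones are requested, and orders them by phase while placing every prerequisite before the action that needs it. The phishing action names, owners and notes in the catalogue are hypothetical, constructed for the example.

```python
import heapq
from dataclasses import dataclass

# The four phases of the framework described above (labels are this example's own).
PHASES = ("preparation", "detection_analysis",
          "containment_eradication_recovery", "post_incident")


@dataclass(frozen=True)
class Action:
    name: str
    phase: str
    owner: str                 # who executes the action
    required: bool = True      # 'required' vs 'optional'
    prerequisites: tuple = ()  # action names that must complete first
    note: str = ""             # compliance issues or other notes


@dataclass(frozen=True)
class Playbook:
    trigger: str
    end_state: str
    steps: tuple               # Action objects in execution order


def build_playbook(trigger, end_state, actions, include_optional=False):
    """Select 'required' actions (plus optional ones on request) and order them.

    Ordering is by phase, with prerequisites always before the actions that
    need them.  Raises ValueError when a selected action depends on an action
    that was not selected, on one from a later phase, or on a cycle.
    """
    rank = {p: i for i, p in enumerate(PHASES)}
    selected = {a.name: a for a in actions if a.required or include_optional}

    for a in selected.values():
        if a.phase not in rank:
            raise ValueError(f"{a.name}: unknown phase {a.phase!r}")
        for p in a.prerequisites:
            if p not in selected:
                raise ValueError(f"{a.name} needs {p!r}, which is not in this playbook")
            if rank[selected[p].phase] > rank[a.phase]:
                raise ValueError(f"{a.name} needs {p!r} from a later phase")

    # Kahn's algorithm with a heap keyed on (phase, name): independent actions
    # come out in phase order, dependent ones only once their prerequisites ran.
    indegree = {n: len(a.prerequisites) for n, a in selected.items()}
    dependents = {n: [] for n in selected}
    for a in selected.values():
        for p in a.prerequisites:
            dependents[p].append(a.name)

    ready = [(rank[a.phase], n) for n, a in selected.items() if indegree[n] == 0]
    heapq.heapify(ready)
    ordered = []
    while ready:
        _, name = heapq.heappop(ready)
        ordered.append(selected[name])
        for d in dependents[name]:
            indegree[d] -= 1
            if indegree[d] == 0:
                heapq.heappush(ready, (rank[selected[d].phase], d))

    if len(ordered) != len(selected):
        raise ValueError("prerequisites form a cycle")
    return Playbook(trigger, end_state, tuple(ordered))


# Constructed phishing action catalogue; names, owners and notes are hypothetical.
PHISHING_ACTIONS = (
    Action("triage_reported_mail", "detection_analysis", "SOC analyst"),
    Action("extract_indicators", "detection_analysis", "SOC analyst",
           prerequisites=("triage_reported_mail",)),
    Action("block_sender_at_gateway", "containment_eradication_recovery", "mail admin",
           prerequisites=("extract_indicators",)),
    Action("purge_similar_mails", "containment_eradication_recovery", "mail admin",
           prerequisites=("extract_indicators",)),
    Action("reset_credentials_if_submitted", "containment_eradication_recovery", "IAM team",
           required=False, prerequisites=("triage_reported_mail",),
           note="only when the user entered credentials on the phishing page"),
    Action("notify_dpo", "containment_eradication_recovery", "CISO",
           required=False, note="needed if personal data may be affected (GDPR)"),
    Action("close_ticket_and_feedback_to_reporter", "post_incident", "SOC analyst",
           prerequisites=("purge_similar_mails",)),
)


def phishing_playbook(include_optional=False):
    return build_playbook(
        trigger="a user reports a suspicious mail via the phishing button",
        end_state="no copy of the mail remains in any mailbox and the sender is blocked",
        actions=PHISHING_ACTIONS, include_optional=include_optional)


if __name__ == "__main__":
    for step in phishing_playbook(include_optional=True).steps:
        print(f"[{step.phase}] {step.name:<40} owner={step.owner}  {step.note}")
```

The 'required only' playbook is built first, exactly as the list above recommends, and optional actions are merged in afterwards; the validation step catches the common mistake of a required action that silently depends on an optional one, which would otherwise leave a gap in the required path.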


After walking us through Danone’s phishing playbooks, Steven shared his lessons learned:

  • Detection is difficult
  • Response involves too much manual work
  • The lead time between detection and response is high
  • There is a backlog of open incidents
  • When data is lacking, interpretation falls to an analyst


To improve the situation, Danone worked with SecureLink to further enhance phishing resilience and set up a proof of concept for SOAR (Security Orchestration, Automation and Response).


After a preparation and analysis phase, response automation now protects the mail environment: similar fraudulent emails are blocked at the gateway and removed automatically (without human intervention) from all mailboxes.
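
To make the "block at the gateway and purge from all mailboxes" step concrete, here is an added example in Python; it is not Danone's or SecureLink's implementation. It extracts indicators (sender address, URLs, attachment hashes, a subject fingerprint) from one reported mail, scans the other mailboxes for copies that share an indicator, and returns a gateway block list plus a per-mailbox purge list. It also applies the high-fidelity rule from Matthew's talk: copies that share a strong indicator are purged automatically, while a subject-only match is only queued for an analyst. The mails, mailboxes, addresses and domains are constructed for the example; a real deployment would call the gateway and mailbox APIs instead of returning a plan.

```python
import hashlib
import re
from email import message_from_string, policy
from email.utils import parseaddr

URL_RE = re.compile(r'''https?://[^\s<>"']+''')
STRONG = ("sender", "urls", "attachments")  # high-fidelity: safe to act on automatically


def indicators(raw_mail):
    """Extract matching indicators from one RFC 5322 message given as a str."""
    msg = message_from_string(raw_mail, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    urls, attachments = set(), set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.add(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_maintype() == "text":
            # Lower-cased and stripped of trailing punctuation for matching purposes.
            urls.update(u.rstrip(".,;)").lower() for u in URL_RE.findall(part.get_content()))
    return {
        "message_id": str(msg.get("Message-ID", "")).strip(),
        "sender": sender,
        "urls": frozenset(urls),
        "attachments": frozenset(attachments),
        # Letters only, so minor variations of the same subject still match.
        "subject_fp": re.sub(r"[^a-z]", "", str(msg.get("Subject", "")).lower()),
    }


def shared_indicators(ref, cand):
    """Names of the indicators a candidate mail shares with the reported one."""
    reasons = []
    if cand["sender"] and cand["sender"] == ref["sender"]:
        reasons.append("sender")
    if cand["urls"] & ref["urls"]:
        reasons.append("urls")
    if cand["attachments"] & ref["attachments"]:
        reasons.append("attachments")
    if cand["subject_fp"] and cand["subject_fp"] == ref["subject_fp"]:
        reasons.append("subject")  # weak: legitimate mail reuses subjects too
    return reasons


def plan_response(reported_raw, mailboxes):
    """Turn one reported mail into a gateway block list and per-mailbox purge list.

    mailboxes maps a mailbox name to its raw messages.  Copies sharing a strong
    indicator are purged without human intervention; a subject-only match is
    queued for analyst review instead of being deleted automatically.
    """
    ref = indicators(reported_raw)
    plan = {
        "block_senders": {ref["sender"]} if ref["sender"] else set(),
        "block_urls": set(ref["urls"]),
        "purge": {},   # mailbox -> [message_id, ...]
        "review": {},  # mailbox -> [(message_id, [reason, ...]), ...]
    }
    for mailbox, mails in mailboxes.items():
        for raw in mails:
            cand = indicators(raw)
            reasons = shared_indicators(ref, cand)
            if not reasons:
                continue
            if any(r in STRONG for r in reasons):
                plan["purge"].setdefault(mailbox, []).append(cand["message_id"])
            else:
                plan["review"].setdefault(mailbox, []).append((cand["message_id"], reasons))
    return plan


# Constructed sample mails; every address and domain below is fictitious.
REPORTED = """\
From: "Payroll Team" <payroll@hr-portal-update.example>
Subject: Action required: confirm your December bonus
Message-ID: <p1@attacker.example>

Confirm here before Friday: http://hr-portal-update.example/login
"""
CAMPAIGN_COPY = """\
From: "HR" <noreply@hr-portal-update.example>
Subject: Bonus confirmation
Message-ID: <p2@attacker.example>

Please visit http://HR-portal-update.example/login today.
"""
LEGIT_HR = """\
From: hr@corp.example
Subject: Action required: confirm your December bonus
Message-ID: <hr7@corp.example>

Bonus letters are on the intranet: https://intranet.corp.example/bonus
"""
UNRELATED = """\
From: dave@corp.example
Subject: Lunch on Friday?
Message-ID: <d3@corp.example>

Same place as usual?
"""
MAILBOXES = {
    "alice@corp.example": [REPORTED],
    "bob@corp.example": [CAMPAIGN_COPY, LEGIT_HR],
    "carol@corp.example": [UNRELATED],
}

if __name__ == "__main__":
    import json
    print(json.dumps(plan_response(REPORTED, MAILBOXES), indent=2, default=sorted))
```

Bob's copy of the campaign uses a different sender and wording but the same phishing URL, so it is purged on the URL indicator alone; the genuine HR mail that happens to share the subject line is left in place and surfaced for review, which is the difference between a rule you can safely automate and one you can only alert on.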


Danone's observations following the proof of concept include:

  • Training and simulation give insight into user maturity
  • The phishing button simplifies user reporting
  • Improved detection of phishing enhances speed and quality
  • Time between detection and response is dramatically reduced
  • Harvested data can be used for the automation (SOAR)


This is only the start of the automation journey.  Several next steps are in the pipeline, including determining the need for an update of the strategy and/or an integrated platform.


Further information


If you need to report an incident, have a look at this page from the Center for Cybersecurity Belgium.  Beltug continues to confer with the CCB on how to increase awareness and remove barriers for our members.


Beltug also collaborates with the Cyber Security Coalition, which had already published an Incident Management Guide in 2016, with relevant and practical information on how to prepare, detect and solve these incidents within your organisation.