Four soft skills critical in Incident Response

Being a Range Master here, I’ve probably seen more teams react to breaches than even the most weathered cybersecurity practitioner. 

Over the years, it has become clear to me that two factors heavily influence the success of incident response.  

First is the ability of individuals to use tools in anger. This is not quite as clear-cut as it may sound. Using security tools is a learned skill, but add a ticking clock, an evasive adversary and the glare of a senior stakeholder, and I have seen even the most experienced freeze.

Second is teamwork. Better soft skills act as a force multiplier for defensive teams, improving the response not just to one incident but to all of them.

Security leaders recognise this but, lacking a way to structure and develop teamwork, often don't understand the specifics. For this reason, I thought it useful to break down some of the common soft skills at play in an incident:

  • Leadership. Without a leader, response quickly loses focus. Lacking clear direction, it's not uncommon to see whole groups disappearing for long periods of time to work on completely the wrong areas. The same can be said of individuals. Occasionally, we will see one team member try to do everything by themselves. Naturally, this lengthens processes and tasks and, ultimately, prolongs detection and response times.

We call this ‘rabbit-holing.’ Threat actors even use this to their advantage - misdirecting groupthink with false flags.

Clear leadership negates all this with focus, structure and direction. It dissolves silos to prevent rabbit-holes, and tasks can be prioritized and delegated to the team member with the most appropriate skill set.

  • Communication. Poor communication typically has two impacts. First, a lack of talking, or typing, sees the dreaded rabbit holes creep back in as individuals go off-grid and act alone. Second, the whole point of having a team responding is being able to draw on a diverse range of skills, experiences and opinions. Without communication, this is lost. Your response is limited and problem solving is strangled. 

Good communication has outcomes for both incident response teams and the wider business. For those on the front-line, it removes duplication of effort by providing clarity, unlocks a diversity of skills to aid problem-solving and breathes leadership into a crisis. For the business, it ensures clear updates for senior stakeholders and removes unwanted interference in an already highly pressured situation. 

  • Delegation. Delegation has an unhealthy ‘passing the buck’ reputation. However, in an attack, knowing who to delegate tasks to, and when, is vital to ensuring progress.

Too often we see individuals trying to do everything themselves, despite either already being swamped or not having the skills to complete the task as well as another person. One particular exercise springs to mind where a team member was trying to de-obfuscate a malicious script for quite some time. When they finally admitted to being stuck, another individual, with no previous visibility of the threat, was able to complete the task very quickly. Knowing when you need help is a strength.

  • Prioritization. This is another big one. Poor prioritization can have a big impact on how an incident develops. 

In our exercises, users have to detect, disrupt and defend against an attack - yet it always amazes me how often teams over-weight the detection phase. For example, when a team finds an actionable IoC, they should take swift action to disrupt this specific threat. Despite this, more often than not, they find and log the threat - but then continue to investigate other IoCs, rather than dealing with the immediate risk. A quick reminder of the priorities here could stop a known threat from spreading.

In summary 

This is just a brief sojourn into the fascinating world of soft skills in incident response. There are so many more to be aware of, but, get them right, and your whole response is uplifted. 

Building soft skills requires regular exercising, something time- and resource-constrained defensive team leaders have previously struggled to deliver. If this is you, we can help. Qualifying organizations can even get a free exercise here.

Maybe I'll see you in the range.  
