An incident response plan typically involves some well-known steps. These generally require understanding what has happened, containing the incident and ensuring that communication plans are sound.
According to most best practice guides, there is a strong focus on the final point of “post-incident activity, analysis and improvement plans”.
The number of incidents continues to increase, however, with Check Point reporting that the average number of cyber attacks per organisation has reached 1,925 per week. While not every incident can be investigated, there is a need to respond faster and faster, and if the attack is affecting services, the victim needs to get back online – and ahead of the news cycle – as quickly as possible.
The human factor
Is there something missing here, though? As the focus is on the processes and technology, is the human factor being missed? What about the people who are involved and under pressure to get services back online, and work against the clock – are they taken into consideration?
It may be the case that this is what those who work in incident response are trained to do – their skills are in detection, remediation and/or containment, and they are simply doing their job – but a mental strain can exist in all pressured scenarios. However, a new framework, shared exclusively with Computer Weekly, has been introduced to better enable teamwork in cyber security incident response scenarios by drawing on four primary areas:
Collaboration: The effectiveness of team interactions.
Resilience: The ability to navigate disruptive events.
Evaluation: Competence in decision-making.
Workflow: The efficacy of team and task coordination.
Produced by RangeForce and MindScience, the Crew framework is described as “an attempt to redress this balance by bringing structure, clarity and measurement to the soft skills used in incident response”.
The idea is to highlight the four core competencies listed above, along with 12 contributing behaviours it deems to be necessary in a high-performing defensive cyber team.
The Crew framework identifies the competencies and behaviours required of an incident response team
Rebecca McKeown, founder of MindScience, says there is plenty of focus on technical skills in live instances and tabletop exercises, “but nobody ever really bothers talking about the soft skills side of it”.
She says most teams intuitively know that soft skills and teamwork should be part of the exercise, but they haven’t taken that thought any further. “Who actually knows what skills your teams have? Where is your strength? Where are your weaknesses? How do you measure it? How do you make decisions based on all of that?”
Anthony D’Alton, senior director of product marketing at RangeForce, says Crew intends to enable a security operations centre manager to evaluate who on a team can do what, who needs support, and who should be brought into play at certain stages. “I think there is a massive need for it. It’s not because of fear, uncertainty and doubt, I just don’t think anyone’s really put a finger on it before,” he says.
Standard of skills
D’Alton says the concept of Crew is to help teams understand what standard of soft skills they have, and then help them figure out what they need to do to improve. He explains that the likes of Mitre and Sans provide frameworks for technical skills, whilst Crew is doing the same for soft skills.
McKeown says if you’re able to use the Crew framework to measure your team’s efficiency, you’ll try it once, find it a bit odd, then try it again and the actions will start to become automatic. “So you’ve got that increase in the efficiency and effectiveness of the way you work as a team,” she says.
“The other difficulty with soft skills is that you’ve got to start using them to be able to progress. You can’t just go in, take a test, and then [expect to] be instantly better, because it’s a knowledge thing,” she says.
“It’s about how it works in practice. Even just highlighting the fact that you’ve got a team that’s really, really good at passing around details, they’ve got lots of situation awareness, but they might all actually think, ‘We don’t like making decisions without full information. We’re not very adaptable. We can’t be very creative and think about what to do with this information.’ Then that funnels down on where your skills gap is, and you can go away and remediate.”
The glue of the team
Also, an incident response scenario – be it a live instance or a rehearsal – is something you do as a team, and RangeForce says Crew is intended to be the “glue that holds all of the individual skills together”. Incident response is a team effort, so you need to exercise as a team rather than focusing on the individual and the individual’s technical skills.
McKeown says that when a team is working well, everything just runs smoothly, but when it’s not working well, “things are just a nightmare for everybody”.
She believes that creating a “muscle memory” from rehearsal and knowing where the best soft skills lie when a real problem hits “takes away an awful lot of the friction, things that cause you stress and the things that make you have a less effective response because you already know who thinks what, what their way of thinking is, and who makes decisions quickly”.
Benchmarking against Crew will help determine who needs more information and who’s good at conflict resolution. “It’s all of those things that we know happen, but we don’t necessarily take much notice of,” she says.
Adapting to different problems
The consideration of these soft skills also needs to appreciate the stress that the incident response team may be working under. For example, do you immediately close down and isolate the incident, and do you make external announcements on a rolling basis, or as a final announcement once the incident is over?
McKeown says: “It’s about being able to adapt to be able to deal with all of those different problems, and all of those different people, and communicate it in a way that they understand.”
In D’Alton’s experience, CISOs always say that communication is the most important thing in incident response – specifically communicating how tasks are allocated. He says that all too often, “people just disappear off quietly into silos and try to solve problems” and that fragmented strategy goes nowhere near solving the incident as it’s occurring.
Why now?
So, why are soft skills being considered now? Yes, this is a pressured situation, and people working in these environments know that they need to act fast, and with the correct information, and may find colleagues who are not so comfortable with that.
D’Alton says that up to now, soft skills have just been an ethereal thing that people know exist, but it hasn’t been written down and structured somewhere. “Without having it captured and having each soft skill that you should be looking out for named, and put in a table, and giving you some guidance on what good looks like and what bad looks like, people just call them soft skills and paint them all with the same brush,” he says.
The intention of the Crew framework is to identify where soft skills are missing and how to measure the strength of a team
Ultimately, soft skills have often paled into insignificance compared with technical skills, as the industry’s focus is on what can be done, while human capabilities and their shortcomings have not been discussed. But this is changing, and the intention of the framework is to identify where skills are missing and how to measure the strength of a team.
Crew is far from the first guidance on how to deal with people involved in this scenario. ISO 22361:2022 offers guidelines on security and resilience and crisis management, for example.
So, how important are exercises to learn about teamwork? Speaking to Computer Weekly, Robert Hannigan, former director of GCHQ and now head of international business at BlueVoyant, says every company should be doing regular exercises, “which should involve all the key players” and ideally at least one member of the board.
“It’s very important to exercise because you don’t want people in the room for the first time after an incident. You want them to be familiar with each other, and what their role is, otherwise you get all sorts of disastrous consequences,” he says.
Hannigan admits that no exercise is going to be exactly like the real thing, but that doesn’t mean they’re not worth doing. “It’s about doubly planning for process, and the muscle memory and the knowledge, so that when it does happen, you can adapt.”
What we know now is that soft skills do matter. Regardless of training and muscle memory, incident response teams are humans and operate differently in this stressful environment. Being able to track and monitor those who thrive and those who need more coaching is an added bonus, and with better preparation comes better appreciation of how people operate.