Incident Response Communications – Have You Got It Covered?

Incident response communications are something that is often overlooked. Organisations already rely on sophisticated, integrated platforms such as Microsoft 365 with Teams, VOIP-based telephone systems etc., which have become transparent to the users and are taken for granted.

This is a follow-up article to It’s Tuesday and I think I have a computer virus….

Incident Response Communications

On Tuesday, due to prevailing circumstances, I ran an unannounced incident response training session – that story is here. One of the reasons I chose to do the training that day was that I knew the communications with our team would be difficult. The CEO was in Spain, two more team members were in a car on the way to Liverpool, and as part of my incident response training scenario I was going to take Microsoft 365 and Teams out of the equation.

Microsoft 365 Email and Teams as a Target

These systems are targets for threat actors: a single set of compromised credentials will let them in, and once in they can eavesdrop on and disrupt your communications. So you need a plan. One upside is that if the vendors of your normal communications channels have issues, you will have an alternative in your pocket.

Have you got an incident response communications plan?

Things we have in place…

  • We have sophisticated protection for the Microsoft global administrator accounts.
  • We operate a domain independent of our regular hosting platform. Its primary use is to host our Incident Response Status Page. It is simple: updates can be posted by our incident response communications officer during an incident from their phone. You can view it here:

Octagon Technology Ltd – Incident Response Status

  • We all know to use text messaging and calls.

The highlights of the incident response communications “hiccups” from the training

The headline was that we dealt securely with the incident scenario. But every plan can stand some tweaking.

  • The communications to Spain were not as simple as we had hoped. The team members with iPhones, who use FaceTime, had no problems, but the two team members on Android phones had some issues. (And yes, the Android devices are managed and kept secure.) We will be exploring some alternatives that cover both platforms.
  • We discovered a loophole with issuing new Microsoft 365 passwords. We will be introducing code word clearance as a solution – this is something I will also be introducing to our cyber security clients.

There were two further things but to share those would compromise our security… However, where these issues impact our cyber security clients, I will be sharing with them…

What’s Next?

So far only Martin and myself have discussed the training – the full debrief and incident response plan update is planned for next week. Plus, Martin is going to write up his experiences of the training – so watch this space.

And what should you be doing next?

Testing your incident response plan.

You do have one, don’t you?


Clive Catton MSc (Cyber Security) – by-line and other articles

Further Reading

Ransomware – A Primer

Where do you keep that Incident Response Plan?

Featured image by Atul Choudhary

In text image by Alex Andrews