Building an effective Cyber Security Response team
Karthikeyan Dhayalan
Cybersecurity Practitioner | Passionate Educator | Proud Indian
There are numerous articles and guides on setting up a Cyber Security Response Team. Still, many professionals I meet are not clear on an appropriate model or approach for setting up and maturing the team. The reason, I believe, is that the process lacks a familiar reference point that people can relate it to.
When we start something new, we always look for something similar to compare it with, so that we can judge our approach and our progress. In building cyber response teams, we lack such comparisons that we can use to structure the process and to measure how far we have come.
A football (soccer) fanatic myself, I firmly believe there is a very good parallel between a football team and a cyber response team.
I may sound crazy to you; read through to understand my thoughts!
We will start with the team formation.
A football team needs 11 players. You can't field a team full of goalkeepers, nor a team made up only of strikers. It requires specialists in different positions. The same applies to building a cyber response team: you need malware analysts, threat researchers, security analysts, technical writers, network specialists, system specialists and so on.
Let's look at the different specialist positions in a football team and their counterparts in a cyber response team.
Positions:
1. Strikers – They raid the opposition's half and try to score goals. They are skilful at penetrating the opposition defence. In times of heavy pressure from the opposition they fall back and support the defenders. During practice sessions they play a key role in testing their own team's defences by simulating opposition raids, identifying weaknesses and helping build a strong defensive posture.
This is similar to cyber threat researchers, who scour the dark web, hunt for threats that may impact the organisation and feed valuable pre-emptive intelligence to the cyber defence teams. They also perform red team activities, simulating cyber-attacks and evaluating response strategies, thereby helping improve the organisation's defensive posture.
Threat researchers should be agile, quick and ready to spot indicators. Their success can be measured by the amount of actionable intelligence they generate, meaning intelligence the defence can actually act on, rather than by raw volume. It is akin to the number of goals scored by the strikers.
2. Defenders – They have to ensure the opposition strikers do not penetrate their defence. They mark the opposition strikers, cover the goalkeeper, feed the midfielders and at times push forward to support their own strikers. They have to be strong, responsive, tireless runners and, more importantly, work as a team in defending the goal.
Cyber defence specialists play exactly this role in cyberspace. They are responsible for managing intrusion prevention, extrusion prevention (controls on outbound data leaving the network), EDR and the other tools necessary to protect the environment from active threats. They are constantly fed analysis reports and intelligence from the security analysts and threat researchers. They also act as cyber incident responders and carry out forensic investigations. They are the heavy lifters of the team, responsible for the bulk of the operational tasks.
3. Midfielders – While the other roles are important, the midfielders are the lifeline of the team. They control the tempo of the game. They are the unsung heroes who create goal-scoring options for the strikers and support the defenders during opposition attacks.
These are the cyber security analysts, who typically staff the security intelligence/operations centre. They take in intelligence feeds from the threat researchers and events from security and other IT devices, then parse, normalise and correlate them to identify specific indicators that can be passed to the cyber defence/incident response team for action. Their effectiveness is measured by the number of actionable events they pass on, not by the raw number of alerts, and false positives count against them.
4. Goalkeeper – The last line of defence. A football team cannot take the field without a goalkeeper; it is the one position that is indispensable.
In cyber security terms, these are the employees: the last line of defence. Goalkeepers undergo additional training to thwart any goal-scoring attempt by the opposition. Similarly, your employees need sufficient training, awareness and education on their responsibilities in protecting the organisation's assets.
5. Captain – The captain may be anyone from the above group; he is the one who shepherds the team on the field. He is the leader the team looks to for support, direction and motivation, and he works to build momentum in the game.
This is akin to the IR team lead. He directs the actions on the ground, plays to the strengths of his team, motivates and pushes the team to perform, defends the team during difficult times and leads from the front.
6. Coach – The person who most defines the team's success. He builds, moulds and trains the team, gives players opportunities, decides who plays on a particular day, constantly evaluates the team's performance and each player's strengths and weaknesses, and, more importantly, monitors the captain in his leadership role. He liaises with senior management on strategic plans for the team and on recruiting new members. He is the one who takes the ULTIMATE RESPONSIBILITY for the team's success or failure.
This is the role of the cyber response leader, a senior leader who is accountable for building a robust cyber response team. He is responsible for choosing the composition and structure of the team and for deciding on goals, training, KPIs and KRIs. He is the point of contact for executive management.
7. Management – The owners of the club. They are the stakeholders of the team: they decide which league the team plays in, set the budget, and handle marketing, promotion and so on. They choose the coach and depend on him to build a strong, competitive team that can win the league it plays in.
In the cyber world these are the CxOs and business leaders, who play a key role in setting the strategy for an effective cyber response team. They have a vested interest in its success. They constantly evaluate the team's performance and receive reports on the company's cyber incident readiness.
8. Supporters/Spectators – The only reason the team plays competitive games is for the spectators to watch, enjoy and appreciate the game (not to mention the revenue). They are the foundational reason the leagues exist and the teams play. If a team fails to play to its potential and keeps losing, the spectators lose interest and stop turning up for matches. That means lost sponsorship deals and lost revenue, and may even result in the closure of the club.
Similarly, in the cyber world these are the company's investors and customers, who expect their investment to pay off. A spectacular breach or incident damages the company's reputation and erodes investor and customer confidence. There have been cases where companies have closed because of such incidents.
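The midfielder paragraph above describes a pipeline: take in intelligence from the researchers and events from many devices, parse and normalise them into one shape, correlate against the indicators, and hand the defence team only the hits worth acting on. As an added example that is not part of the original article, here is a minimal version of that pipeline in Python. The intelligence feed and its field names, the log lines from the firewall, proxy and EDR, the allow-listed scanner host and the alert schema are all constructed for illustration; no real product's log format or IOC format is assumed.

```python
import json
from collections import OrderedDict

# Constructed sample data: a small intelligence feed of the kind the threat
# researchers ("strikers") hand over. Values and the feed's shape are assumed.
DROPPER_SHA256 = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
INTEL_FEED = [
    {"type": "ip",     "value": "203.0.113.45",           "context": "C2 node"},
    {"type": "domain", "value": "Update-CDN.example.net",  "context": "payload staging"},
    {"type": "sha256", "value": DROPPER_SHA256,            "context": "dropper"},
]

# Constructed raw events from three sources, each in its own format.
RAW_EVENTS = [
    "fw ts=2024-03-01T09:12:01Z host=ws-017 src=10.0.4.17 dst=203.0.113.45 dport=443 action=allow",
    "proxy 2024-03-01T09:12:03Z ws-017 10.0.4.17 GET update-cdn.example.net /p.bin 200",
    'edr {"ts": "2024-03-01T09:12:05Z", "host": "ws-017", "image": "p.exe", "sha256": "' + DROPPER_SHA256 + '"}',
    # repeat of the first hit: must be folded into the existing alert, not become a second one
    "fw ts=2024-03-01T09:12:10Z host=ws-017 src=10.0.4.17 dst=203.0.113.45 dport=443 action=allow",
    # benign traffic: no match
    "fw ts=2024-03-01T09:13:00Z host=ws-020 src=10.0.4.20 dst=198.51.100.7 dport=443 action=allow",
    # authorised scanner probing the bad domain on purpose: a known false positive
    "proxy 2024-03-01T09:14:00Z scan-01 10.0.9.9 GET update-cdn.example.net / 404",
    # a source nobody has written a parser for yet: must be counted, not crash the run
    "vpn user=bob action=login",
]

# Assumed allow-list of hosts whose hits are expected (scanners, sandboxes).
SUPPRESSED_HOSTS = {"scan-01"}

# --- parse: one small parser per source, all emitting the same schema ---
def _event(ts, host, source, ip=None, domain=None, sha256=None):
    # Normalise case here so the correlation step never has to care about it.
    return {"ts": ts, "host": host, "source": source, "ip": ip,
            "domain": domain.lower() if domain else None,
            "sha256": sha256.lower() if sha256 else None}

def parse_fw(line):
    kv = dict(tok.split("=", 1) for tok in line.split()[1:])   # key=value pairs
    return _event(kv["ts"], kv["host"], "fw", ip=kv["dst"])

def parse_proxy(line):
    _, ts, host, _src, _method, domain, _path, _status = line.split()
    return _event(ts, host, "proxy", domain=domain)

def parse_edr(line):
    rec = json.loads(line.split(" ", 1)[1])                     # JSON after the source tag
    return _event(rec["ts"], rec["host"], "edr", sha256=rec["sha256"])

PARSERS = {"fw": parse_fw, "proxy": parse_proxy, "edr": parse_edr}

def normalise(line):
    """Return the event in the common schema, or None if the source is unknown."""
    parser = PARSERS.get(line.split(" ", 1)[0])
    return parser(line) if parser else None

# --- correlate: match normalised fields against the feed, de-duplicate, suppress ---
def build_index(feed):
    """Indicator lookup tables keyed by indicator type, values lower-cased."""
    index = {}
    for ioc in feed:
        index.setdefault(ioc["type"], {})[ioc["value"].lower()] = ioc
    return index

def correlate(lines, feed, suppressed=SUPPRESSED_HOSTS):
    index = build_index(feed)
    alerts = OrderedDict()   # (host, type, indicator) -> one alert, however many raw hits
    stats = {"events": 0, "unparsed": 0, "raw_matches": 0, "suppressed": 0}
    for line in lines:
        stats["events"] += 1
        ev = normalise(line)
        if ev is None:
            stats["unparsed"] += 1          # visible gap in coverage, not an error
            continue
        for field in ("ip", "domain", "sha256"):
            ioc = index.get(field, {}).get(ev[field]) if ev[field] else None
            if ioc is None:
                continue
            stats["raw_matches"] += 1
            if ev["host"] in suppressed:
                stats["suppressed"] += 1    # counted for tuning, never forwarded
                continue
            key = (ev["host"], field, ev[field])
            if key not in alerts:
                alerts[key] = {"host": ev["host"], "type": field, "indicator": ev[field],
                               "context": ioc["context"], "first_seen": ev["ts"],
                               "last_seen": ev["ts"], "count": 0, "sources": set()}
            alerts[key]["count"] += 1
            alerts[key]["last_seen"] = ev["ts"]
            alerts[key]["sources"].add(ev["source"])
    return list(alerts.values()), stats

if __name__ == "__main__":
    found, summary = correlate(RAW_EVENTS, INTEL_FEED)
    for a in found:
        print(f"{a['host']}: {a['type']} {a['indicator']} ({a['context']}) "
              f"x{a['count']} via {sorted(a['sources'])}")
    print(summary)
```

Two details here are the ones a practitioner would want from the analysts' desk: the same indicator seen repeatedly on one host is folded into a single alert with a count and time window, and hits from allow-listed hosts are counted for tuning but never forwarded. What reaches the defenders is therefore the "actionable events without false positives" figure the article proposes as the analysts' measure, while the unparsed counter makes visible the sources the centre is not yet covering.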
Let's now look at the key success factors for the team.
1. Know the league you are playing in – Understanding where you are playing is the most important criterion in deciding the kind of team you want to form. If your team is registered in the Indian Super League, you wouldn't want to spend a fortune recruiting Ronaldo or Messi.
Similarly, you should know your threat profile and then recruit specialists as appropriate. If you are not facing grave threats and your business processes are not badly impacted by cyber threats, you may not want to recruit "stars". It would be counterproductive for both sides: the company spends a fortune recruiting a star, and with fewer challenges boredom sets in, so the star soon loses interest and quits.
2. Play to your strengths – If you watch football closely, you will notice that each team has a style of play: Brazilians are known for individual brilliance, the Spanish for the one-touch game, the Germans and Dutch for long passes. They are strong in their style and usually stick to it; whenever these teams change their style of play, they invariably end up losing.
The same applies to an incident response team: once the team is set up, create a playbook and adhere to a response model that suits the team's capabilities, management's expectations and the culture of the company. This ensures that actions are consistent, results are predictable and objectives are met.
3. 80% training, 20% game – A professional footballer spends more than 80% of his professional life on the training ground and 20% or less in competitive matches. This is a critical success factor, and there are no exceptions for any player, whatever their stature: everyone trains with the team. This builds team bonding, lets individual players fine-tune their skills and gives them room to experiment to enhance their capabilities.
This is equally true of a cyber response team. Too often the team simply waits for an incident to happen. A cyber response group should have a well-oiled, year-round exercise programme, with exceptions to the schedule only when there are real incidents to handle. This pushes the team to develop its skills, identify and test new methodologies, simplify existing processes, support risk management efforts, run simulated incidents, play cyber wargames and so on.
4. You will fail at least once – Who can forget Germany's 7-1 drubbing of Brazil in the semi-finals of the 2014 World Cup? Neymar, the charismatic superstar, was injured before the match; he and the Brazilian fans could only watch in tears as their team was annihilated in its own backyard. Fast forward to the 2016 Olympic football final: Neymar stepped up to take the decisive penalty against Germany and scored, crowning Brazil the new Olympic champion.
Failure in one incident does not mean everything is lost. There will be serious ramifications depending on the type of incident, but the key in times of failure is the lessons-learned exercise: understand the root cause of the failure, take corrective action, rebuild the team's morale, rise again and succeed against newer threats.
5. Leaders take responsibility – After the semi-final debacle, the Brazil team underwent significant changes. The coach and captain resigned, and some of the senior players were dropped. Notice that it is the leaders who took responsibility and owned up to the performance. This helped the team rebuild from those bleak days and become the first team in the world to qualify for the 2018 World Cup.
More often than not, we see the junior folks being hassled for failing to handle or prevent an incident. It is the leaders who have to take responsibility: they should own the failure and take actions that benefit the team and the company in the long run. Management should hold leaders more accountable for their actions, and at the same time give them the autonomy to build the team in their own style.
Evaluate your group and see if you can map it back to a football team. If not, revisit its composition and functions to see where corrections need to be made.
Catalyst,Transformer & Teacher-preneur | Charter Member TiE(The Indus Entrepreneurs) Dubai
7 years ago: Very nicely articulated, Karthik. I enjoyed reading it & it is excellent, simple learning. Keep writing.
Supervising Associate - EY | Data Security
7 years ago: Good read, Karthik! Quite an interesting way to relate sport and technology. Speaking of which, it's been a long time since we played as a football team :-)