Rapid response to IT or security incidents, like a muscle, flexes and strengthens over time.
On a Saturday morning, Dec. 12, 2020, SolarWinds VP of Security Tim Brown got a call from then CEO Kevin Thompson. Cybersecurity provider FireEye had just put out some information they needed to take a look at.
"Normally what happens is when we get an issue you have to take time to discover whether it's real," said Brown, who added CISO to his title this year. "I got on the phone with the CTO for FireEye, and basically they gave enough information for us to determine it was real very quickly."
What had just transpired was a global intrusion campaign, which took hold of SolarWinds' Orion business software updates and used it to ship a malware strain called SUNBURST in a massive supply chain cyberattack. From then on, it was all hands on deck.
A week of "20-hour days" followed, as the organization had to assess and try to mitigate the effects of a cyberattack with wide-ranging implications, from an engineering, IT and communications standpoint.
Preparation is key for businesses wanting to build rapid IT response capabilities, according to executives and analysts. Companies must battle through costly cyberattacks, provider outages and internet woes, setting up teams to quickly manage through tech issues can be a major upside for organizations, and ultimately help with business continuity.
The best defense to IT troubles is a good offense, said Brady Brim-DeForest, CEO of Theorem.
"The most important thing that an IT organization can do, or that a rapid response team can do, is to ensure the right level of advanced preparation," said Brim-DeForest. For cybersecurity preparation, a red team attack simulation "on a completely need-to-know basis," will help businesses assess their ability to quickly recover.
According to Brim-DeForest, the benefits of red team exercises to the tech organization include:
Increases situational awareness
Focuses on a culture of advanced mitigation
Allows the organization identify the biggest potential stumbling blocks
For Brown, what helped SolarWinds navigate an attack of this scale was having previously established roles, leaders and a plan in place. "It really allowed us to move quickly, each [team] having kind of a separate focus," he said.
Training for speed
As ransomware attacks become more sophisticated, rapid response teams are becoming more critical. Data shows attackers are able to surpass perimeter defenses in about half of ransomware attacks.
Timing is crucial during an attack, according to Zarmeena Waseem, director of cybersecurity education at the National Cyber Security Alliance.
"If you've ever been a support professional, which I have, and you've managed outages and things of that nature, you have to know that timing is everything, and you have to work quickly and efficiently," said Waseem. Every minute a system stays compromised could mean more damage to a company's assets, data and reputation.
Think of a "call list" as a basic element of response, said Brown. Having emergency contact information and having preparedness to get everyone together in a war room can give a business the chance to efficiently make urgent decisions.
The urgency of reacting to cyberattacks cannot be overstated. Gartner projects that by 2025 threat actors will have compromised operational technology to the point of being able to injure or kill people.
Preparedness means teams can trust muscle memory, so that "when something goes wrong, you're not scrambling and flipping through binders; you actually know exactly what to do," Wasee said.
In a moment of crisis and pressed by urgency, it's easy for tech response teams to overlook the basics.
"That's everything from what to do from a user provisioning and permission perspective, to network isolation and segmentation so that you can contain an attack in a certain segment of your network," said Brim-DeForest.
Companies aiming to increase their speed can also take a scaling approach, or learn from smaller incidents to model how to act when a more complex problem arises.
A lost laptop or an inadvertent data leak can be an exercise that helps build muscle memory and creates structure for larger problems, said Brown. "In these types of incidents where everything is going a little bit crazy, that structure really helps you define what needs to get done."