Incident Response Planning

Something can and will go wrong.

At Ravinn we talk about Cyber Resilience above Cyber Security. Why? Because security can be a misleading term. It implies you are ‘secure’; the job is done, you have your controls in place, you have tools and even policies, but it is a single point-in-time mentality and forgets that the enemy has a vote. Thinking that you are secure is a bit of a Maginot Line – the threat will adapt and they will go around.

Cyber Resilience is a way of thinking that accepts this. Preparation is still key – you need the right balance of people, process and technology appropriate to your threat profile and organisational objectives – but, importantly, you also accept that the environment will keep changing, and so you make sure you are prepared for cyber-attacks and even breaches.

That’s why Incident Response Planning (IRP) and preparation are an essential component of any effective cyber resilience strategy. With the mentality that something can and will go wrong, having a validated plan in place for when this happens will give you a critical advantage in handling the situation.

Preparing for incidents to keep Australian skies safe

Working with our partners on a program of work to upgrade the security operations of a major airline, Ravinn’s expertise in Incident Response was called upon to deliver an Incident Response Plan and supporting scenario-specific playbooks, and then to test this all with a wargaming exercise.

Integrated Incident Response – no one size fits all

An airline is a key part of Australian Critical National Infrastructure, with multiple functional business areas from ground operations, maintenance, ticketing and loyalty to the aircraft and flight operations itself. When things go wrong with an airline, they can go really wrong. It is a great example of why Incident Response planning is not a one-size-fits-all activity.

Information Security is just one component of the organisation’s risk profile and, as such, Incident Response for Information Security has to be integrated with the wider organisational crisis management and emergency response policies, processes and procedures. Ravinn worked closely with the airline’s security operations team to understand the organisation and iteratively develop an Information Security IRP (aligned to the NIST standard) that integrated with the wider organisational plans and processes, considering communications, roles and responsibilities, escalation protocols, support requirements and notification obligations.

What happens when…

An IRP could be considered the ‘what’ to do when an incident occurs, but for specific (and predictable) scenarios you can look further at ‘how’ you will enact the response. This is where scenario-specific Playbooks come in.

A Playbook is useful in a situation where the pressure is up; a cyber incident may have been detected and you’ve commenced your Incident Response process, but there’s lots of noise – employees want to know why they can’t access email, passengers want to know why they can’t see the flight details on the screens, dispatch can’t get flight manifests, so aircraft can’t take off and the CEO wants to know why the organisation is being mentioned on the news as a ‘victim of an ongoing cyber attack’…

When the situation is tense and there’s noise, bustle and a hint of panic, a playbook is a handy tool to reach for: it provides pre-planned, well-considered steps for the situation you are facing. It cannot remove the need to think on the spot entirely (each situation will be different), but it should ease the pressure, provide a guideline of actions to take and questions to ask, remind everyone who is responsible for what, and enable an efficient response.

For the airline in question, Ravinn developed playbooks for the most likely and most dangerous scenarios, including:

  • Data breach
  • Ransomware
  • Insider threat
  • Business email compromise
  • Denial of service attacks
  • Social media compromises
  • Website defacement

Making sure it works

‘No plan survives contact with the enemy’ is a famous military saying, and it is always a fair point. First of all, plans and playbooks need to be understood by all those involved, and in almost all cases everyone in an organisation will have some form of responsibility when it comes to responding to cyber threats. Plans and playbooks also need to be tested so you can find gaps, resolve practical issues and continually improve them.

Ravinn put our military experience to great use by helping to develop, and then deliver, a wargaming activity to test the airline’s IRP and playbooks. With stakeholders from across the organisation, role players to represent the threat actor and the Security Operations team at its heart, multiple cyber attack scenarios were presented to the collective. This enabled them to step through the IRP and, once the situation was understood, the playbooks, to see if they could collectively respond to the situation. With Red Moves (what the threat actor does) followed by Blue Responses (what the good guys do), those involved greatly increased their understanding of how a response to a cyber attack would be coordinated, their part to play in it and the challenges that could be faced in doing so.

From this base, further improvement could be made, not just to the Information Security IRP, but to wider organisational crisis management and business continuity processes. Staff gained practice and familiarity with the process; and importantly, the IRP and playbooks were validated as useful and effective tools for responding to cyber incidents.

Read the full airline case study here.

Work with Ravinn on your incident response

At Ravinn, we are proud of our military heritage and it just so happens that this gives us a major advantage in working with organisations on their Incident Response Planning, playbooks and wargaming. We’ve been in high pressure situations and faced complex, sometimes bizarre, scenarios. We understand how people act in a crisis, how effective communications should occur and how teams can be properly prepared for the worst case scenarios. Above all, we love thinking like the enemy to work out the many different, innovative and nefarious ways in which an organisation can be compromised.

We’ve worked with the military, airlines, hospitals, schools and small businesses to develop and implement Incident Response policies, plans and processes in their organisations. Get in touch to understand how we can help you prepare for cyber attacks.