Scattered Spider just rewrote my ransomware playbook. They didn’t just break in. They didn’t just move laterally. They fought back. Incident response started closing doors and Scattered Spider pried them back open, countered security moves in real-time, and actively sabotaged the organization’s operations on their way out. This isn’t the future of ransomware. It’s here.

A few painful lessons:
- Social engineering is faster than brute force. Scattered Spider impersonated a CFO and convinced the help desk to reset MFA... and it worked!
- Over-privileged executive accounts remain soft targets. They offer maximum access and minimum resistance.
- Cloud misconfigurations and virtual machines are blind spots. The attackers moved through virtual desktops, spun up new machines, and operated without endpoint detection visibility.
- Persistence matters. Even after discovery, the attackers leveraged administrator-level control to claw back access and delay eviction.
- Real-world tug-of-war is now part of the threat landscape. They weren’t afraid to burn the environment down.

Here is how we (Incident Response) can start to prepare:
- Strengthen identity verification, especially for help desk resets. Voice-based verification is not enough.
- Audit executive accounts for unnecessary privileges. Just because it’s the CFO doesn’t mean they need domain-wide access.
- Segment and actively monitor your virtual environments. Treat VDI and VMware ESXi like critical infrastructure.
- Plan for post-discovery adversaries. Assume they’ll fight to stay. Build recovery and containment playbooks for hostile evictions.

Scattered Spider showed us what the next generation of attackers looks like. They don’t just steal data. They disrupt. They linger. And they’re watching how you respond. You get what you rehearse, not what you intend. Start rehearsing now.
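Two of the preparation items above (audit executive accounts for domain-wide privileges; treat voice-only verification as insufficient for help-desk MFA resets) can be turned into a routine check. The script below is an added example, not code from the post's author; the account inventory, role names and help-desk ticket lines are constructed sample data, and the field layout of the log is an assumption.

```python
# Added example: flag over-privileged executive accounts and MFA resets that were
# approved with weak (voice-only) identity verification on sensitive accounts.
# All data below is constructed; a real run would read a directory export and the
# help-desk ticketing system's reset log instead.

# Constructed account inventory: username -> job title and directory roles held.
ACCOUNTS = {
    "cfo.jane":  {"title": "CFO",      "roles": ["Domain Admins", "Finance-Users"]},
    "ceo.bob":   {"title": "CEO",      "roles": ["Executives"]},
    "it.admin1": {"title": "IT Admin", "roles": ["Domain Admins"]},
    "sales.amy": {"title": "Sales",    "roles": ["Sales-Users"]},
}

# Roles that grant domain-wide control (assumed names; adjust to your directory).
DOMAIN_WIDE_ROLES = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
EXEC_TITLES = {"CEO", "CFO", "COO", "CISO"}

# Verification methods the help desk may accept for a reset on a sensitive account.
# Voice callback alone is deliberately NOT in this set.
STRONG_METHODS = {"in_person_badge", "manager_approval+id_check"}

# Constructed help-desk reset log, one reset per line:
# timestamp|account|verification_method|requester_channel
HELPDESK_LOG = """\
2025-06-01T09:12:00Z|cfo.jane|voice_callback|phone
2025-06-01T09:40:00Z|sales.amy|in_person_badge|walkup
2025-06-02T14:05:00Z|it.admin1|manager_approval+id_check|phone
2025-06-02T16:30:00Z|ceo.bob|voice_callback|phone
"""


def is_sensitive(account: dict) -> bool:
    """An account is sensitive if it is an executive or holds a domain-wide role."""
    return account["title"] in EXEC_TITLES or bool(DOMAIN_WIDE_ROLES & set(account["roles"]))


def overprivileged_executives(accounts: dict = ACCOUNTS) -> list:
    """Executive accounts that hold a domain-wide admin role (should normally be empty)."""
    return sorted(
        name for name, acct in accounts.items()
        if acct["title"] in EXEC_TITLES and DOMAIN_WIDE_ROLES & set(acct["roles"])
    )


def weak_mfa_resets(log: str = HELPDESK_LOG, accounts: dict = ACCOUNTS) -> list:
    """MFA resets on sensitive accounts that were not backed by a strong verification method."""
    findings = []
    for line in log.strip().splitlines():
        ts, user, method, _channel = line.split("|")
        acct = accounts.get(user)
        if acct is None:
            continue  # unknown account: out of scope for this check
        if is_sensitive(acct) and method not in STRONG_METHODS:
            findings.append((ts, user, method))
    return findings


if __name__ == "__main__":
    print("Executives with domain-wide roles:", overprivileged_executives())
    for ts, user, method in weak_mfa_resets():
        print(f"{ts} weak-verification MFA reset on {user} ({method})")
```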
How to Strengthen Incident Response Plans
Summary
Strengthening your incident response plan is essential to effectively manage and mitigate the impact of unexpected cybersecurity incidents. An incident response plan is a detailed strategy that prepares your organization to identify, contain, and recover from potential security threats while minimizing disruption to operations.
- Rehearse under pressure: Conduct unannounced, real-world incident response exercises under challenging conditions to build team resilience and improve decision-making during high-stress situations.
- Identify and fill gaps: Proactively evaluate your infrastructure, including cloud environments, access controls, and physical networks, to address vulnerabilities that attackers might exploit.
- Develop layered strategies: Adopt a multi-tiered defense approach, including proactive threat hunting, real-time monitoring, and clear communication between IT, security, and operational teams.
-
You’re the newly hired Compliance Lead at a fast-growing tech startup. Two weeks into your role, you discover that the company has no formal incident response plan in place, even though it recently experienced a ransomware attack. Leadership is concerned but doesn’t know where to begin, and employees are confused about their roles during an incident. Your CEO asks you to draft a basic Incident Response Framework and outline the top 3 immediate steps the company should take to prepare for future incidents.
- What would your first draft framework include? (Hint: Think of NIST’s Incident Response Lifecycle – preparation, detection, analysis, containment, eradication, and recovery.)
- How would you ensure team alignment across IT, legal, and operations? (Hint: Consider regular tabletop exercises, clear role definitions, and a central incident communication channel.)
- What tools or processes would you recommend to track and report incidents effectively? (Hint: Look at tools like Splunk for monitoring, Jira for tracking, and SOAR platforms for automation.)
-
Emergencies are unavoidable—fires, floods, shootings, cyberattacks. The only thing worse than an emergency is being unprepared for it. Just ask yesterday's "Worst Employer" nominee. A well-crafted Emergency Action Plan (EAP) keeps everyone safe and your business running. Here are 10 things to consider in creating one:
1. Assess Your Risks. Identify the emergencies most likely to hit you—whether natural disasters, workplace violence, or data breaches. Prioritize based on impact and likelihood.
2. Get Employee Input. Your employees are on the front lines and often spot risks management misses. Including their insights builds a better plan and fosters buy-in.
3. Assign Clear Responsibilities. Who calls 911? Who initiates evacuations? Everyone should know their role before an emergency strikes to avoid confusion in the heat of the moment.
4. Map Out Evacuation Plans. Chart exits, evacuation routes, and assembly points. Make sure everyone can evacuate safely, including employees with disabilities.
5. Establish Communication Channels. Use multiple methods—emails, texts, and phone trees. Keep clients, vendors, and other stakeholders informed, too.
6. Stock Emergency Supplies. First-aid kits, fire extinguishers, and flashlights are must-haves. Regularly check supplies so nothing fails in a real emergency.
7. Plan for Business Continuity. Know which processes must keep running and how to do it—whether remote work, cloud backups, or backup vendors.
8. Stay Compliant. Verify if OSHA or other laws require specific elements in your plan. Non-compliance can mean fines.
9. Train, Drill, and Support Your Team. Hold regular drills, offer training refreshers, and provide mental health support after stressful events.
10. Debrief, Report, and Improve. After every emergency or drill, debrief with your team. File necessary incident reports for OSHA or insurance. Assign someone to review and update the plan regularly.
Emergencies aren't predictable, but your preparation should be. A well-thought-out EAP protects your people and helps your business bounce back as quickly and easily as possible.
-
Incident response tabletops and free throw practice... I still remember my high school basketball coach making us shoot free throws at the worst possible time... you know, right after full-court sprints, dripping with sweat, legs like jelly, heart pounding in our ears. Why? Because that’s what the game demanded. You don't shoot free throws in a vacuum. They happen after you've been bodying up defenders, sprinting in transition, making split-second decisions and often after a bad call or a costly turnover. You’re not fresh. You’re not focused. You're human. And the shot still counts.

Now think about the last time your organization ran an incident response tabletop exercise. Let me guess... it was scheduled weeks in advance, everyone showed up with a coffee and a charged laptop, ready to "war game" the scenario in a controlled, distraction-free environment. That’s not how incidents work. Just like those free throws in the fourth quarter, real incidents hit when you’re tired, stressed, and juggling a dozen priorities. You’re mid-release. The lead engineer is out sick. Legal is in a negotiation. The chaos isn’t the exception, it’s the context. But we practice incident response like it’s a boardroom drill. That’s a mismatch. It’s like practicing clutch free throws in a quiet gym after yoga. You might look great in training, but the game will break you.

What if we rethought tabletops the way my coach rethought free throw practice?
- Surprise timing: Don’t schedule it. Drop the scenario into Slack during a sprint review. Or in the middle of the monthly all-hands. Or when the entire team is at the RSA conference...
- Inject fatigue: Run it during the tail-end of a product launch cycle. Make the team context-switch from a real-world task.
- Create tension: Add distractions. Make people use the actual comms channels they’d rely on.
- Introduce uncertainty: some information is incomplete; some actors go silent.
- Track response time, decision quality, communication clarity.
- Debrief like you just lost the game on a blown play.

From my experience, practicing under pressure builds muscle memory. The goal isn’t to simulate a perfect response, it’s to train the reflexes, the communication patterns, the trust in each other when things are at their worst. That’s what makes the best teams win under pressure. So, the next time you're planning an IR tabletop, ask yourself... Are we shooting free throws after wind sprints? Or are we fooling ourselves into thinking that calm, quiet practice will prepare us for the real game? #ciso #IR #basketball #tabletop
-
Hope is not a plan. Don’t plan for what’s easy—plan for what will break you. When it comes to emergency management, my philosophy is simple: Think Big. Go Big. Go Fast. Be Smart About It. This isn’t theory. It’s what works when everything else is falling apart.

1. Think Big. Plan for the disaster you can’t handle—not the one you can. Too many plans are written for the expected. You’ve got to plan for the event that could crush you. If you only plan for the average storm, the big one will wipe you out. But if you plan for the worst, you can always scale back. Example: If a Category 5 hurricane is possible, don’t base your plan on a Cat 2. Assume the power's out, roads are gone, comms are down, and you’re on your own for days. Can you still operate?
2. Go Big. Lead with overwhelming force. Don’t wait to be asked. Disasters move faster than bureaucracy. By the time the official request comes in, it may already be too late. Don’t wait to assess. If it’s bad, move. You can always scale down. You can’t recover lost time. Example: If there’s a fast-moving wildfire or flash flood, surge fire crews, helicopters, trucks—before the paperwork. You can send them home later. But you can't rewind the clock.
3. Go Fast. Speed beats perfection. Move now—adjust later. You’re never going to have perfect situational awareness. Waiting for full clarity gives the disaster time to grow. In a crisis, the biggest risk is moving too slow—not making the wrong move. Example: Don’t wait for a confirmed casualty list before launching search-and-rescue. If people are trapped, get boots on the ground. Speed is life.
4. Be Smart About It. Use your experience, your partners, and your data. Throwing resources blindly isn’t leadership. You’ve got to think while you move—use what you know and who you trust. You don’t have unlimited fuel, people, or equipment. Make every action count. Example: Tap mutual aid early. Bring in the private sector. Use volunteer networks. This isn’t about control—it’s about coordination and impact.

Putting It into Practice
- Exercises: Don’t run easy drills. Stress the system. Break it. That’s how you find the gaps.
- Policy: Build in logistics and authority for early action. If you’re waiting for approvals, you’re already behind.
- Messaging: Be clear. Be fast. No sugarcoating.
- Culture: Build teams that move fast, take initiative, and trust each other. Bureaucracy kills momentum.

Bottom Line: Disasters don’t care about your process. They don’t wait for consensus. You either act—or people die. So: Think Big. Go Big. Go Fast. Be Smart About It. That’s how you save lives.
-
Kelly McKinney asked ChatGPT to provide a Crisis Management Algorithm. I added the exact prompts into MS Copilot. Here are the results.

Blue Sky Phase (Pre-Crisis)
1. Crisis Envisioning and Planning
   - Identify Potential Crises: Natural disasters, cyber-attacks, health emergencies, etc.
   - Assess Resource and Consequence Challenges: Information flow, available resources, possible impacts.
   - Draft Possible Scenarios: Create a library of realistic crisis scenarios.
2. Team Identification and Convening
   - Identify Key Individuals and Groups: Roles such as communication, logistics, medical, security.
   - Recruit Additional Members: Based on specific crisis needs.
   - Schedule Training Sessions: Immersive crisis scenario simulations.
3. Development of Crisis Response Plan
   - Establish Tactical Operations: Identify parallel and simultaneous operations.
   - Assign Leads for Each Operation: Designate responsible individuals and groups.
   - Create Flexible Response Guidelines: Document detailed yet adaptable procedures.
4. Team Readiness and Monitoring
   - Establish 24/7 Monitoring: Set up systems to keep watch for any crisis signals.
   - Information Gathering Systems: Develop methods to collect and assess initial signals.
   - Crisis Simulations and Drills: Regularly conduct practice scenarios.

Gray Sky Phase (During Crisis)
1. Signal Detection and Assessment
   - Monitor Signals: Continuous observation of potential threats.
   - Immediate Response: Gather detailed information upon detection of a signal.
   - Initial Assessment: Evaluate if the signal could lead to a crisis.
2. Incident Management Team Notification and Activation
   - Notify Incident Management Team: Use all available means (email, text, etc.).
   - Convene Incident Management Team: Ensure team is quickly assembled.
3. Emergency Operations Facilitation
   - Operations Meetings:
     - Initial Briefing: Share situational awareness.
     - Status Updates: Regular reports from individuals and groups on their operations.
     - Address Issues and Needs: Identify obstacles and unmet needs, propose solutions.
   - Tactical Execution: Oversee and support the execution of emergency operations.
4. Continuous Review and Adaptation
   - Continuous Monitoring: Keep assessing the situation and adjusting the plan.
   - Coordination and Communication: Ensure seamless coordination among team members.
   - Resource Management: Efficiently allocate resources as per needs.
   - Documentation: Maintain detailed records of decisions and actions taken.
5. Crisis Resolution and Debriefing
   - Crisis Resolution: Keep operating until the crisis is resolved.
   - Post-Crisis Review: Conduct a thorough review to identify lessons learned.
   - Update Crisis Management Plan: Incorporate improvements based on the review.

By following this algorithm, your crisis management team can efficiently manage crises, ensuring preparedness before they occur and effective action during their occurrence.
-
Detection is NOT the first stage in incident response. It’s Preparation. Sure, you probably need a policy to drive things, but ideally, you want to start with training. Only a trained workforce can detect, and/or respond to an incident. But more importantly, the response team’s training cannot be stagnant; it must evolve over time. Start with:
- A Checklist (where every member is given a checklist of their expectations should a breach occur. You familiarise the team members with their task here), then move to
- Table-top exercises (where everyone sits around a table and reads, to other team members, their expectations/duties when a breach occurs), then
- Simulation tests (here, the papers are taken away. The team members must develop and practicalize an appropriate response to a moot breach scenario, which is actually tested for its effectiveness); then, you may do
- Parallel tests (here, members are taken to an alternative site to actually practicalize and effect their developed incident response, on-site), and, if you’re lucky, do a
- Full-interruption test (might not be possible/approved by management because it means putting the business on hold. This is the height of incident response training because members' responses are tested live on business operations).
Whatever you do, you cannot stop at a tabletop exercise without doing some simulations.
-
In a recent discussion, the topic of event response in process environments came up. The group was a mix of IT, OT, and engineering roles and backgrounds. There was good input, with some 'IT-centric' perspectives, based on existing IRPs in place, focused on network security, isolation, segmentation, logging, SIEM, SOAR, EDR/MDR, SOC, IDS, IPS, etc. We widened the aperture, looking beyond Ethernet-connected devices like PLCs, HMIs, and Windows-based workstations and servers, addressing vulnerabilities and failures within the physical layer—field devices, instrumentation, and serial and industrial protocols (Modbus RTU, RS-485, HART/WirelessHART, PROFIBUS, PROFINET, etc.) integral to safe and reliable process control. The significance of these layers can be a common shortcoming in existing IRPs, where security, IT and OT teams, and asset and process owners must converge in the development of adequate response planning.

Field devices (transmitters, actuators, sensors, and valves) and serial protocols represent the primary interface between digital control systems and the physical process. A failure or compromise at this level may not be detectable by conventional IT cybersecurity monitoring tools and, more importantly, can have a cascading impact that takes place rapidly, degrading safety and reliability proportionately. Field-level anomalies frequently trigger, as mentioned previously, cascading impacts across multiple system layers. For instance, a malfunctioning RTD sensor feeding incorrect temperature values into a PLC could propagate through PID loops, triggering alarms or auto-shutdowns across unrelated systems. IRPs should consider PHA, SIS, process flows/lockouts, fail-safe, and restoration sequencing/timing of process state. Resilience requires acknowledging the physical realities of field-level instrumentation, integrating vendor- or component-specific tools and diagnostics, and aligning incident response with the deterministic and safety-critical nature of industrial processes.

By addressing these gaps, engineering personnel and asset and process owners, in partnership with IT and security recovery teams, ensure faster recovery, safety, productivity, and reliability in the face of both cyber and physical disruptions.
-
Help! I’ve been breached 🚨 You’ve been breached. It’s the moment every IT professional dreads. But instead of spiralling into panic, let’s tackle this head-on with some strategic tips that I’ve picked up during my time in the industry.

Step 1: Assemble Your Response Team ⚔ Activate your incident response team immediately. This includes your IT experts and legal counsel. Having a well-prepared plan isn’t just useful; it’s essential.

Step 2: Engage Forensic Experts 🔎 Bring in an independent forensic team. These digital detectives will help you understand the extent of the breach and gather critical evidence without contaminating the scene. Think of them as the CSI for your data center.

Step 3: Contain the Breach 💢 Isolate affected systems to prevent the breach from spreading. However, avoid shutting down machines until your forensic team arrives, as this could destroy valuable evidence. Change all passwords and review access logs to cut off unauthorized access.

Step 4: Notify Legal and Regulatory Bodies 📜 Contact your legal team to guide you through compliance and potential legal issues. Depending on the data compromised, different regulatory bodies may need to be informed. Adhering to state and federal notification laws is crucial to avoid further complications.

Step 5: Communicate Transparently 👓 Develop a clear communication strategy to inform all affected parties, including customers, employees, and stakeholders. Provide accurate details about the breach, the steps being taken to address it, and how it impacts them. Honesty and transparency are key to maintaining trust.

Step 6: Strengthen Your Defences 💪 After managing the immediate crisis, review your security measures thoroughly. Implement stronger protocols where vulnerabilities were found. Regular training for employees and continuous monitoring of systems will help safeguard against future breaches.

By following these steps, you can manage the crisis and emerge more resilient and better prepared for the future. Want to speak further about this topic? I am looking for CyberSecurity professionals and would love to connect and speak further! 💻🔐 #cybersecurity #breach #toptips
-
This pyramid model represents escalating levels of defense that move beyond basic detection and reaction:
- Know yourself, know your enemy: Inventory your assets and understand potential threats. Identify and document all your assets (devices, systems, data) to understand what needs protection.
- Detect and analyze: Having visibility across your assets means collecting sufficient data (logs, network traffic, etc.) to monitor activity and detect anomalies.
- Triage and validate: Assess and categorize security alerts, considering their fidelity to prioritize response efforts.
- Hunt proactively: Don't wait, actively search for hidden adversaries. This is about actively searching for hidden threats or adversaries that may have already bypassed your initial defenses and established a foothold in your systems.
- Real-time Monitoring: During an active intrusion, you need the ability to track the adversary’s movements in real-time to understand their actions and minimize damage.
- Collaborate for strength: Working with trusted partners (e.g., industry peers, security researchers, law enforcement, et al.) allows you to share threat intelligence, coordinate responses, and disrupt larger-scale adversary campaigns.
Credit goes to Matt S. for this model -- https://lnkd.in/e7MJQfJ #cybersecurity #networksecurity #datasecurity #informationsecurity #threathunting #incidentresponse #secops #securityoperations #cyberdefense #cyberthreatintelligence #riskmanagement