
    Ten Rules for the Cyber Incident Responder

    For the past 15 years, Ryan Vela, regional director of Cybersecurity Services at General Dynamics Fidelis Cybersecurity Solutions, has been involved in cyber incident response in both the public and private sectors. While serving as follower, leader, coordinator, liaison, consultant, and advisor on countless small, medium, and large incidents, he has come to learn that there is a small set of rules that apply to every single incident response and to every single person serving as part of an incident response team. If you are a cyber incident responder, then you may know all of this already. However, he will explain why these 10 rules are necessary.

    The Incident Responder’s 10 Rules

    1. Do no harm.

    2. Always act ethically.

    3. Always act and present yourself professionally.

    4. Always maintain operational security.

    5. Never release confidential information.

    6. Always take notes.

    7. Always gather and analyze all facts before reporting a conclusion.

    8. Always pursue first-hand information.

    9. Never assume you have all of the data.

    10. Do not fear the unknown.


    The 10 rules that should be adopted by all cyber incident response team members, as identified by Ryan Vela, regional director of Cybersecurity Services at General Dynamics Fidelis Cybersecurity Solutions, follow.


    Do no harm

    Do not perform any action or cause inaction that will cause injury or endanger the life of another human being. As a second priority, do not perform any action or cause inaction that will lead to risk of harm to animals, the environment, or property. The act of doing or not doing harm is often considered in terms of legal acceptability. While the laws of the jurisdiction are important, they may not protect all of the people all of the time.


    Always act ethically

    Act in a manner that is good and just. In deciding how to act, use empathy to place yourself in another affected person’s shoes. Be honest, respectful, and open to alternative opinions on ethical outcomes.


    Always act and present yourself professionally

    Do unto others as you would have them do unto you. If you expect to be treated as a professional, then treat others professionally. Likewise, present yourself in a manner befitting someone who is worthy of respect.


    Always maintain operational security

    Do not allow unauthorized people or tools to gain visual, physical, or auditory access to case data. Do not leave documents, notes, or drawings open for unauthorized viewing. Properly encrypt communication, data in transit, and data at rest. Secure all data in a controlled manner when not in possession. Ensure that colleagues are following proper operational security.


    Never release confidential information

    Loose lips sink ships. Do not talk about the work you are doing to anyone who has no need to know: releasing information about an incident can tip off adversaries and move the cyber event into a less controlled situation. Additionally, releasing information to the public arena can hurt an organization’s reputation and brand.


    Always take notes

    Be effective and efficient when taking notes. Ensure that your notes are accurate. Mark conjecture as such. Mark notes with dates, times, persons involved, locations, and other relevant data to place the notes into context.


    Always gather and analyze all facts before reporting a conclusion

    Obtain as much data as possible when performing analysis. Analyze all data as thoroughly as possible before reporting a conclusion or expert opinion. When reporting a conclusion based on partial data or partial analysis, caveat the report appropriately to state that not all data was gathered or not all analysis was completed.


    Always pursue first-hand information

    Always attempt to corroborate facts with first-hand information. Only after an acceptable attempt to obtain first-hand information has been made and it proves unavailable should you accept second-hand information as a substitute. Mark all second-hand information as such.


    Never assume you have all of the data

    Attempt to be as holistic as possible when answering a question or arriving at a conclusion. Appropriately balance accuracy and precision when collecting and analyzing data. Present answers or conclusions with the scope of the amount of data collected and analyzed.
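Rules 6 through 9 describe properties a responder's case notes and reports should have: every note carries its context (time, author, location, persons), conjecture and second-hand information are marked as such, and a conclusion is reported with caveats when the data or analysis behind it is incomplete. The following is an added example, not code from the article or from Fidelis: a small tamper-evident case log that enforces those fields at write time, hash-chains each note to the previous one so later edits are detectable, and generates caveats automatically when a conclusion rests on conjecture, second-hand notes, or fewer data sources than were identified. All class and function names, the field vocabulary, and the sample notes are this example's own assumptions.

```python
"""Tamper-evident incident case log (added example; names and sample data are constructed)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

SOURCES = {"first-hand", "second-hand"}   # rule 8: provenance must be stated
KINDS = {"fact", "conjecture"}            # rule 6: conjecture is marked as such
GENESIS = "0" * 64                        # prev_hash of the first note


@dataclass
class Note:
    timestamp: str       # ISO-8601 UTC time the observation was recorded
    author: str          # responder who wrote the note
    location: str        # host, site or system the note concerns
    persons: List[str]   # people involved or interviewed
    source: str          # "first-hand" or "second-hand"
    kind: str            # "fact" or "conjecture"
    text: str            # the observation itself
    prev_hash: str = ""  # digest of the preceding note (chain link)
    digest: str = ""     # SHA-256 over this note's content plus prev_hash


class CaseLog:
    """Append-only list of notes; each note's digest covers the previous digest."""

    def __init__(self) -> None:
        self.notes: List[Note] = []

    @staticmethod
    def _digest(note: Note) -> str:
        body = asdict(note)
        body.pop("digest")  # the digest field itself is not part of the hashed content
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def add(self, timestamp: str, author: str, location: str, persons: List[str],
            source: str, kind: str, text: str) -> Note:
        # Reject notes that lack the context rules 6 and 8 require.
        if source not in SOURCES:
            raise ValueError(f"source must be one of {sorted(SOURCES)}")
        if kind not in KINDS:
            raise ValueError(f"kind must be one of {sorted(KINDS)}")
        if not (timestamp and author and location and text.strip()):
            raise ValueError("timestamp, author, location and text are mandatory")
        prev = self.notes[-1].digest if self.notes else GENESIS
        note = Note(timestamp, author, location, list(persons), source, kind, text, prev)
        note.digest = self._digest(note)
        self.notes.append(note)
        return note

    def verify(self) -> bool:
        """True only if no note was altered and the chain is unbroken."""
        prev = GENESIS
        for n in self.notes:
            if n.prev_hash != prev or self._digest(n) != n.digest:
                return False
            prev = n.digest
        return True

    def report(self, conclusion: str, supporting: List[int],
               sources_collected: int, sources_identified: int) -> Dict:
        """Bundle a conclusion with the caveats rules 7 to 9 call for."""
        cited = [self.notes[i] for i in supporting]
        caveats: List[str] = []
        if any(n.kind == "conjecture" for n in cited):
            caveats.append("Conclusion relies on notes marked as conjecture.")
        if any(n.source == "second-hand" for n in cited):
            caveats.append("Conclusion relies on second-hand information not corroborated first-hand.")
        if sources_collected < sources_identified:
            caveats.append(f"Only {sources_collected} of {sources_identified} identified data "
                           "sources were collected; analysis is partial.")
        return {
            "conclusion": conclusion,
            "scope": f"{sources_collected}/{sources_identified} data sources analyzed",
            "caveats": caveats,
            "supporting_notes": [n.digest for n in cited],
            "log_intact": self.verify(),
        }


def build_demo_log() -> CaseLog:
    """Constructed sample notes for a fictional case; hostnames and people are made up."""
    log = CaseLog()
    log.add("2024-01-10T09:15:00+00:00", "responder-A", "ws-0142", ["J. Doe"],
            "first-hand", "fact", "Observed scheduled task created at 08:52 UTC in task scheduler export.")
    log.add("2024-01-10T09:40:00+00:00", "responder-A", "ws-0142", ["helpdesk lead"],
            "second-hand", "fact", "Helpdesk reports user noticed slow logon on the same morning.")
    log.add("2024-01-10T10:05:00+00:00", "responder-B", "ws-0142", [],
            "first-hand", "conjecture", "Task name pattern may indicate a known loader family; not yet confirmed.")
    return log


if __name__ == "__main__":
    demo = build_demo_log()
    print(json.dumps(demo.report("Workstation ws-0142 shows signs of persistence.",
                                 [0, 1, 2], 2, 3), indent=2))
```

The caveat list is generated from the notes' own markings rather than from the writer's memory, which is the point: if a second-hand or conjectural note is cited, the report says so regardless of how confident the analyst feels, and `log_intact` tells the reader whether the notes behind the report still hash to what was originally recorded.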


    Do not fear the unknown

    No one knows everything. It is okay to ask for help. It is honorable to admit when you do not know something. Do not allow lack of knowledge to lead to lack of confidence or procrastination. Seek second opinions and ask advice on an approach to solving a problem. Balance seeking advice with timeliness.
