Within the incident response (IR) team, establish clear authority to make decisions and to report accurately. That authority is what minimizes the impact of incidents, shortens the attacker’s active “dwell time” inside the network and ensures you can restore operations after an incident. Assembling a team with the right skill sets can be one of the most challenging tasks. Qualified employees are often in short supply within organizations, particularly because these teams need to balance technical, communication and problem-solving skills. If you’re not 2020 ready, you need to act now to be prepared for 2022 and beyond. So, where do you start?
Steps to Building Your Election Incident Response Team
1. Define the budget to staff the team adequately. No later than a year out from the election, start planning for realistic staffing requirements. Many IT organizations do not have large budgets to throw at problems, particularly for election support. Meet with budget managers to develop an event budget that covers building the team, the necessary tools and the required training events. Keep communicating with the budget managers about any changes in funding.
2. Staff your team based on skill sets and roles. When building teams, establish cohesion by clearly defining roles and responsibilities:
(a) Team Lead: Well versed in overall team operations, the team lead formulates contingency plans for backup roles and decides what the IR team can act on based on internal guidelines. The team lead makes sure the team understands the organization’s assets, threats, vulnerabilities, risks and countermeasures.
(b) Incident Manager: When a serious incident occurs, the incident manager communicates its severity to higher authorities so it gets appropriate attention, and summarizes the findings for submission in the Cyber 9-Line reporting format.
(c) Three-Tier Support System: Drawing on threat information gathered both internally and externally, the tiered response model lets personnel with less incident experience respond to low-severity incidents at Tier-1. Tier-2 reviews Tier-1 work and decides whether to escalate. Tier-3 is the highest escalation level; Tier-3 incident responders are well versed in skills such as networking, scripting, malware analysis and digital forensics.
(d) Technical Lead: The technical lead understands adversary tactics, techniques and procedures (TTPs) and how they can be used against the network, and is able to explain technical terms in layman’s terms to less experienced team members.
(e) Legal Counsel: Legal counsel is a member of the legal team who advises on the disclosure of breach incidents, so that the team knows its limits under applicable laws and legal guidelines.
(f) Knowledge Management Lead: The knowledge management lead maintains the digital procedures, tools and applications, and documents the critical steps of each incident so that lessons learned are captured. The role also facilitates the flow of information internally and externally for a smoother handover.
3. Define critical asset lists. Identify which systems may hold sensitive data, such as Personally Identifiable Information (PII), and the breach notification requirements that apply to them. Ensure these systems are hardened and kept up to date at all times.
4. Develop tools. There is an old saying that an incident response team is only as good as the tools it can use to collect and analyze evidence. Establish a list of tools that will make the organization successful, and ensure the team is properly trained on them. Include tools such as forensic imaging and analysis software, Security Onion, and “go bags” that can be quickly shipped and operated in more austere locations.
5. Formulate guidelines for external help. If you cannot pull in experienced in-house talent when building an IR team, establish procedures for bringing in external assistance to augment in-house capabilities. With adequate coordination, interagency support can be arranged in advance.
6. Practice, practice and practice. To build effective IR teams, run practical tabletop exercises (TTXs) to establish response times, shape competency, build trust and familiarize team members with the latest tools. The more a team practices TTXs and cyber-disruption response plans involving outside agencies, the better it can establish defined playbooks, understand cascading impacts, report accurately, define trigger points and build confidence.
Threat actors are often well-equipped and deeply financed state-sponsored groups from Russia/Eastern Europe, Asia-Pacific (China) and the Middle East. These advanced persistent threats (APTs) have been planning and performing cyberespionage, and are working around the clock to compromise data and breach our election system. The ultimate goal is the weaponization of our entire election process. What is our level of preparedness? Are we ready for the possibility of ransomware corrupting voter databases, tampering with voting machine hardware to alter vote totals in favor of either candidate, or delayed mail-in ballots?
From a cybersecurity perspective, we have to perform our due diligence to harden election infrastructure. We have to pursue every available avenue of incident response to solidify the American people’s trust in the upcoming election. That begins with building a strong incident response team.