Skip to main content
Security and resiliency

Incident response and incident recovery: simply better together

Article 19 Apr 2024 Read time: min
By: Andy Valentine

As the business world goes increasingly digital, cybercriminals have homed in on the most effective way to extort companies: ransomware.

I see the work of most digital forensic teams now focused on this type of devastating attack, and that focus is only increasing. Ransomware attacks jumped by 73% between 2022 and 20231. I remember grappling with a more diverse array of corporate-directed cybercrime a decade ago. 

The rise of ransomware indicates that cybercriminals have found a powerful, efficient way of hamstringing corporate operations, which means that digital forensics teams need to be powerful and efficient in response. Siloed, disjointed incident response and incident recovery processes won’t cut it in this environment. Yet, it’s still too common for these teams to lack a shared set of understandings, approaches, and goals to coordinate their efforts.

Let’s look at how incident response and incident recovery teams can work together and ensure that all stakeholders play a role in the incident lifecycle.

Incident response vs. incident recovery

During and after a catastrophic infrastructure incident, two essential processes must occur: an investigation into what exactly occurred and how it happened, and the recovery of the compromised digital environment, sometimes by rebuilding it from the ground up.

The former—incident response—looks to determine the particulars of the problem, such as how bad actors infiltrated the digital environment, how they moved through it, and what they stole. The latter—incident recovery—is about bringing organizations back to working order as quickly as possible after an incursion has knocked them out.

The divergence of these two workstreams often complicates the process of bringing an organization back to strength after an incident. These two teams typically operate in silos and are directed by differing governance layers—but the separation can cause functional problems as the teams may accidentally work at cross-purposes.

When incident response and incident recovery teams cooperate, they coordinate efforts and share information to enact a more effective approach to managing security incidents.

Coordinating the incident lifecycle

In one example, with a customer in the retail sector, lack of communication between the incident response and incident recovery teams stymied the response team in accessing an image of a particular server that a bad actor had infiltrated. By the time the response team requested the image, the recovery team had already restored the compromised server to its original state, accidentally destroying vital information about how the incident occurred.

When incident response and incident recovery teams cooperate, on the other hand, they coordinate efforts and share information to enact a more effective approach to managing security incidents. By working together, these teams can minimize disruptions, expedite recovery, enable continuous improvement and maintain stakeholder confidence throughout the incident lifecycle.

Addressing the needs of diverse stakeholders

Coordinating incident response and incident recovery under a single governance layer requires working with a wide range of stakeholders with different priorities within the process. Specifically:

  • C-suite executives are primarily concerned with getting operations back up and running as quickly as possible
  • Customers want quick recovery and assurances of data security
  • Lawyers want insight into the scope of exposure, enumerated records, understanding of liability and notification requirements
  • Law enforcement wants attribution
  • Digital forensics and incident response teams want to understand the details of the incursion, as well as indicators of compromises, and vulnerabilities and exploits

Keep in mind that the stakeholders may have different timelines based on divergent priorities. One example was a data breach event I helped address at a chain restaurant group. Threat actors had inserted malware in the back-of-house system and were capturing credit card data on the swipe. The company’s executives were primarily concerned with getting operations functioning again as soon as possible. That happened rapidly, and the executives’ role in the incident was effectively over. Meanwhile, the lawyers had a drawn-out process to discern the extent of the damage and act to mitigate legal exposure. Months after the incident, litigation support was ongoing.

A data breach coach can help coordinate response and recovery efforts.

The role of the data breach coach

Managing stakeholders that have different needs and different timelines takes diplomacy and finesse. For most of my career, I believed incident response and digital forensics were overwhelmingly technical jobs. I’ve realized that they are only, say, 60% technical, with the other 40% dedicated to managing stakeholders’ needs diplomatically and delicately.

To help facilitate this process, there’s a career track that didn’t exist 10 or 15 years ago: the data breach coach. Data breach coaches help a company that has experienced an incident to coordinate response and recovery efforts and ensure it complies with state regulations about notifying customers of data compromise.

Typically, an insurer will assign a breach coach to manage the insurance company’s relationship with the insured and all the stakeholders, such as the third-party legal counsel and the technical company conducting the investigation or recovery. Companies can also hire breach coaches independent of insurance involvement. In situations where there’s no breach coach, this coordination role falls on the lead investigator for the incident response team.

The most effective way to conduct this coordination is to have all stakeholders gather in the same meetings to coordinate the process and assert their needs. For a short period, this may require a daily stand-up meeting. Meetings may become less frequent over time.

Three things companies can do to prepare

  1. Make a customized plan
    Developing a customized, vetted plan for incident response and recovery is the first step a company should take in preparing for a potential incident. Companies often have some sort of plan on file since this is part of many compliance requirements. But plans that are in place simply for the sake of compliance tend to be generic and not very actionable.

    For the plan to effectively guide response and recovery, stakeholders should customize it with deep specificity, down to inserting the names of the individual (such as “Dave,” not just “IT technician”) who will be called on to play each role. 

  2. Test your plan with a tabletop exercise
    Once a company has a customized plan in place, the plan should be tested. Do a tabletop exercise in which all stakeholders gather to conduct a mock scenario throughout an entire day, if possible. At intervals throughout the day, narrate events as they would likely unfold.

    For example, a medical practice may simulate what to do after learning that patient records have been compromised. The stakeholders decide what they will do based on the plan and direct the action that each individual should take. A few hours later, they must act out how to proceed when they learn that the bad actor is asking for a ransom.

    In walking through this progression, they will get important insight, such as whether their plan is detailed enough, which data is needed for each action, and when they should involve law enforcement.

  3. Think through when to call in outside help
    Companies that have gone through the above steps may be able to handle various cybercrime incidents without outside assistance. But it’s a good idea to have a trigger in your plan for when to call in third-party aid that can provide more advanced technical expertise. For example, internal technical capacity may be outstripped by a situation in which legal stakeholders need technical proof of which data has been compromised.

    Cooperation between incident response and recovery teams matters more than ever in the face of increasingly frequent and high-stakes cybercrime. Planning for the needs of all stakeholders within the incident lifecycle is the best way to ensure an effective, robust response when the worst occurs.


    Andy Valentine is Vice President of Incident Response for Kyndryl