In Times of Crisis: Focus, Plan, Ask for Help

Every pilot learns the mantra "Aviate. Navigate. Communicate." during their initial flight training. Easy to remember in a crisis - for example, should an engine suddenly go quiet - it is intended to remind the pilot of the order of priorities required to execute an optimal recovery.  

At its core, incident response is crisis management. MOXFIVE observes that when organizations initiate a response by recognizing the crisis-like aspects of the situation, the response goes more smoothly. Internal and external stakeholders have the awareness they need to properly do their jobs. Teams can more effectively share the load and reduce burnout. Blood pressures lower. To gain these net positive returns, we’ll breakdown the pilot’s mantra.

Aviate.

First, and in every moment, fly the plane. If you get distracted by other tasks, and as a result end up in a spin, the situation does not improve.  

Back on the ground at the outset of an incident response, it is critical to take control. Start by establishing clear leadership and a management structure over the incident response process. Empower the "doers": those tasked with rubber-meets-road tasks ranging from developing communications plans, to performing forensics, to restoring servers. Shield them from the distractions that invariably knock on leaders' doors, for example meetings with legal counsel and requests for updates from the board of directors.  Key activities that should be done include:

• Identify the incident coordinator and project management team.
• Identify clear lines of communication so that information can flow up and down the chain.
• Do you have visibility and control across your systems? If not, now it is a high priority to implement.

Navigate.

Once the aircraft is under control, determine where you intend to go. Always be going somewhere.  

Have a plan. If you're reading this post and do not already have disaster response, business continuity, and incident response plans that are customized to your organization and have been recently tested, add those to your list of to-do's.   

Once in the thick of it, prioritize your response activities - aviate, navigate, communicate. What is the critical path to restoring the systems upon which others depend, for example, Active Directory? What is the next most important application to restore? Does that application have dependencies? Below are a few tips that can help you be more prepared for responding to an incident:

• Form relationships with outside providers - outside legal counsel, forensic investigation firms, recovery-focused firms
• At least annually, execute a tabletop exercise that simulates a realistic intrusion and the associated response activities
• Understand what systems are critical to your most important revenue-generating activities, and what infrastructure those depend upon

Communicate.

Back in the air, communication is the final task to be performed only after the other two tasks are under control. Once the aircraft is stabilized and headed to an emergency landing site, the pilot communicates to ask for help and let others know the plan. When air traffic control (ATC) is informed of an in-the-air emergency, they immediately prioritize the emergency aircraft and activate a vast array of resources to help. A prepared pilot will already have the radio tuned to the necessary frequency to make that call with a push of a button.

Like the wise pilot who asks for help, organizations should not feel like they have to ‘go it alone.’ Establish relationships with cyber counsel, with forensics firms, and with other service providers to be ready for the day when you need their help.  

When an incident response scenario arrives, execute your communications plan. Develop this ahead of time. Consider what information your leadership will need when faced with an IT crisis (it’s in your IR plan, right?). Also account for the information that important stakeholders like customers and partners will need. Consider the following when planning a communication strategy:

• Engage communications specialists to plan external messaging
• Separate sync meetings based on audience, sharing the appropriate level of information at each
• Avoid diverting into the weeds during executive status updates – keep leadership focused on big picture items
• Track technical details using a single source of truth, updated by all team members, to avoid incurring process inefficiencies  

Take control.  

One of the reasons that scheduled commercial aviation is so incredibly safe, measured in accidents per mile travelled, is the level of rigor that the entire process is subjected to. Airplanes and their complex subsystems are frequently inspected. Pilots are tested on their flying skill and knowledge of emergency procedures.  Lesson learned: consult experts (mechanics, flight instructors) and follow their advice.

If you’re not experiencing an incident today: congratulations – you have the benefit of clarity and a lack of time pressure to plan ahead and avoid chaos at a later point. MOXFIVE can help you proactively plan to minimize the impact of cyber attacks. We bring the benefit of helping thousands of organizations work through incidents ranging from state-sponsored ninjas to ransomware-wielding extortionists.  

The author earned his Private Pilot Certificate in 2013 and has enjoyed exploring the skies of sixteen states.