WHAT INSPIRES YOU, INSPIRES US.
Insights : Article

Cyber Incident Response and Little League Baseball: It’s all about the Follow Through

By   Isaac De La Garza

June 13, 2017

“Follow through”—we hear that phrase often in sports. For me, it was in youth baseball. I wasn’t a very good player, but the act of “following through” made the difference for me. I remember how awkward it felt to raise my right elbow while in the batting stance. This is where I learned to keep the bat off of my shoulder too. The most challenging for me was to pivot and rotate my foot. This is where you turn your back foot to compliment the swing so that you don’t fall down while taking a crack at the ball. Sequentially performing a variety of different mechanisms, regardless of making contact with the ball, that’s what we mean when we say “follow through.” I fell a lot at first, but by executing these individual movements, I was able to hit more than I fell by the end of the season. Good job coach!

In the realm of cyber security, “following through” before and after a cyber incident has a similar meaning: performing a set of mechanisms that improve your odds of preventing cyber incidents. As a computer incident responder, I am able to make observations on the processes that can help improve prevention percentages. Taking these observations, best practice models, real-world experiences and documented standards into consideration help people like me make educated suggestions, much like coaches do.

What You Need to Know

Information is valuable. To some degree, all information has a price. Whether it be to manipulate it, sell it on the black market, steal it or hold it for ransom, the data traveling through our networks is the target for hackers.

Preventing cyber incidents is definitely the goal, but the prevention-talk is commonly held out of context. Firstly, a cyber incident response effort can quickly shift out of focus when the response purpose hasn’t been planned and designed in-line with organizational goals. That means system down-time expectations and other cyber incident contingency plans have to be established. Confronting cyber incidents without this type of executive support is like taking the batter’s box away from home plate. In most cases this response model tends to focus heavily on a reactive approach to the incident, leaving to the wayside important investigative information that can be used to mature the response capability and instead focuses solely on bringing a system back online.

Secondly, think of cyber incident prevention as a defensive playbook. The more games you play, the thicker your defensive playbook becomes. Having a playbook doesn’t guarantee winning games, but creating a living and evolving resource such as a playbook enables confronting the opponent in an organized and systematical manner. Cyber incident prevention isn’t something you buy and plug into the network, it is an arsenal of knowledge that organizations grow and nurture into something consistent and effective.

Taking a Systematical Approach

Understanding that cyber attacks are never-ending and ever-changing, taking the “no downtime is acceptable” stance can be counter-productive for cyber incident response. Cyber incidents have many implications, some of them in the legal realm. Responding to cyber incidents systematically ensures that the appropriate actions are taken. Handling cyber incidents isn’t a simple process, but establishing a cyber incident response methodology will greatly benefit an organization no matter its size. While every organization is different, a successful model consistently addresses the following elements in one way or another.

  • Organize1 - Defining purpose, assessing downtime impact, establishing the right people and obtaining the proper policies and procedures for incident response establishes a firm foundation for maturing and growing cyber incident response.
  • Prepare2 - It is important to establish a pattern of preparation, not only so that the organization is ready in the event of an incident, but also ensuring that information systems, networks and applications are secured to standards.
  • Detect & Analyze3 - One hundred percent of all major cyber incidents start out as events on a system. Establishing proper reporting channels, and identifying common cyber incident information will enhance the defensive playbook’s effectiveness.
  • Contain, Eradicate, and Recover4 with a purpose - Ensure the appropriate actions are taken by considering the purpose set forth by the organization’s legal, business, and otherwise executive stance for containment, eradication, and recovery of systems.

The Follow Through

Performing all of these to some degree will help overall cyber incident response effectiveness. This last point is the “pivot and rotate” part of the swing. It is one of the most elusive aspects of incident response and the most often omitted.

  • Post-Incident Activity5 - Learn and evolve processes, configurations, and documentation to reflect newly learned information enhancing prevention capabilities.

Leveraging newly learned information and evolving all of these key elements is the follow through. Understanding the current capability, evaluating its current effectiveness, and obtaining a custom roadmap that defines development milestones is truly stepping up to bat. Just like you would take advice from your coach back in youth baseball, you can start to follow through by taking a free self-assessment today.



[1] NIST 800-61 Revision 2. Computer Security Incident Handling Guide. Pg 6-19, 1. National Institute of Standards and Technology. 2012

[2] NIST 800-61 Revision 2. Computer Security Incident Handling Guide. Pg 21-23, 1. National Institute of Standards and Technology. 2012

[3] NIST 800-61 Revision 2. Computer Security Incident Handling Guide. Pg 25-33, 1. National Institute of Standards and Technology. 2012

[4] NIST 800-61 Revision 2. Computer Security Incident Handling Guide. Pg 35-37, 1. National Institute of Standards and Technology. 2012

[5] NIST 800-61 Revision 2. Computer Security Incident Handling Guide. Pg 38-41, 1. National Institute of Standards and Technology. 2012

Http://dx.doi.org/10.6028/NIST.SP.800-61r2