Today, we will discuss "Global Incident Awareness". I will split this topic into two parts: First of all, if you are part of an organization with offices in multiple countries, what resources do you use to understand how to deal with incidents in various areas of the world, and are there any particular tricks you use to communicate and stay in touch? Secondly, what tools / websites do you use to stay in touch with the world around you. This includes incidents outsides of cyber space that may affect your network operations (earth quakes, political unrest ...).
As before, please use our contact page to submit your suggestions. I will update this page a couple times today as submissions are received.
Reader Liam wrote in with the following recommendations for a global organisation:
One of the first tasks that we had performed was to conduct a global skills assessment for each country in the areas of computer forensics, malware analysis, incident response, etc. This information was used to define a core group of subject matter expert contacts from each region that participate in regular mock incident exercises and training scenarios focusing on sharing best practice ideas allowing us to move away from teams working in silos where there is no effective process of data capture and sharing of best practice or the opportunity to learn from mistakes in a blame-free environment.
For global communications we are using an incident paging service for instant global communication relating to incident notification. Early on in the mock incident exercises, we discovered that using a crisis line proved difficult for many of the team members in regions that do not have access to dial international numbers from their home or mobile. It was also noted that the level of participation on the calls was somewhat limited due to possible language barriers and cultural differences. We were successfully able to address these issues by using web conferencing from WebEx which was already used by the company for conducting regular web meetings.
Using web conferencing communication quickly removed the difficulties with conducting the phone calls and provided a few other benefits such as:
- The website which is accessible from any internet connection provides a chat option that makes it easier to communicate with each other preventing background noise, dropped calls, poor connections and possible language barriers.
- The limited participation on the phone calls was greatly reduced when using the chat option as participants were more open to contributing.
- The ability to share/view the desktop of the impacted regions made it much easier to understand what the details of the incident were.
- The chat option provided a simple archive/transcript of events and ideas that can be used for follow up and during the lessons learned phase.
- sessions can be set up in a matter of minutes and allow you to view who has joined the conference, preventing the confusion that can occur with a telephone crisis call with trying to conduct a periodic role call to see if certain individuals have joined.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
I will be teaching next: Intrusion Detection In-Depth - SANS Boston Summer 2019