Cyber Crisis Response

Leveraging the SONAR Method™ to Accelerate Response and Recovery

Andrew and Chris worked together at a leading cybersecurity company. They successfully employed the concepts described in The SONAR Method™ framework to assist major clients in responding to and recovering from a cyber crisis. We organized the book into six sections, including a section to define a crisis and then the five phases according to The SONAR Method. This book reflects our experience using this method. The six sections are as follows:

Section 1 – Defining a Cyber Crisis (Chapters 1-5) – defines fundamental concepts underpinning crisis response, including a cyber crisis definition and defining crisis parameters. This section also provides an overview of the threat landscape and some essential guidance for organizations that want to build crisis response capabilities.

Section 2 – Stabilize (Chapters 6-9) – shows how to stop the bleeding so you can properly activate the Crisis Response Team. This phase focuses on the initial decisions during a cyber crisis to contain an event and prevent its exacerbation in your IT environment. We discuss how to stabilize the initial chaos when a crisis event occurs and get the situation under control. However, stopping the bleeding is just the first step in the response process.

Section 3 – Organize (Chapters 10-15) – demonstrates how to organize a crisis response, including setting up technical and business teams, the role of executive management in the response process, crisis management and coordination, and response planning and execution. We conclude this phase with an overview of breach response investigations and remediation and recovery considerations.

Section 4 – Negotiate (Chapters 16-19) – reveals how to negotiate with key stakeholders, especially with conflicting priorities and activities. This section also touches on negotiation with a threat actor and aligning responses to business priorities to ensure everyone works in concert towards the same goals. In the Negotiate phase, you sit down with other leaders behind closed doors and agree on concrete actions to control the crisis.

Section 5 – Articulate (Chapters 20-25) – As part of the Articulate phase, you must communicate decisions and actions to internal stakeholders, provide clear direction, articulate roles and responsibilities, and ensure everyone is marching in the same direction. Furthermore, you must also communicate with external stakeholders where appropriate. Otherwise, a negative perception will amplify the crisis and cause your organization a Public Relations nightmare.

Section 6 – Remediate (Chapters 26-30) – The last phase in The SONAR Method framework is to remediate the compromised network and recover your systems to an operational and secure state. This part will guide you through considerations and approaches to eradicating the threat actor from the compromised network and securely recovering systems so the actor cannot easily return to continue their operations.

Note that the Remediate part of the SONAR framework is an overarching term encompassing the remediation of security weaknesses that led to a crisis, system restoration, and recovering the impacted environments to an operational state.

The framework may appear linear at first. However, you should use it iteratively and incrementally when responding to a crisis.

Crisis response is often a messy and convoluted process. The purpose of this framework is to provide you with a structure and guidelines to handle a cyber crisis event. However, feel free to tailor the framework to your response needs. Apply your judgment and critical thinking and leverage the framework based on your unique context.

Your content goes here. Edit or remove this text inline or in the module Content settings. You can also style every aspect of this content in the module Design settings and even apply custom CSS to this text in the module Advanced settings.