FIEGE Group is a specialist in contract logistics, digital services, real estate and ventures. With a turnover of more than 1.9 bn € and more than 23,000 employees, FIEGE's strategic approach is to establish all key functions in-house. For that reason FIEGE's internal Cyber Defense Center (CDC) went live at the beginning of 2022. In this article I would like to look back at the first 12 months of our work and share our learnings with you, in order to support you in your day-to-day business.
Information security is achieved through the combined efforts of a variety of professionals, from network security experts and penetration testers to regulatory and risk management specialists. Nevertheless, it's the incident response process that seems to me to be the most significant of all the facets of information security. In the case of a deliberate hacker attack, it doesn't matter how sophisticated your compliance methodology is: it will only be a matter of minutes, and the steps you take must be very precise. As with real war (any book on the art of warfare, from Sun Tzu to contemporary military tactics textbooks, will tell you this), precaution is decisive.
If you are going to launch your own Cyber Defense Center (CDC) or Security Operations Center (SOC) with SIEM technology as a core element, here are my observations:
1. You have to establish basic IT controls first. Don't start by buying fancy shit before you are able to maintain your CMDB, your change management routine and, last but not least, patch management! Many European mid-size companies are simply not ready for a SIEM. Please do all those boring things upfront, otherwise you'll get no added value from your advanced security technologies.
2. Please don't neglect expectation management! You need support from your Executive Board, and you have to outline the goals of your CDC in advance. A proper incident response unit requires a lot of resources, and the organization must be capable of providing them. Make sure you really have your CEO's commitment before you start. Put your plans in writing and let the Executive Board enforce them.
3. Threat intelligence is key: you need to be one step ahead of your adversary. Gain a clear understanding of your attack surface and possible attack vectors. Use all kinds of cyber threat intelligence, from open source information and CTI vendors to darknet market monitoring and IOCs applied to the relevant cyber kill chains. Mind your subsidiaries, external interfaces and VPN access for third parties, and both internal and external threats.
4. Cyber security threat detection: the problem you'll be facing is not hidden hazards (if you did the previous point right), but the huge amount of alerts and vulnerabilities you will get. The art lies in prioritizing them and identifying false positives. Moreover, you will need business support for handling the findings in a timely way. The most obvious example is the downtime caused by patches you might request if you don't have zero downtime patching (ZDP) in place.
5. A security breach can result in a crisis for the whole company, which is why you have to establish communication channels with all your stakeholders, e.g. the legal department, the insurance manager, operational units in the field and the Executive Board. In particular, you need a "wake the president" function: a threshold value (money, business downtime, a major compliance breach, whatever) from which point on the CEO is involved. Communication with the customer is another sensitive issue, mostly possible only with the approval of the Board.
6. Realizing your limits is the key to success in the final phase of the incident response process. Let's assume the worst: you have ruled out false positives and come to the conclusion that a real, well-designed and well-prepared cyberwar is being waged against you. In this case you have to decide whether you have already experienced this type of attack or not. If you have, you will have scenarios that have already been tried in practice and you can manage it on your own. If not, you should immediately involve a service provider with the required expertise.
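As an added illustration (not FIEGE's code, and not part of the original article), the following Python sketch ties points 1, 3, 4 and 5 together: it ranks SIEM alerts by asset criticality taken from a CMDB, boosts alerts that match CTI indicators, suppresses known false positives, and flags alerts that cross a "wake the president" threshold. The CMDB entries, IOC set, suppression list and threshold are all constructed sample values.

```python
from dataclasses import dataclass, field

# Constructed sample data. In a real CDC the CMDB supplies asset criticality (point 1)
# and the CTI feed supplies the IOC set (point 3); these are assumptions for the example.
ASSET_CRITICALITY = {"erp-db-01": 5, "wms-app-02": 4, "hr-laptop-17": 2, "kiosk-09": 1}
KNOWN_IOCS = {"198.51.100.23", "evil-update.example"}  # constructed, documentation ranges only
# Known false-positive (source, rule) pairs, maintained by the analysts over time (point 4).
SUPPRESSED = {("vuln-scanner-01", "port_scan")}
# The "wake the president" threshold (point 5); constructed value, tune to your own risk appetite.
ESCALATION_THRESHOLD = 15

@dataclass
class Alert:
    source: str              # host that triggered the alert
    rule: str                # detection rule name in the SIEM
    indicator: str = ""      # IP or domain seen in the event, if any
    base_severity: int = 1   # 1 (low) .. 5 (critical), as reported by the SIEM

@dataclass
class Triage:
    score: int
    suppressed: bool
    escalate_to_board: bool
    reasons: list = field(default_factory=list)

def triage(alert: Alert) -> Triage:
    """Score one alert using CMDB criticality and CTI matches, and flag board escalation."""
    if (alert.source, alert.rule) in SUPPRESSED:
        return Triage(score=0, suppressed=True, escalate_to_board=False,
                      reasons=["known false positive"])
    reasons = []
    criticality = ASSET_CRITICALITY.get(alert.source, 3)  # unknown asset: assume medium
    if alert.source not in ASSET_CRITICALITY:
        reasons.append("asset missing from CMDB")         # a point-1 hygiene gap, made visible
    score = alert.base_severity * criticality
    if alert.indicator in KNOWN_IOCS:
        score += 5
        reasons.append("matches CTI indicator")
    escalate = score >= ESCALATION_THRESHOLD
    if escalate:
        reasons.append("above board escalation threshold")
    return Triage(score=score, suppressed=False, escalate_to_board=escalate, reasons=reasons)

def triage_queue(alerts: list) -> list:
    """Return (alert, triage) pairs for non-suppressed alerts, highest score first."""
    ranked = [(a, triage(a)) for a in alerts]
    ranked = [r for r in ranked if not r[1].suppressed]
    return sorted(ranked, key=lambda r: r[1].score, reverse=True)
```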
Of course, a company's real readiness for a cyber attack is multi-layered. You need an interface to your Business Continuity Management (BCM) plans to keep your operations running even during the crisis. You need a risk management program as a prerequisite for cyber incident response activities. After the incident, several lessons-learned sessions should be held. It's important to examine the past incident from the outside: the lessons-learned sessions should not be conducted by the same people who were directly involved in the mitigation routine. The incident manager who was in charge will never see the elephant in the room. If you have built your incident response in accordance with the three-lines-of-defense model, the head of the second line may be the right person to evaluate the improvement measures for next time.
A journey of a thousand miles begins with a single step. Learning by doing is the only approach that works. You should just start making your organization ready; it's the most important mission of each and every CISO. Many aspects were left out of this article; unfortunately, we did not talk about the blue team and red team confrontation. But I nevertheless hope that my article may have been useful to someone who is just planning to start their own CDC.