Given today’s escalating and evolving risk landscape, cyber risk is top of mind for enterprises of all sizes and across every industry, leading to a steady increase in more sophisticated, centralized and optimized cybersecurity tools. According to a recent Gartner report, by 2022, 50% of all security operations centers (SOCs) will mature their security platforms to incorporate integrated incident response, threat intelligence and threat hunting capabilities, up from less than 10% in 2015 [1]. Not only is it important to proactively prepare for incidents in order to avoid them, but it is also critical for companies to return to business as usual as quickly, smartly and securely as possible. These six steps are key incident response considerations that will help you reach more immediate and thorough resolution.
1. Look at the anatomy of your attack
One of the most important things you can do after a technical incident has occurred is to understand it from the highest level and with as much clarity as possible.
After an incident, people love to get their fingers on a keyboard. They’re like kids with fun new gadgets, eager to find information that will help them “fix” their situation. However, this is not the most efficient way to begin an incident response engagement. As your first responders embark on their post-incident investigation, they should encourage everybody on the scene to take a step back. At this initial point, they should not be mitigating anything. All they should be doing is trying to understand their adversarial situation. Are they dealing with an internal or external bad actor? Is the incident accidental or a more complicated situation that requires detailed forensics?
You will want to look at the characteristics of the data, as they can often guide you toward a more streamlined and controlled resolution. Information such as the company’s association with the person or group responsible may be very important. Are there prescribed tools or remedies that you can quickly deploy? It’s important to determine how deeply you need to dig into the organization to discover how far the technical incident has reached, and to determine how the breach will impact the company’s most valuable data.
You will also want to determine if the incident involves lateral movement. Lateral movement (or spread of the incident) can often be even more damaging. Nearly 60% of attacks now involve lateral movement, which means bad actors aren’t only going after one component of an organization. They’re getting in, moving around and seeking as many targets as they can reach [2]. Incident response involves looking deep and wide and then deeper and wider. It is a methodical process that requires careful examination of your data across all of your endpoints.
2. Plan and prepare
When it comes to incident response preparation, you will want to be sure you include more than just your IT and security personnel. Decisions may potentially need to be made right away—beyond merely stopping a technical incident—which is why you will want to involve other company stakeholders, including your CFO and CIO.
One of the best ways to prepare your first responder team is to run a series of tabletop exercises. These exercises have evolved over the years to become as sophisticated and surreptitious as your threats. Five to ten years ago, tabletop exercises involved sitting in front of a whiteboard or a PowerPoint presentation and asking your first responder team to name the types of technical incidents your company might face. For instance, you might have an employee exfiltrating data on a USB drive. And then you might go through a scenario involving ransomware or denial of service. Early tabletop exercises were often boring and ineffective because they did not allow response teams to feel the sense of urgency that would occur during an actual event. Today’s tabletop exercises involve actually creating a real-life situation in a controlled environment. During these engagements, your designated first responder team will be responding to a very realistic simulated event—often under the guidance of highly trained cybersecurity advisors.
Your first responder team, and various parts of your organization, will be unaware that the event is simulated, while others within your company will know the truth. This is not meant to “trick” your first responders. It is simply meant to prepare them in all the ways they will need to be ready should an actual technical incident occur.
3. Take time for preservation
During the initial stage of an incident, it is important to respond in a timely way. However, it is equally important to take control of the aspects of your investigation that will preserve potentially relevant data. This might mean carving out an extra 20 minutes to image data you find or taking time to look at impacted servers. Not all technical incidents lead to forensic investigations or litigation, but when they do, you will want to be sure the actions you take—and the data you find and preserve—are defensible in court. It’s important to remember that you will need to adhere to national policies and best practice guidelines to ensure evidence admissibility. Digital evidence is easily altered if not handled properly. That is why it can be helpful to engage professionals who are highly trained and expertly certified in these areas. Digital collection not only involves technical know-how, but it also requires knowledge of the laws pertaining to the found data.
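One way to make the preservation step above checkable, as an added example that is not from the original article: each imaged artifact is hashed at collection time and the record appended to a chain-of-custody manifest, so any later alteration is detected when the evidence is re-verified. The file names, manifest format and responder name are constructed assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_evidence(path, collector, manifest):
    """Append a collection record (what, who, when, hash) to the manifest."""
    entry = {
        "file": os.path.basename(path), "size": os.path.getsize(path),
        "sha256": sha256_file(path), "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest, "a", encoding="utf-8") as m:
        m.write(json.dumps(entry) + "\n")
    return entry

def verify_evidence(path, manifest):
    """True only if the manifest records this file and its hash still matches."""
    name = os.path.basename(path)
    with open(manifest, encoding="utf-8") as m:
        entries = [json.loads(line) for line in m if line.strip()]
    recorded = [e["sha256"] for e in entries if e["file"] == name]
    return bool(recorded) and sha256_file(path) == recorded[-1]

def demo():
    """Constructed scenario: image a file, verify it, alter one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "server01-disk.img")  # constructed sample artifact
        manifest = os.path.join(tmp, "custody.jsonl")   # assumed manifest name
        with open(image, "wb") as f:
            f.write(b"MBR\x00" * 1024)
        record_evidence(image, "responder-a", manifest)
        intact = verify_evidence(image, manifest)
        with open(image, "r+b") as f:                   # mishandled evidence: one byte changes
            f.seek(7)
            f.write(b"X")
        return intact, verify_evidence(image, manifest)

if __name__ == "__main__":
    print(demo())
```

The size field stays identical after the single-byte change, which is why the manifest relies on the hash rather than on size or timestamps to prove the image is unaltered.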
4. Maintain discrete workstreams
In addition to preserving the data or digital evidence properly, you will want to maintain separate workstreams that include both deep and lateral mitigation.
Initially, you will want to isolate the affected area(s) the best way you can so you are able to mitigate any potential expansion, or spread, of the technical incident. You will likely need multiple workstreams—each laddering up to the first 30 to 40 minutes after the event. Some areas may take several hours to investigate. Others could take a day or longer. Once you have identified separate workstreams and mitigated the spread of risk, you will need to go deeper. This may be the time to run dark web searches to see if you recognize any connection to your company’s incident. Search for clues such as:
Once you gather more knowledge, you can conduct interviews with strategic members within the organization—HR, compliance, accounting and sales. Here, you may discover critical pieces you missed during the initial phases of your investigation.
Knowing the answers to some of those questions will help you determine the key “lessons learned,” which can lead to generating policies, procedures and recommendations to ensure this type of technical incident will not happen in the same way again.
5. Be proactive whenever possible
Even though it may sound counterintuitive, the more proactive you can be with incident response planning, the better. You may want to encourage or even mandate a regular cadence for communications between HR, legal, compliance and IT. Why? HR has pertinent employee information that could potentially lead to an incident. They know who is getting married, who got divorced, who didn’t get the raise they’d hoped for, etc. IT knows who has access to applications at specific levels and who is habitually breaking their computer or logging in from places outside the organization. Legal has deep and broad knowledge of data protection requirements, as well as data identification and practices the company should follow. And compliance is well versed in policies. They know who can plug in a USB drive, copy data onto their OneDrive, etc. When these departments communicate regularly, there is an important exchange of information that supports a proactive approach at the highest level.
Having a topology diagram can also help foster proactivity. This will show you where your company’s standard servers, storage, applications and databases reside—and what type of data is housed within each area. Providing the appropriate level of protection for the most valued data, and accepting the associated risk on all other repositories, will help you prioritize what to protect and how.
6. Look to certified experts
Engaging an organization with skilled, trained and vetted first responders can be a helpful way to secure your organization. You can also rely on such an organization to provide your designated first responder team with essential training. Working with a team of expert security consultants can help you identify potential risks, rate the importance of those risks, and mitigate risks wherever possible.
By boosting your incident response planning and preparation, you are strengthening your company’s security posture and ensuring a return to business as usual ASAP should an incident occur.