
Incident Response: Three more factors critical for efficient IR

6 Jan 2021 | Andreas van Leeuwen Flamino and Kamal Rajan

In our Top 3 Most Critical Ways to Prepare for a Cyber-Security Incident blog, we covered three key factors to consider when preparing for Incident Response activities. They are:

  • Management buy-in
  • An incident response plan
  • Telemetry

In this post, we will cover three additional factors:

  • The asset inventory
  • Tabletop exercises
  • Logs

An up-to-date asset inventory

Key objectives in every IR are to identify how a threat actor gained their initial foothold, and establish which hosts are compromised. This will help the IR team qualify and quantify the breach, prioritise containment actions, and recommend steps to eradicate the attacker from the environment.

Our experience shows that most organisations do not have an up-to-date asset inventory, lacking a formal process for updating the asset inventory after changes in the environment. We commonly experience situations where:

  • The provided network diagram does not represent the current status of the network infrastructure. Instead, it reflects a future state or one of months or years ago.
  • IT teams don’t properly document legacy systems with unpatched vulnerabilities in the list of currently active systems in the IT infrastructure.

Of course, in larger organisations hosts get added and decommissioned on an ongoing basis, making it difficult to provide an up-to-date asset inventory. But it is better to have one that is as close to the current state as possible than not to have a proper process to maintain one at all.

Shadow IT, where departments or individual employees set up their own infrastructure to meet their objectives, poses another major challenge in maintaining an asset inventory. Some examples are:

  • A team that installs a wireless access point with easy-to-break security controls, without informing the central IT department.
  • Unhardened testing environments that are connected to the Internet by third parties or internal employees, exposing credentials.
  • Third parties having undocumented or unhardened remote access.

In the event of a major breach, everyone is under pressure to help contain the breach as quickly as possible, so having an up-to-date asset inventory is something you want to prepare ahead of identifying a breach.

In a nutshell, if you don’t know what hosts or network devices you have and what is stored on them, it is difficult to conclude an IR with confidence. The attacker may have other easy ways back into the environment unknown to you or the IR team, even if the primary entry point has been identified.
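The following is an added example, not part of the original post: one way to reconcile an inventory export against hosts actually observed on the network (for example from DHCP leases or flow records), so undocumented devices and outdated entries surface before an incident. The CSV columns, sample hosts and the 90-day threshold are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data: an inventory export and a list of observed hosts.
INVENTORY_CSV = """hostname,mac,owner,last_reviewed
web01,00:11:22:33:44:01,IT,2020-12-01
db01,00:11:22:33:44:02,IT,2020-11-15
legacy-erp,00:11:22:33:44:03,Finance,2019-03-10
"""
OBSERVED_CSV = """mac,ip,last_seen
00:11:22:33:44:01,10.0.0.11,2021-01-05
00:11:22:33:44:02,10.0.0.12,2020-08-01
00:11:22:33:44:99,10.0.3.50,2021-01-06
"""

def load(text, key):
    """Index CSV rows by a lower-cased key column."""
    return {row[key].lower(): row for row in csv.DictReader(io.StringIO(text))}

def parse_day(value):
    return datetime.strptime(value, "%Y-%m-%d")

def reconcile(inventory_csv, observed_csv, today, stale_days=90):
    inv = load(inventory_csv, "mac")
    obs = load(observed_csv, "mac")
    cutoff = today - timedelta(days=stale_days)
    report = {"undocumented": [], "not_seen": [], "review_overdue": []}
    # Hosts on the network that nobody documented (shadow IT candidates).
    for mac, row in obs.items():
        if mac not in inv:
            report["undocumented"].append((mac, row["ip"]))
    for mac, row in inv.items():
        seen = obs.get(mac)
        # Inventory entries with no recent network presence: decommissioned,
        # moved, or sitting on a segment the telemetry does not cover.
        if seen is None or parse_day(seen["last_seen"]) < cutoff:
            report["not_seen"].append(row["hostname"])
        # Entries nobody has reviewed within the threshold.
        if parse_day(row["last_reviewed"]) < cutoff:
            report["review_overdue"].append(row["hostname"])
    return report

if __name__ == "__main__":
    print(reconcile(INVENTORY_CSV, OBSERVED_CSV, datetime(2021, 1, 6)))
```

A `not_seen` entry is a prompt to investigate rather than proof that a host is gone, since it may sit on a segment with no telemetry.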

Tabletop Exercises

Tabletop Exercises (TTX) are discussion-based simulated scenarios where the participants are required to play through their roles as if it were an actual incident. By discussing the scenario in advance, CISOs and other IR team members can identify flaws or gaps in the organisation's response readiness and make improvements.

Tabletop Exercises are an excellent way to test the Incident Response Plan (IRP), make sure that all key stakeholders are aware of their responsibilities, and what type of decisions they will need to take in the situation of an actual incident.

By going through a realistic attack scenario, where the TTX leader injects new facts that continue building the pressure, areas for improvement of the plan will surface.

Communication lines, decision points and decision authority are best tested ahead of an actual incident. Especially in large organisations where key departments may be more siloed, a TTX often proves invaluable.

The biggest benefit of a TTX is that it starts creating muscle memory because it forces the stakeholders to jointly start thinking about the best course of action to take when a certain scenario needs to be addressed, by identifying the gaps between documented responses and actual actions taken.


Logs

Last but certainly not least is the importance of having logs. Detailed and relevant logs need to be collected for all key assets. These logs need to follow a consistent format, and if at all possible, they need to be sent to a central location for correlation, or at the very least, safe storage.

Your business-critical services, servers and Internet-facing systems are the most vulnerable to attack. They are usually referred to as crown jewels. For your crown jewels, make sure that the following recommendations are followed with regards to logs:

  • Relevant logs are being written.
  • The logs are properly configured and formatted, and include key information that is easy to analyse.
  • The logs are centrally stored and correlated, or at least backed up on a different system, so an attacker can’t easily tamper with or delete them.
  • The fields are consistent across server types. For example, the fields logged by different web servers of the same type should be consistent across all web servers.
  • All systems synchronise their system time using a Network Time Protocol (NTP) server.
  • The retention period of logs should be good enough to support an incident investigation. A minimum of 180 days is recommended, if possible.

The great thing about ensuring the presence of well-formed, properly time-synced logs is that it is not expensive to set up.
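The following is an added example, not part of the original post: a small audit over events held by a central collector that checks three of the recommendations above (consistent fields per server type, time synchronisation, and at least 180 days of history). The JSON event layout, host names and the 60-second skew threshold are assumptions constructed for illustration; skew is estimated from the gap between the host's timestamp and the collector's receive time, assuming transport delay is small.

```python
import json
from datetime import datetime, timedelta

# Constructed sample: "ts" is the host's own clock, "received" is the
# collector's clock (assumed to be NTP-synchronised).
EVENTS = """
{"host":"web01","type":"web","ts":"2020-06-01T10:00:00","received":"2020-06-01T10:00:01","src_ip":"203.0.113.5","uri":"/","status":200,"user_agent":"curl"}
{"host":"web01","type":"web","ts":"2021-01-05T09:00:00","received":"2021-01-05T09:00:01","src_ip":"203.0.113.9","uri":"/login","status":302,"user_agent":"Mozilla"}
{"host":"web02","type":"web","ts":"2020-12-20T08:00:00","received":"2020-12-20T08:07:30","src_ip":"198.51.100.7","uri":"/","status":200}
{"host":"web02","type":"web","ts":"2021-01-05T09:10:00","received":"2021-01-05T09:17:31","src_ip":"198.51.100.8","uri":"/admin","status":403}
"""
META = {"host", "type", "ts", "received"}  # envelope keys, not log fields

def audit(events_text, today, min_retention_days=180, max_skew_s=60):
    hosts = {}
    for line in events_text.strip().splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        skew = abs((datetime.fromisoformat(ev["received"]) - ts).total_seconds())
        h = hosts.setdefault(ev["host"], {"type": ev["type"], "fields": set(),
                                          "oldest": ts, "max_skew": 0.0})
        h["fields"] |= set(ev) - META
        h["oldest"] = min(h["oldest"], ts)
        h["max_skew"] = max(h["max_skew"], skew)
    # The union of fields seen per server type is the baseline for that type.
    baseline = {}
    for h in hosts.values():
        baseline.setdefault(h["type"], set()).update(h["fields"])
    findings = {}
    for name, h in sorted(hosts.items()):
        issues = []
        missing = baseline[h["type"]] - h["fields"]
        if missing:
            issues.append("missing fields: " + ",".join(sorted(missing)))
        # Oldest stored event approximates how far back an investigation can go.
        if today - h["oldest"] < timedelta(days=min_retention_days):
            issues.append("retention below %d days" % min_retention_days)
        if h["max_skew"] > max_skew_s:
            issues.append("clock skew %.0fs" % h["max_skew"])
        findings[name] = issues
    return findings

if __name__ == "__main__":
    print(audit(EVENTS, datetime(2021, 1, 6)))
```

A recently deployed host will also trip the retention check, so read that finding alongside the host's commissioning date.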

Even if the only action you take after reading this article is preparing an inventory of your key servers, services and workstations and ensuring that proper logs are being written and stored, you will greatly benefit from this during your next security incident.

In a future blog, we will cover the differences between an IR in an OT (Operational Technology) context compared to an IT context.

© Digital14. All rights reserved.