Top 3 Most Critical Ways to Prepare for a Cyber-Security Incident
16 Nov 2020 | Andreas van Leeuwen Flamino and Kamal Ranjan
Most companies need third-party professional help to respond to a cyber-security incident effectively. However, it is challenging for most to identify a trusted organisation with a qualified team of experts who can react appropriately whilst protecting sensitive corporate and attack-related information. At Digital14, we have a strong team of IR consultants that is called in to lead IR engagements on a regular basis. Our IR retainer clients have a hotline they can contact, and we get called many times each year. As such, we have plenty of experience to draw from.
Getting the following three factors right makes the difference between a quick resolution and eradication, and a longer, costlier IR without a satisfactory resolution.
Overall, the most critical factor is C-level executive buy-in to support an IR. This is crucial because we often encounter situations where security leadership, including the CISO, technical team leads and administrators, is hesitant to provide us with a properly completed IR scoping questionnaire. The IR scoping questionnaire is the single most important document: it gives your team the opportunity to share the most relevant details ahead of the project and enables the IR team to draw up the most effective plan of action quickly.
With C-suite cooperation and support, the rest of the organisation will provide the IR team with details without the typical hesitation and delay, allowing them to go to work using the most efficient approach. The best thing about this is that it doesn’t cost any money.
If you need help gaining management buy-in, we can assist you. Depending on your current needs, we can help you with an Incident Response Readiness engagement, an Incident Response Plan, or Tabletop Exercises, involving all relevant stakeholders while preparing your organisation for an effective IR. The outcome of these exercises is usually a fully supportive C-suite and board.
Benjamin Franklin is quoted as saying, “If you fail to plan, you are planning to fail”. This is absolutely true of Incident Response. A solid and up-to-date Incident Response Plan (IRP) documents the phases of the incident response lifecycle. It requires looping in the relevant stakeholders to agree on:
Once an incident takes place, all stakeholders can refer back to the Incident Response Plan and follow the guidelines relevant to their roles.
For improved preparation, your Incident Response Plan must be tested periodically in the context of a tabletop exercise. This allows the organisation to progress from a plan to building muscle memory.
Another vital area for effective IR engagements is having enough visibility of host and network data. In many organisations, this is still lacking, leading to many hours being spent on manual analysis on a host-by-host basis.
For host data, many EDR technologies on the market give your internal security staff and external IR teams the ability to poll every host efficiently for the key information an effective IR depends on.
For network data, we recommend implementing a Network Security Monitoring (NSM) solution at the very least, which captures metadata and stores it for an extended period. This is relatively inexpensive to set up and will prove invaluable when the IR team is tasked with investigating a breach and may need to dig into historical network events.
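To show what retained NSM metadata gives an IR team, here is an added example (not Digital14's tooling): a small reader for Zeek-style conn.log records that answers the typical question "which internal hosts talked to this external address, when, and how much did they send?", and reports the retention horizon so the analyst knows what the evidence cannot show. The log lines, addresses and retention period are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample conn.log (tab-separated, Zeek-style field order).
# Columns: ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto duration orig_bytes resp_bytes
CONN_LOG = (
    "1604102400.000\tC1\t10.0.1.15\t51234\t203.0.113.7\t443\ttcp\t12.5\t820\t4096\n"
    "1604188800.000\tC2\t10.0.1.22\t49222\t203.0.113.7\t443\ttcp\t300.1\t51200\t1024\n"
    "1604275200.000\tC3\t10.0.1.15\t51300\t198.51.100.9\t80\ttcp\t0.4\t120\t560\n"
    "1605225600.000\tC4\t10.0.2.5\t40000\t203.0.113.7\t8443\ttcp\t7200.0\t900000\t2048\n"
)

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "duration", "orig_bytes", "resp_bytes")
CASTS = (float, str, str, int, str, int, str, float, int, int)


def parse_conn_log(text):
    """Parse conn.log lines into dicts; '#' header/comment lines are skipped."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = {k: cast(v) for k, cast, v in zip(FIELDS, CASTS, line.split("\t"))}
        rec["ts"] = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        conns.append(rec)
    return conns


def hosts_contacting(conns, indicator, now_iso, retention_days):
    """Connections to `indicator` inside the retention window.

    Returns (matches, horizon). Anything before `horizon` would already have
    aged out of a real NSM store, so the caller can state that gap explicitly
    instead of concluding 'no contact' from absent data.
    """
    now = datetime.fromisoformat(now_iso)
    horizon = now - timedelta(days=retention_days)
    matches = [c for c in conns if c["resp_h"] == indicator and c["ts"] >= horizon]
    return sorted(matches, key=lambda c: c["ts"]), horizon


def bytes_sent_per_host(matches):
    """Outbound byte volume per internal host, a first cue for possible data theft."""
    totals = {}
    for c in matches:
        totals[c["orig_h"]] = totals.get(c["orig_h"], 0) + c["orig_bytes"]
    return totals
```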
Deploying the right host and network telemetry solutions requires planning and roll-out effort, and it does cost money. But if you have been breached before and have lost business-critical information and money as a result, investments in telemetry become a lot easier to justify.
Digital14 can assist you with recommendations, design and implementation of the right telemetry solutions for your organisation. We can also run a one-time or continuous threat assessment for you. In such engagements, we bring our own telemetry tools, and you can get a firsthand perspective on the types of threats that are already present in your infrastructure, and how a telemetry solution can help you identify them.
Of course, there are many more factors that can greatly improve efficiency during an Incident Response. Our next three factors are: up-to-date asset inventory, logs, and tabletop exercises.
I’ll jump into these in more detail in a future post.