Responding to a critical cyber incident can be an incredibly stressful and intense time. While nothing can fully alleviate the pressure of dealing with an attack, understanding these key tips will help give your team advantages when defending your organization.
When an organization is under attack, every second matters.
There are a few reasons why teams may take too long to react. The most common is that they don’t understand the severity of the situation they find themselves in. That lack of awareness leads to a lack of urgency.
Attacks tend to hit at the most inopportune times: holidays, weekends, and in the middle of the night. Since most incident response teams are significantly understaffed, this can understandably lead to a “we’ll get to that tomorrow” attitude. Unfortunately, tomorrow may be too late to do something to minimize the impact of the attack.
Overwhelmed teams are also more likely to react slowly to indicators of attack because they suffer from alert fatigue. Signals get lost in the noise. Even when a case is initially opened, it may not be correctly prioritized due to a lack of visibility and context. This costs time, and time is not on a defender’s side when it comes to incident response.
Even in situations where the security team is aware that they are under attack and something needs to be done immediately, they may not have the experience to know what to do next, which also makes them slow to respond. The best way to combat this is by planning for incidents in advance.
When it comes to incident response, it’s not enough to only to treat the symptoms. It’s important to treat the disease as well.
When a threat is detected, the first thing to do is triage the immediate attack. This could mean cleaning up a ransomware executable or a banking Trojan or blocking the exfiltration of data. However, teams will stop the initial attack but not realize they haven’t really solved the root cause.
Successfully removing malware and clearing an alert doesn’t mean the attacker has been ejected from the environment. It’s also possible that what was detected was only a test run by the attacker to see what defenses they’re up against. If the attacker still has access, they’ll likely strike again, but more destructively.
Incident response teams need to ensure they address the root cause of the original incident they mitigated. Does the attacker still have a foothold in the environment? Are they planning to launch a second wave?
Incident response operators who have remediated thousands of attacks know when and where to investigate deeper. They look for anything else attackers are doing, have done, or might be planning to do in the network and neutralize that, too.
While navigating an attack, nothing makes defending an organization more difficult than flying blind. It’s important to have access to the right high-quality data. This makes it possible to accurately identify potential indicators of attack and determine root cause.
Effective teams collect the right data to see the signals, can separate the signals from the noise, and know which signals are the most important to prioritize.
Limited visibility into an environment is a sure-fire way to miss attacks. Over the years, many big-data tools have been brought to market to try to solve this specific challenge. Some rely on event-centric data like log events, others utilize threat-centric data, and others rely on a hybrid approach. Either way, the goal is the same: collect enough data to generate meaningful insights for investigating and responding to attacks that would otherwise have been missed.
Collecting the right high-quality data from a wide variety of sources ensures complete visibility into an attacker’s tools, tactics, and procedures. Otherwise, it’s likely only a portion of the attack will be seen.
Fearing they won’t have the data they need to get the full picture of an attack, some organizations (and the security tools they rely upon) collect everything. However, they’re not making it easier to find a needle in a haystack; they’re making it harder by piling on more hay than is necessary. This not only adds to the cost of data collection and storage, but it also creates a lot of noise, which leads to alert fatigue and time wasted chasing false positives.
There’s a saying among threat detection and response professionals: “Content is king, but context is queen.” Both are necessary to run an effective incident response program. Applying meaningful metadata associated to signals allows analysts to determine if such signals are malicious or benign.
One of the most critical components of effective threat detection and response is prioritizing the signals that matter the most. The best way to pinpoint the alerts that matter the most is with a combination of context provided by security tools (i.e., endpoint detection and response solutions), artificial intelligence, threat intelligence, and the knowledge base of the human operator.
Context helps pinpoint where a signal originated, the current stage of the attack, related events, and the potential impact to the business.
No organization wants to deal with breach attempts. However, there’s no substitute for experience when it comes to responding to incidents. This means that the IT and security teams often tasked with high-pressure incident response are thrown into situations that they simply don’t have the skills to deal with—situations that often have a massive impact on the business.
The lack of skilled resources to investigate and respond to incidents is one of the biggest problems facing the cyber security industry today. This problem is so widespread that, according to ESG Research2, “34% say their biggest challenge is that they lack skilled resources to investigate a cyber security incident involving an endpoint to determine root cause and the attack chain.”
This dilemma has given way to a new alternative: managed security services. Specifically, managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists. They act as an extension of a customer’s security team. These services combine human-led investigations, threat hunting, real-time monitoring, and incident response with a technology stack to gather and analyze intelligence.
According to Gartner, “by 2025 50% of organizations will be using MDR services.” Organizations are realizing they will need help to run a complete security operations and incident response program.
For organizations that have not employed an MDR service and are responding to an active attack, incident response specialist services are an excellent option. Incident responders are brought in when the security team is overwhelmed and needs outside experts to triage the attack and ensure the adversary has been neutralized.
Even organizations that have a team of skilled security analysts can benefit from collaborating with an incident response service to shore up gaps in coverage (e.g., nights, weekends, holidays) and specialized roles that are needed when responding to incidents.
At Techinc, we believe that proper cyber security is one of the most important parts of any business’s IT infrastructure. We also believe in a proactive approach—that means we put structures in place to prevent problems rather than act as damage control once it’s too late.
There’s no room to be careless when it comes to your cyber security, which is why we monitor the entire system from the top down. Our security services cover everything from your entire network down to each individual computer.
If you’re unsure about the strength of your cyber security setup, we offer a free security assessment! If you’re interested in our suite of security services, our technicians are happy to talk through your needs. We look forward to hearing from you.