When it comes to incident response, every second counts. The severity of breaches varies, but since damage done directly correlates to the time a malicious actor has access to your systems, it’s paramount that all threats are discovered and remediated as quickly as possible. The difference between a breach being detected and remediated in two hours versus two days could be the difference between a quick laptop reimaging or six-digit revenue loss.
Imagine a virus makes it past your firewall and, instead of noticing and isolating the point of entry, you miss the threat. Pretty soon, perhaps the entire sales team is affected. The damage compounds: not only are you losing money by taking the sales team out of commission, you are also losing money in wasted staff hours mitigating damage that could have been avoided altogether with proper preparation.
So how can you properly prepare? Here are a few places you can start when looking to reduce response time:
Proper staffing
An adequate IT staff line-up is an investment in the future of the entire company. In order to get the job done, and done well, your IT team needs not just the right kind of people, but the right number of people.
The threat environment changes quickly, and in order to keep pace IT professionals need time set aside to audit their response processes and get training on the latest tools available. Unfortunately, when the team is understaffed, employees will find it difficult to get ahead, let alone get up to speed. An understaffed team is a sure-fire path to a lack of oversight.
Even if the IT team is scrappy and sure-footed enough to take on new incident response training while keeping up with its other responsibilities, a lack of staffing presents another issue: for a small team, incident response will often involve the entire staff, leaving no capacity for the other problems that arise in the meantime.
Pushing for more hires, especially those with the proper skill set, can be a difficult task, and many organizations will need to work with the resources they already have. Luckily, with proper procedure and the right tools, a lack of staffing does not have to stand in the way of adequate response time.
Streamlining procedure
All security teams should have an incident response process to guide remediation efforts. When was the last time you took a look at yours?
In order to understand your incident response processes and procedures, a proper review is required. We have broken incident response down into what are most commonly seen as its seven stages:
1. Preparation
It is essential that every organization is prepared for the worst, so preparation is vital to any security incident response plan. It covers how an incident will be identified, how recovery will proceed and how normal business activity will be resumed, and it means establishing security policies and assets in advance, including the following:
- warning banners
- user privacy expectations
- established incident notification processes
- development of an incident containment policy
- creation of incident handling checklists
- ensuring the corporate disaster recovery plan is up to date
- making sure the security risk assessment process is functioning and active
When looking at your pre-deployed incident handling assets, make sure certain tools are in place before a breach occurs: your own sensors, probes and monitors on critical systems, tracking databases in core systems, and active audit logs for all network components. Without these, there is little evidence to work from once an incident is discovered.
2. Identification
The next stage of incident response is identifying the actual incident: what happened, and what its full scope is. Investigate suspicious log entries, excessive login attempts, unexplained user accounts, unexpected new or modified files, and similar indicators, and compare what you find against the baselines collected during preparation.
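The following is an added example, not code from the original article: it runs the identification checks described above over constructed sample data (sshd-style log lines, before-and-after account lists and a small file inventory, none captured from a real system) and tags each finding with one of the six incident levels listed below. The log format, the failure threshold and the level assigned to each finding are assumptions made for illustration.

```python
"""Identification-stage triage over constructed sample data (added example).

Checks: excessive failed logins (and a success that follows them), accounts
that were not in the baseline, and files that are new or changed since the
baseline inventory. Thresholds, paths and level mapping are assumptions.
"""
import hashlib
import re
from collections import Counter

# Constructed sshd-style log lines; not captured from a real host.
AUTH_LOG = """\
Mar 01 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 01 10:00:02 host sshd[1202]: Failed password for invalid user oracle from 203.0.113.7 port 50123 ssh2
Mar 01 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 01 10:00:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar 01 10:00:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar 01 10:00:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 50127 ssh2
Mar 01 10:05:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar 01 10:05:10 host sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

# Constructed /etc/passwd-style snapshots: baseline from preparation, current from the host now.
PASSWD_BASELINE = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
PASSWD_CURRENT = PASSWD_BASELINE + "backup:x:0:0::/tmp:/bin/bash\n"

# Constructed file contents standing in for a filesystem walk (path -> bytes).
FILES_BASELINE = {"/usr/bin/ls": b"ls-binary-v1", "/etc/ssh/sshd_config": b"PermitRootLogin no\n"}
FILES_CURRENT = {"/usr/bin/ls": b"ls-binary-v1",
                 "/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
                 "/tmp/.x/kit.so": b"\x7fELF..."}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
FAIL_THRESHOLD = 5  # assumption: this many failures from one source counts as excessive


def login_findings(log_text, threshold=FAIL_THRESHOLD):
    """Flag sources with excessive failed logins, and any success from such a source.

    A burst of failures on its own is a probe (Level 5); a success from the same
    source after the burst means the probe worked (Level 1).
    """
    failures = Counter()
    findings = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= threshold:
            user, src = m.groups()
            findings.append(("Level 1 Unauthorized access",
                             f"login as {user} from {src} after {failures[src]} failures"))
    for src, n in sorted(failures.items()):
        if n >= threshold:
            findings.append(("Level 5 Scans/probes/attempted access",
                             f"{n} failed logins from {src}"))
    return findings


def account_names(passwd_text):
    """Return the set of account names in a passwd-style snapshot."""
    return {l.split(":")[0] for l in passwd_text.splitlines() if l and not l.startswith("#")}


def new_accounts(baseline, current):
    """Return account names present now but absent from the baseline snapshot."""
    return sorted(account_names(current) - account_names(baseline))


def uid0_accounts(passwd_text):
    """Return non-root accounts with UID 0, a common way to hide a privileged backdoor."""
    fields = (l.split(":") for l in passwd_text.splitlines() if l)
    return [f[0] for f in fields if len(f) >= 3 and f[2] == "0" and f[0] != "root"]


def inventory(files):
    """Hash every file so the baseline can be compared later (path -> sha256 hex)."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}


def file_findings(baseline_inv, current_inv):
    """Return (new, modified) paths by comparing two inventories."""
    new = sorted(p for p in current_inv if p not in baseline_inv)
    modified = sorted(p for p in current_inv if p in baseline_inv and current_inv[p] != baseline_inv[p])
    return new, modified


def triage():
    """Run every check over the constructed data; return (level, description) findings."""
    findings = login_findings(AUTH_LOG)
    for name in new_accounts(PASSWD_BASELINE, PASSWD_CURRENT):
        findings.append(("Level 1 Unauthorized access", f"unexplained new account {name}"))
    for name in uid0_accounts(PASSWD_CURRENT):
        findings.append(("Level 1 Unauthorized access", f"non-root account {name} has UID 0"))
    new, modified = file_findings(inventory(FILES_BASELINE), inventory(FILES_CURRENT))
    findings += [("Level 3 Malicious code", f"unexpected new file {p}") for p in new]  # suspected, not confirmed
    findings += [("Level 1 Unauthorized access", f"modified system file {p}") for p in modified]
    return findings


if __name__ == "__main__":
    for level, desc in triage():
        print(f"{level}: {desc}")
```

The baseline inputs are what preparation is supposed to leave behind: without a saved account list and file inventory, "unexplained" and "unexpected" have nothing to be measured against, which is why the preparation stage matters for response time.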
After you have assessed the situation, classify the incident into one of six levels:
Level 1 Unauthorized access
Level 2 Denial of service
Level 3 Malicious code
Level 4 Improper usage
Level 5 Scans/probes/attempted access
Level 6 Investigation incident
3. Containment
Once the full scope of the incident and its level have been identified, the next move is to contain the problem so that it does not grow in scope and magnitude. While containing an incident there are two essential areas of coverage: maintaining uptime and protecting critical systems.
To decide the operational status of the affected system or network, you have three options:
- Disconnect the system from the network and allow it to continue stand-alone operations
- Shut down everything immediately
- Continue to allow the system to run on the network and monitor its activity
All three are viable ways to contain the issue at the start of the response, and the choice should be made quickly so that you can move on to the next stage. Bear in mind that shutting a system down destroys whatever is in its memory, so if memory analysis will be needed in the investigation, disconnecting it from the network preserves more evidence than powering it off.
4. Investigation
Forensic investigation is the step that determines what actually happened in your environment. A methodical review needs to take place first on all the systems or networks determined to be in scope of the incident, then on systems outside the containment area. Hard drives, memory, device logs and other supporting data must be analyzed. It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.
5. Remediation
Remediation is the process of actually getting rid of the issue on the affected computer, system or network. It should only begin once containment is in place and the investigation has collected what it needs, so that evidence is not destroyed before it has been preserved. There are two important aspects of eradication to keep in mind. The first is cleanup, which usually consists of running your antivirus software, uninstalling the compromised software, rebuilding the OS or replacing the entire hard drive, and reconstructing the network. In most cases reimaging the affected machines is the recommended tactic, since cleaning a compromised system in place gives no assurance that every trace was removed.
The second is notification. Notification always includes relevant personnel and all stakeholders both above and below the incident response team manager in the reporting chain.
6. Recovery
This is when your company or organization returns to normal. There are two steps to recovery:
- Service restoration, based on implementing corporate contingency plans
- System and/or network validation: testing and certifying the system as operational
Any component that was compromised must be recertified as both operational and secure.
7. Follow-up
After everything has been returned to standard operations there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.
Was there sufficient prep?
Did detection occur in a timely manner?
Were communications conducted clearly?
What was the cost of the incident?
Did you have a business continuity plan in place?
How can we prevent it from happening again?
Once these questions are answered and improvements are made where necessary, your company and incident response team sh