
Incident Responder


According to many security experts, it’s a matter of “when” and not “if” your company will experience a serious cybersecurity incident. An incident response plan is your best chance at defending your organization from suffering the effects of a data breach. The time to plan and prepare your response to security incidents – whatever they may be – is long before they ever happen.

Any organization with digital assets (computers, servers, cloud workloads, data, etc.) can experience a cyber attack or data breach. Unfortunately, most organizations don’t realize they’ve suffered a breach until it’s too late. Creating a cybersecurity incident response plan helps you prepare for the inevitable and equips your IT security team to respond before, during, and after a cyber attack. This page walks through the key factors and considerations at each stage of the incident response process: preparation, detection and analysis, response, recovery, and post-incident follow-up.

Ideally, your security incident response plan should be used on an ongoing basis as a living document (OMERTA), driving recurring detection and response activities (threat hunting, cyber incident investigations, incident response, and remediation/recovery). Performing detection and incident response activities continuously improves your IT and security hygiene, better protects your organization from unknown threats and hidden attackers, and can stop an intrusion before it becomes a data breach.

Preparation

Preparation is the first phase of incident response planning and arguably the most crucial in protecting your business and digital assets. During the preparation stage we’ll document, outline, and explain your IR team’s roles and responsibilities, including establishing the underlying security policy which will guide the development of your IR plan.

  • Determine the exact location, sensitivity and relative value of all information in your organization that needs to be protected.
  • Gauge whether you currently have sufficient IT resources to respond to an attack or whether third-party support would be required.
  • Gain executive buy-in so the plan has full approval from the top of the organization.
  • Assign roles and responsibilities for all relevant stakeholders, including IT, HR, internal communications, customer support, legal, PR and advisors.
  • Establish a chain of command that includes both IT and corporate leaders. Who is the incident commander? Who launches the incident response plan? Who has “stop work” authority, such as the emergency shut down of company websites?
  • Gather and update 24/7/365 contact information (email, text, VOIP, etc.) for all incident response team members, their backups, and managers. Establish alternative channels of communication if regular channels are compromised or unavailable.
  • Identify cybersecurity regulatory requirements for the organization across all functions and develop guidance on how to interact with law enforcement and other governmental authorities in the event of an incident.
  • Develop and maintain a list of preferred technology vendors for forensics, hardware replacement, and related services that might be needed before, during or after an incident.
  • Establish procedures for IT teams to receive clear, actionable alerts of all detected malware. Specific explanations can help team members avoid dismissing the alert as a false positive.
  • Store privileged credentials, including passwords and SSH keys, in a secure, centralized vault.
  • Automatically rotate privileged credentials, isolate privileged account sessions for temporary employees, and regularly scan for orphan accounts of former employees that might still provide unauthorized access.
  • Request employees to report suspicious emails and activities that might compromise network security.
  • Ensure that you have a clean system ready to restore, perhaps involving a complete reimage of a system or a full restore from a clean backup.
  • Establish a comprehensive and integrated communications plan to inform both internal and external audiences on incidents in a rapid, accurate and consistent fashion.
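The orphan-account check from the list above is easy to automate. The following is an added example (not code from the original page or from Omerta Security): it joins a constructed HR roster with a constructed account inventory and flags accounts that have no active employee, have never logged in, or have not logged in within a stale-days policy. The roster, the account fields, the `svc-` naming convention for service accounts, and the 90-day threshold are all assumptions; in practice you would feed in exports from your HR system and your directory or IAM.

```python
"""Scan an account inventory for orphaned and stale privileged accounts.
Added example: the HR roster, account list and field names are constructed
assumptions; in practice you would export them from your HR system and from
your directory/IAM (or /etc/passwd plus lastlog) and feed them in unchanged."""
from datetime import datetime, timedelta, timezone

# Constructed HR roster of currently employed user names (assumed export).
HR_ACTIVE = {"alice", "bob", "carol"}

# Constructed account inventory (assumed fields): name, privilege flag,
# last successful login as an ISO date, or None if the account never logged in.
ACCOUNTS = [
    {"name": "alice",      "privileged": True,  "last_login": "2024-05-01"},
    {"name": "bob",        "privileged": False, "last_login": "2024-04-20"},
    {"name": "dave",       "privileged": True,  "last_login": "2024-01-15"},  # left the company
    {"name": "svc-backup", "privileged": True,  "last_login": None},          # never used
    {"name": "carol",      "privileged": True,  "last_login": "2023-11-02"},  # employed, but stale
]

SERVICE_PREFIX = "svc-"   # assumed naming convention for service accounts
STALE_DAYS = 90           # assumed policy: no login in 90 days means review/disable
DEMO_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)  # fixed "today" so results are reproducible


def scan_accounts(accounts, hr_active, now=DEMO_NOW, stale_days=STALE_DAYS):
    """Return accounts that are orphaned (no active employee), never used, or stale.
    Privileged findings are listed first: those are the ones to disable or rotate today."""
    findings = []
    for acct in accounts:
        name = acct["name"]
        reasons = []
        # Service accounts have no employee owner in HR, so only the login checks apply to them.
        if not name.startswith(SERVICE_PREFIX) and name not in hr_active:
            reasons.append("orphan: no active employee")
        if acct["last_login"] is None:
            reasons.append("never logged in")
        else:
            last = datetime.fromisoformat(acct["last_login"]).replace(tzinfo=timezone.utc)
            if now - last > timedelta(days=stale_days):
                reasons.append(f"stale: no login in {stale_days} days")
        if reasons:
            findings.append({"name": name, "privileged": acct["privileged"], "reasons": reasons})
    findings.sort(key=lambda f: (not f["privileged"], f["name"]))
    return findings


if __name__ == "__main__":
    for f in scan_accounts(ACCOUNTS, HR_ACTIVE):
        flag = "PRIV" if f["privileged"] else "user"
        print(f"[{flag}] {f['name']}: {'; '.join(f['reasons'])}")
```

Run it on a schedule and route privileged findings to the vault owner: an orphaned privileged account (dave) is disabled immediately, a never-used service account (svc-backup) is reviewed for whether it is still needed, and a stale account of a current employee (carol) is a candidate for rotation rather than removal.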

Detection & Analysis

The detection phase of security incident response and IR planning involves monitoring, detecting, alerting, and reporting on security events. This includes identifying known, unknown, and suspect threats—those that appear malicious in nature, but not enough data is available at the time of discovery to make a determination either way.

When a lead, threat, or security incident is detected, your incident response team should immediately (if not automatically, with the help of incident response software) collect and document additional information (forensic evidence, artifacts, and code samples) to determine the severity, type, and danger of the incident, and preserve that data with its chain of custody intact so it can be used later, including in any prosecution of the attacker(s).

  • Develop a proactive detection strategy based on tools that can automatically scan your physical and virtual hosts, systems, and servers for any vulnerable applications, identities, or accounts.
  • Consider traditional solutions such as Endpoint Detection and Response (EDR) platforms, Next-gen antivirus (NGAV) software, or User/Entity Behavior Analytics (UEBA/UBA) tools to detect malware.
  • Also consider deep analysis and forensics-based capabilities that can assess the health of an endpoint by validating what is running in memory at a given point in time.
  • Conduct compromise assessments to verify whether a network has been breached and to quickly identify known or zero-day malware and persistent threats, active or dormant, that have evaded your existing cybersecurity defenses.
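To make the "known, unknown, and suspect threats" distinction concrete, here is an added example (not from the original page or from Omerta Security) of a single detection rule run over constructed sshd-style log lines: a burst of failed logins from one source followed by a successful login from the same source, which is the classic signature of a brute-force or password-spray attempt that worked. The log format, threshold, window, and the "high" severity for root/admin are assumptions; the same structure applies to VPN, RDP or cloud console authentication logs once the parser is swapped.

```python
"""Detect a failed-login burst followed by a success from the same source.
Added example: the log lines below are constructed in an sshd-like format;
the threshold, window and severity rules are assumptions, not a product's rules."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp, process, sshd message).
SAMPLE_LOG = """\
2024-05-10T09:00:01 sshd[101]: Failed password for admin from 203.0.113.7 port 50212 ssh2
2024-05-10T09:00:03 sshd[101]: Failed password for admin from 203.0.113.7 port 50213 ssh2
2024-05-10T09:00:05 sshd[101]: Failed password for root from 203.0.113.7 port 50214 ssh2
2024-05-10T09:00:07 sshd[101]: Failed password for deploy from 203.0.113.7 port 50215 ssh2
2024-05-10T09:00:09 sshd[101]: Failed password for deploy from 203.0.113.7 port 50216 ssh2
2024-05-10T09:00:12 sshd[101]: Accepted password for deploy from 203.0.113.7 port 50217 ssh2
2024-05-10T09:05:00 sshd[102]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-10T09:05:20 sshd[102]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

HIGH_VALUE_USERS = {"root", "admin"}  # assumed: success as these accounts is rated higher


def parse(log_text):
    """Yield one event dict per line that matches the assumed format; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                   "method": m["method"], "user": m["user"], "src": m["src"]}


def detect_bruteforce_success(log_text, threshold=5, window_s=300):
    """Alert when a source has >= threshold failures within window_s seconds and then succeeds."""
    failures = defaultdict(list)  # src -> [(timestamp, user tried), ...]
    alerts = []
    for ev in parse(log_text):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append((ev["ts"], ev["user"]))
            continue
        # A success: count only the failures that fall inside the window before it.
        recent = [(t, u) for t, u in failures[src]
                  if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= threshold:
            alerts.append({
                "src": src, "user": ev["user"], "method": ev["method"],
                "ts": ev["ts"].isoformat(), "failures": len(recent),
                "targeted_users": sorted({u for _, u in recent}),
                "severity": "high" if ev["user"] in HIGH_VALUE_USERS else "medium",
            })
        failures[src].clear()  # a success closes the burst for that source
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_success(SAMPLE_LOG):
        print(f"{a['severity'].upper()}: {a['src']} logged in as {a['user']} via {a['method']} "
              f"after {a['failures']} failures against {a['targeted_users']} at {a['ts']}")
```

The alert carries the "specific explanation" the Preparation list asks for (which source, which accounts were tried, how many times, which one finally worked), which is what stops an analyst from dismissing it as a false positive. Alice's single typo before a key-based login does not trip the rule, and it should not.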

Response

Responding to security incidents can take several forms. Incident response actions may include triaging alerts from your endpoint security tools to determine which threats are real and the priority in which to address them. They also include containing and neutralizing the threat(s): isolating, shutting down, or otherwise “disconnecting” infected systems from your network to prevent the attack from spreading. Finally, incident response operations include eliminating the threat (malicious files, hidden backdoors, and artifacts) that led to the security incident. You can also visit our incident response page for more.

  • Immediately contain affected systems, networks, data stores and devices to limit the breadth of the incident and prevent it from causing widespread damage.
  • Determine if any sensitive data has been stolen or corrupted and, if so, what the potential risk might be to your business.
  • Eradicate infected files and, if necessary, replace hardware.
  • Keep a comprehensive log of the incident and response, including the time, date, location and extent of damage from the attack. Was it internal or external, and was it discovered by a system alert or by one of the other detection methods described above? Who discovered it, and how was the incident reported? List every source the incident passed through, with times. At which stage did the security team get involved?
  • Preserve all the artifacts and details of the breach for further analysis of origin, impact, and intentions.
  • Prepare and release public statements as soon as the facts are verified and the legal team has reviewed them, describing as accurately as possible the nature of the breach, its root causes, the extent of the attack, steps toward remediation, and when to expect further updates.
  • Adjust firewall and network security logging to capture evidence that can be used later for forensics.
  • Engage the legal team and examine compliance and risks to see if the incident impacts any regulations.
  • Contact law enforcement if applicable, since the incident may also affect other organizations. Additional intelligence on the incident may help with eradication, scoping, or attribution.

Recovery and Follow-up

Post-incident activities (recovery and follow-up) include eradicating the security risk, reviewing and reporting on what happened, updating your threat intelligence with the indicators of compromise and known-good baselines learned from the incident, updating your IR plan with lessons learned, and certifying, then periodically re-certifying, that your environment is in fact clear of the threat(s) via a post-incident compromise assessment or a security and IT risk assessment.

Recovery

  • Eradicate the security risk to ensure the attacker cannot regain access. This includes patching systems, closing network access and resetting passwords of compromised accounts.
  • As part of eradication, perform a root-cause analysis to determine the attack path used so that security controls can be improved to prevent similar attacks in the future.
  • Perform an enterprise-wide vulnerability analysis to determine whether any other vulnerabilities may exist.
  • Restore systems to their pre-incident state. Check for data loss and verify that system integrity, availability and confidentiality have been regained and that the business is back to normal operations.
  • Continue to gather logs, memory dumps, audit records, network traffic statistics and disk images. Without proper evidence gathering, digital forensics is limited and a thorough follow-up investigation may not be possible.
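Preserving artifacts (the Response list) and continuing to gather memory dumps and disk images (the Recovery list) are only useful if you can later prove nothing changed between collection and analysis. The following is an added example (not from the original page or from Omerta Security) of the minimum chain-of-custody step: hash every artifact at collection time into a manifest that records the case, the collector and the UTC timestamp, then re-verify the artifacts before analysis so any tampering or loss is caught. The artifacts are constructed in a temporary directory, and the case ID, collector address and manifest layout are assumptions.

```python
"""Build and verify a hash manifest for collected incident artifacts.
Added example: artifacts are constructed in a temp directory; the case ID,
collector, note and manifest layout are assumptions, not a tool's format."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-GB memory/disk images do not need to fit in RAM


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir, case_id, collector, note=""):
    """Hash every file under artifact_dir and record who collected it and when (UTC)."""
    entries = []
    for root, _, files in os.walk(artifact_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, artifact_dir),
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "note": note,
        "artifacts": entries,
    }
    # One hash over the artifact list is what you write into the custody log
    # (or sign) so the manifest itself cannot be silently edited later.
    manifest["manifest_sha256"] = hashlib.sha256(
        json.dumps(entries, sort_keys=True).encode()).hexdigest()
    return manifest


def verify_manifest(artifact_dir, manifest):
    """Return (path, problem) for every artifact that is missing or whose hash changed."""
    problems = []
    for e in manifest["artifacts"]:
        path = os.path.join(artifact_dir, e["path"])
        if not os.path.exists(path):
            problems.append((e["path"], "missing"))
        elif sha256_file(path) != e["sha256"]:
            problems.append((e["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed artifacts (a memory-dump stub and a captured log), then tamper with one.
    Returns (artifact count, problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "mem.raw"), "wb") as f:
            f.write(b"\x00MEMORY-DUMP-SAMPLE\x00" * 100)
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("2024-05-10T09:00:12 sshd[101]: Accepted password for deploy from 203.0.113.7\n")
        manifest = build_manifest(d, case_id="IR-2024-0042",
                                  collector="analyst@example.com",  # assumed identity
                                  note="host web01, collected before reimage")
        clean = verify_manifest(d, manifest)
        with open(os.path.join(d, "auth.log"), "a") as f:   # simulate post-collection tampering
            f.write("tampered\n")
        tampered = verify_manifest(d, manifest)
        return len(manifest["artifacts"]), clean, tampered


if __name__ == "__main__":
    count, clean, tampered = demo()
    print(f"{count} artifacts recorded; clean check: {clean}; after tampering: {tampered}")
```

Write the manifest (and its `manifest_sha256`) to a location the compromised host cannot reach, such as the IR team's evidence store, and re-run `verify_manifest` whenever the artifacts change hands. Collect from the live system before reimaging or restoring from backup, since those steps destroy the volatile evidence the follow-up investigation depends on.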

Follow-up

  • Complete an incident response report and include all areas of the business that were affected by the incident.
  • Determine whether management was satisfied with the response and whether the organization needs to invest further in people, training or technology to help improve its security posture.
  • Share lessons learned. What went well, what didn’t and how can procedures be improved in the future?
  • Review, test and update the cybersecurity incident response plan on a regular basis, at least annually.
  • Conduct a compromise assessment or other security scans on a regular basis to ensure the health of systems, networks and devices.
  • Update incident response plans after a department restructure or other major transition.
  • Keep all stakeholders informed about the latest trends and new types of data breaches that are happening. Promote the message that “security is everyone’s job.”
