Over the past couple of years there has been a meteoric rise in cybersecurity incidents and it is only a matter of time before one occurs in your organisation. Whether hit by a Distributed Denial-of-Service (DDoS) attack, infected by malicious programs or held hostage by ransomware, the first-responder actions will often determine the outcome of the security incident. According to NTT Security’s 2018 Risk:Value Report the average recovery time from a breach is 57 days, so whatever form the attack takes, the immediate actions taken following an incident are critical. Yet even though there are greater prevention efforts in raising awareness from warehouse staff to boardroom level, there is still a lack of preparation and planning.
Organisations of all shapes and sizes can end up as the subject of the latest network intrusion headlines, mostly because of a lack of security awareness or strategy. High-profile attacks such as WannaCry could have been mitigated much more quickly had effective policies and tested processes been in place. There are now far tougher consequences for those who commit offences, and organisations need to take responsibility and plan for such scenarios in order to prevent business shutdown and legal repercussions, which is why taking the appropriate steps in the first 24 hours is imperative.
In the early phases of a cybersecurity incident senior management typically want a clear understanding of what damage has been done, whether any sensitive data has been stolen and how the attacker gained access. The responsibility for tracking down the root cause and containing the incident typically lies with the computer emergency response team (CERT) or incident response (IR) practitioners.
To ensure this can be carried out effectively, adopting a triage process in the first 24 hours of the incident, in cooperation with the organisation’s IT department, gives the remediation and post-incident investigation a head start. The following steps provide an excellent starting point for that process:
Understanding how and when the incident was first detected is the ideal place to begin the timeline. Of course, the systems may have been compromised some time before detection, but asking questions such as whether firewall logs are being used to their full potential to identify the initial compromise, or whether a SIEM solution is in place, can help to uncover vital clues.
In order to provide an effective response you must know where the servers and/or endpoints are physically located. Equally important is the setup, i.e. operating systems, storage and virtualisation, as well as the security configuration, i.e. user groups and permissions, together with a network map. If an external IR team is coming in to perform the technical work, this information provides instant insight and makes it much easier for them to familiarise themselves quickly with the IT systems in situ.
Providing accurate handover notes to the IR team, along with a record of the steps taken up until that point, is recommended in order to prevent any contamination of evidence or incorrect leads being pursued. To ensure that the IT, CISO and IR single points of contact (SPoCs) are fully engaged with one another, it is essential that this communication continues throughout the course of the incident response plan.
Logs provide crucial evidence
While to many users log files containing countless lines of entries mean nothing, they may in fact be crucial in identifying indicators of compromise (IoCs), in other words in detecting the intrusion. To avoid mislaying any evidence, logging must be fully enabled, retention periods applied, and the logs provided to the responders at the earliest opportunity to ensure a thorough review to determine IoCs.
Artefacts identified within the data must be preserved so that comprehensive forensic analysis can be carried out and an accurate timeline constructed. Each incident must be treated on an individual basis, and this process should be employed whether or not external authorities are engaged. If they are involved then the reports could form key evidence, further underlining the importance of the continuity and retention of such material.
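The two preceding paragraphs describe the triage loop in words: pull the logs, search them for indicators of compromise, order the hits into a timeline, and preserve the evidence so its integrity can later be demonstrated. The following is an added example written for this page, not code from the original article or from any IR toolkit. It works on a handful of constructed firewall and authentication log lines, matches them against a hypothetical IoC list (the addresses 203.0.113.7 and 198.51.100.20 are documentation ranges chosen for illustration), flags a successful login that follows a burst of failures, and records a SHA-256 hash of the evidence file so that the copy handed to the IR team can be verified against the original later.

```python
"""First-24-hours triage helper (added example, not from the original article).

Scans log lines for indicators of compromise (IoCs), builds a timeline of
hits, and records hashes of evidence so continuity can be demonstrated.
"""
import hashlib
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines for illustration only; not from a real incident.
SAMPLE_LOGS = """\
2024-03-01T08:12:03Z fw deny src=203.0.113.7 dst=10.0.0.5 dport=445
2024-03-01T08:12:05Z fw deny src=203.0.113.7 dst=10.0.0.6 dport=445
2024-03-01T08:13:10Z fw allow src=203.0.113.7 dst=10.0.0.9 dport=3389
2024-03-01T08:14:22Z auth failure user=admin src=203.0.113.7
2024-03-01T08:14:25Z auth failure user=admin src=203.0.113.7
2024-03-01T08:14:28Z auth failure user=admin src=203.0.113.7
2024-03-01T08:14:31Z auth failure user=admin src=203.0.113.7
2024-03-01T08:14:40Z auth success user=admin src=203.0.113.7
2024-03-01T09:02:00Z fw allow src=10.0.0.9 dst=198.51.100.20 dport=443
2024-03-01T10:30:00Z auth success user=alice src=10.0.0.15
"""

# Hypothetical IoC list; in practice this comes from threat intelligence or
# from artefacts already identified earlier in the triage.
KNOWN_BAD_IPS = {"203.0.113.7", "198.51.100.20"}
FAILED_LOGIN_THRESHOLD = 3  # assumption: tune to the environment

# Assumed line format: "<ISO8601> <source> <event> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<event>\w+) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts.replace(tzinfo=timezone.utc),
            "source": m.group("source"), "event": m.group("event"), **fields}


def find_iocs(lines):
    """Return a chronologically ordered list of (timestamp, ioc_type, detail) hits."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])  # timeline order, regardless of log order
    hits = []
    failures = Counter()  # (user, src) -> failed login count seen so far
    for e in events:
        # Any traffic or authentication involving a known-bad address is a hit.
        for ip in sorted({e.get("src"), e.get("dst")} & KNOWN_BAD_IPS):
            hits.append((e["ts"], "known_bad_ip", ip))
        if e["source"] == "auth":
            key = (e.get("user"), e.get("src"))
            if e["event"] == "failure":
                failures[key] += 1
            elif e["event"] == "success" and failures[key] >= FAILED_LOGIN_THRESHOLD:
                # A success right after a burst of failures suggests brute force.
                hits.append((e["ts"], "success_after_failures",
                             f"{key[0]}@{key[1]} after {failures[key]} failures"))
    return hits


def first_seen(hits):
    """Earliest timestamp per (ioc_type, detail): the anchor points of the timeline."""
    seen = {}
    for ts, kind, detail in hits:
        seen.setdefault((kind, detail), ts)
    return seen


def evidence_record(name, data):
    """Hash an evidence file so the copy handed over can be verified later."""
    return {"name": name, "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest()}


if __name__ == "__main__":
    found = find_iocs(SAMPLE_LOGS.splitlines())
    for ts, kind, detail in found:
        print(ts.isoformat(), kind, detail)
    print("first seen:", {k: v.isoformat() for k, v in first_seen(found).items()})
    print("evidence:", evidence_record("fw_auth.log", SAMPLE_LOGS.encode()))
```

The hash record is the part most often skipped under time pressure: compute it on the original before anything is copied, and again on the copy the IR team receives, so the two can be shown to match if the material later has to stand as evidence.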
The likelihood of a cybersecurity incident in today’s world is more a matter of ‘when’ than ‘if’, which is why appropriate planning and preparation measures, such as those listed here, should be central to the remediation of a cyber threat. Should the worst happen, activating an effective and efficient response plan in the early stages of an incident will provide a secure foundation for recovery, allowing you to manage the compromise whilst causing minimal disruption.
The first 24 hours after a security incident are crucial, so get on the front foot and make them count.