1. Determine key stakeholders
Properly planning for a potential incident is not the sole responsibility of your security team. In fact, an incident will likely impact almost every department in your organisation, especially if the incident turns into a full-scale breach. To properly coordinate a response, you must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations.
Knowing who should be at the table and involved in your organisation’s planning exercises is something that should be determined in advanced. Additionally, a method of communication needs to be established to ensure a quick response. This should take into account the possibility that your normal channels of communication (i.e. cooperate email) may be impacted by an incident.
2. Identify critical assets
To determine the scope and impact of an attack, your organisation first needs to identify it’s highest priority assets. Mapping out your highest priority assets will not only help you determine your protection strategy but will make it so much easier to determine the scope and impact of an attack. Additionally, by identifying these in advance, your incident response team will be able to focus on the most critical assets during an attack, minimizing disruption to the business.
3. Run table-top exercises
Incident response is like many other disciplines- practice makes perfect. While it is difficult to fully replicate the intense pressure your team will experience during a potential breach, practice exercises ensure a more tightly coordinated and effective response when a real situation occurs. It is important to not only run technical tabletop exercises (often as part of a red team drill), but also broader exercises that include the various business stakeholders previously identified.
Tabletop exercises should test your organisational responses to a variety of potential incident response scenarios. Each of these scenarios might also include stakeholders beyond the immediate technical team. Your organisation should determine in advance who needs to be informed when an attack is detected, even if it was successfully defended.
4. Deploy protection tools
The best way to deal with an incident is to protect against it in the first place. Ensure your organisation has the appropriate endpoint, network, server, cloud, mobile, and email protection available.
5. Ensure you have maximum visibility
Without the proper visibility into what is happening during an attack, your organisation will struggle to respond appropriately. Before an attack occurs, IT and security teams should ensure they have the ability to understand the scope and impact of an entire attack, including determining adversary entry points and points of persistence. Proper visibility includes collecting log data, with a focus on endpoint and network data. Since many attacks take days or weeks to discover, it is important that you have historical data going back for days or weeks (even months) to investigate. Additionally, ensure such data is backed up so it can be accessed during an active incident.
6. Implement access control
Attackers can leverage weak access control to infiltrate your organisation’s defenses and escalate privileges. Regularly ensure that you have the proper controls in place to establish access control. This includes, but is not limited to, developing multi-factor authentication, limiting admin privileges to as few accounts as possible (following the Principal of Least Privilege), changing default passwords, and reducing the amount of access points you need to monitor.
7. Invest in investigation tools
In addition to ensuring you have the necessary context during an investigation.
Some of the most common tools used for incident response include endpoint detection and response (EDR) or extended detection and response (XDR), which allow you to hunt across your environment to detected indicators of compromise (IOCs) and indicators of attack (IOA). EDR tools help analysts pinpoint which assets have been compromised, which in turn helps determine the impact and scope of an attack. The more data that is collected- from the endpoints and beyond- the more context is available during investigation. Having broader visibility will allow your team to not only determine what the attackers targeted but how they gained entry into the environment and if they still have the ability to access it again.
8. Establish response actions
Detecting an attack is only part of the process. In order to properly respond to an attack, your IT and security teams need to ensure they have the ability to conduct a wide range of remedial actions to disrupt and neutralize an attacker. Response actions include, but are not limited to:
- Isolating affected hosts
- Blocking malicious files, processes, and programs
- Blocking command and control (C2) and malicious website activity
- Freezing compromised accounts and cutting off access to attackers
- Cleaning up adversary artefacts and tools
- Closing entry points and areas of persistence leveraged by attackers (internal and third-party)
- Adjusting configurations (threat policies, enabling endpoint security and EDR on unprotected devices, adjusting exclusions, etc.)
- Restoring impacted assets via offline backups
9. Conduct awareness training
While no training program will ever be 100% effective against a determined adversary, education program (i.e. phishing awareness) help reduce your risk level and limit the number of alerts your team needs to respond to. Using tools to simulate phishing attacks, provides a safe way for your staff to experience (and potentially fall victim to) a phish, enrolling those that fail into training, as well as identifying risky user groups who may require additional training.
10. Hire a managed security service
Many organisations are not equipped to handle incidents on their own. Swift and effective response requires experienced security operators. To ensure you can properly respond, consider working with an outside resource such as a managed detection and response (MDR) provider.
MDR providers offer 24/7 threat hunting, investigation, and incident response delivered as a managed service. MDR services not only help your organisation respond to incidents before they become breaches but also work to reduce the likelihood of an incident in the first place. MDR services are becoming very popular: according to Gartner*, by 2025, 50% of organisations will be using MDR services (this is up from less than 5% in 2019).