Key tips from cybersecurity incident response experts

Ben Lawrence • November 2, 2021

(Louisville Geek | Ben Lawrence) -- All companies, regardless of the size of the business or industry, should have a cybersecurity incident response plan. Some companies, particularly those that haven't yet experienced a major security incident, don't know where to begin, let alone what to prioritize. 


To shed some light on this pressing issue, we turned to a panel of cybersecurity experts and industry professionals and asked them to weigh in. While nothing can fully alleviate the pressure of dealing with a critical cyberattack, understanding these key tips will give your team an advantage when defending your organization.


1) Determine Key Stakeholders

Contrary to popular belief, properly planning for a potential incident is not the sole responsibility of your security team. In fact, an incident will likely impact almost every department in your organization, especially if the incident turns into a full-scale breach. To properly coordinate a response, you must first determine who should be involved. Beyond the security team, this often includes representation from:


  • Senior Management 
  • IT 
  • Legal
  • Marketing/Public relations


Knowing who should be involved in your organization’s planning exercises is something that should be determined in advance. It’s also important to take into consideration that your normal channels of communication (i.e., email) may be impacted by an incident. 


2) React as Fast as Possible

Every second matters when an organization is under attack, but unfortunately most organizations don’t understand the severity of the situation. This lack of awareness inevitably leads to a lack of urgency. 

Another thing to consider is that attacks tend to hit at the most inopportune times: holidays, weekends, and in the middle of the night. In 2021 alone we’ve seen attacks on Mother’s Day Weekend (Colonial Pipeline), Memorial Day Weekend (JBS Meat Processors), and July 4th (Kaseya). Malicious actors often know that long weekends mean there will be a delayed response or an unprepared 'skeleton crew' that simply doesn't have the resources to monitor for and deter threats fast enough.


Overwhelmed teams are also more likely to react slowly to indicators of attack because they suffer from alert fatigue, which means signals get lost in the noise. Even when a case is initially opened, it may not be correctly prioritized due to a lack of visibility and context. This costs time, and time is not on a defender’s side when it comes to incident response.

Even in situations where the security team is aware that they are under attack and something needs to be done immediately, they may not have the experience to know what to do next, which also makes them slow to respond. The best way to combat this is by planning for incidents in advance.


3) Don’t declare “Mission Accomplished” too soon

When it comes to incident response, the first thing to do is to address the immediate attack. This might include cleaning up a ransomware executable or blocking the exfiltration of data. While this is a solid first step in mitigating the attack, it’s the equivalent of treating the symptom, and this is no time to declare mission accomplished. Successfully removing malware and clearing an alert doesn’t necessarily mean the attacker has been ejected from the environment. It’s also possible that what was detected was only a test run by the attacker to see what defenses they’re up against. If the attacker still has access, they’ll likely strike again, but more destructively.


Incident response teams need to ensure they address the root cause of the original incident they mitigated. They should determine if the attacker still has a foothold in the environment and take whatever course of action is necessary to eject them before they are able to launch a second wave of attacks. Experienced incident response operators know when and where to investigate deeper. They look for anything else attackers are doing, have done, or might be planning to do in the network, and neutralize that, too.


4) Complete visibility is critical

Nothing makes defending an organization more difficult than having blind spots in a network. It’s important to have access to the right data, which makes it possible to accurately identify potential indicators of attack and determine the root cause. 


Over the years, several big-data tools have entered the market and tried to solve the challenge of limited visibility. Some tools rely on event-centric data like log events, others use threat-centric data, and some utilize a hybrid approach. Regardless of the approach, the end goal is the same: collect enough data to generate meaningful insights for investigating and responding to attacks that would otherwise have been missed.


Fearing they won’t have the data they need to get the full picture of an attack, some organizations decide to collect everything. This is a big mistake, especially considering the amount of data we are swimming in on a daily basis. It not only adds to the cost of data collection and storage, but it also creates a lot of noise, which leads to alert fatigue and time wasted chasing false positives.


Remember, it’s OK to ask for help

No organization wants to deal with breach attempts. However, there’s no substitute for experience when it comes to responding to incidents. This means that the IT and security teams often tasked with high-pressure incident response are thrown into situations that they simply don’t have the skills to deal with, situations that often have a massive impact on the business. The lack of skilled resources to investigate and respond to incidents is one of the biggest problems facing the cybersecurity industry today. Recent estimates from ISC, a nonprofit association of certified cybersecurity professionals, peg the global talent shortage at more than 3.1 million people.


As a result, organizations are increasingly seeking to outsource some or all of their security efforts, specifically to managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists, and act as an extension of a customer’s security team. These services combine human-led investigations, threat hunting, real-time monitoring, and incident response with a technology stack to gather and analyze intelligence. According to Gartner, “by 2025, 50% of organizations will be using MDR services,” signaling a trend that organizations are realizing they will need help to run a complete security operations and incident response program.


Ben Lawrence is the managing partner of Louisville Geek, which is a silver sponsor of FEI Louisville.
