It’s a typical Tuesday in your security operations center (SOC) and everything is going fine… until it isn’t. Your dashboard lights up. Alarms are triggered. A series of events have escalated. Everyone’s phone starts to buzz. It’s clear that an incident has occurred, and a threat actor may already be several steps ahead, and you have minutes to contain the breach before it spreads to the rest of the network.
The first hours after a breach are pivotal. Every decision you make now can either pave the way for a swift recovery or lead to potential chaos.
This is a moment to pivot from reactive to proactive, to not just respond but to outmaneuver. In the breakdown below, we’ll guide you through mastering the art of incident response, turning potential disaster into a demonstration of resilience. Discover strategies that empower you to seize control, minimize damage, and ensure that if the next incident strikes, you’re more than ready.
Before we get into how best to respond in the moment, it’s important to set the stage and discuss how we got here. Over the past five years, accelerated digital transformation and hybrid work models have expanded today’s threat surfaces. Mission-critical infrastructure has spread out from the hardened data center out to the edge of the network in web apps, software-as-a-service (SaaS) platforms, public cloud environments, and distributed endpoint devices. As a result, security infrastructure has spread out as well with dozens of new tools bolted onto existing security stacks.
This hodge podge of security tooling makes it difficult to know whether every nook and cranny across today’s dynamic infrastructures are truly protected. Are you logging the right types of events? Are sensors deployed in the right places? What events are truly important, and which are just noise? At the same time, a skills gap has emerged within the SOC teams – especially within the mid-market where resources and upskilling often fall outside of the budget. Small teams simply can’t keep up with emerging technologies, self-service IT and bring your own device (BYOD) policies.
The result is that a lot goes on across the enterprise network that escapes the attention of the SOC team. False positives are swamping analysts, allowing legitimate events to go unnoticed. According to Gartner®, “the average lowest response time for IR providers is about two hours, and the highest offered response time is about six to eight hours.”¹ In that time, it’s possible that the threat actor has probed the network, identified valuable targets and is waiting for the optimal moment to strike. And, by then, it’s too late. The attacker is already a dozen steps ahead, has delivered their payload and has you at their mercy.
Staying one step ahead of threat actors starts way before the attacker has even considered breaching your network. Preparation, quickly followed by investigation and discovery, is critical to responding quickly to the inevitable breach. Security teams then need to contain the threat, eradicate it, and restore regular business operations as fast and non-disruptively as possible. Finally, learning from mistakes and closing vulnerable security gaps can improve readiness in the future, ensuring you aren’t bitten by the same snake twice.
While preparation ideally precedes an attack, we’ve included it as the first key step here.
A lot of people like to compare cybersecurity and military strategy, and field readiness is one of the strongest parallels you can draw between the two worlds. Generals and battlefield planners spend an enormous amount of time running simulations and tabletop exercises to determine battle plans and hone their ability to respond to enemy movements. Security teams need to do the same to make sure that when an attack occurs, it’s not the first-time security analysts are dealing with the specific scenario.
Penetration testing is crucial for preemptive defense, employing white hat hackers to uncover and seal security vulnerabilities by regularly probing the network. This practice not only identifies and mitigates limitations in network observability and capabilities but also tests the effectiveness of established playbooks and formal procedures. Such preparation puts your team through rigorous exercises, enhancing readiness and establishing a strong precedent for responding to real-world cybersecurity events. It’s also a good idea to ask your vendors tough questions about their products’ capabilities and limitations. Testing them allows you to ensure your tools are doing what their developers have promised.
The clock starts ticking as soon as a breach is detected. The initial step involves gaining insight into the breach, including the attack methods, the systems compromised, and potential future targets. This crucial phase not only involves understanding the scope of the attack by pulling data and logs from affected systems but also assessing your exposure and identifying which assets are most at risk. Analyzing this information allows analysts to investigate the root causes through recursive searches, setting the stage for determining the fastest, most effective response strategy in these critical first moments.
Gathering and understanding this context is completely reliant on observability into your assets. Hopefully, you’ve prepared through penetration tests and have closed any gaps in visibility that allow you to piece together the entire attack chain – from breach to detection. Keep in mind that today’s threat actors are likely using your own tools against you to spread throughout the network, so it’s important to check on new admin access or other authentication changes. By leveraging threat intelligence, you can identify patterns across disparate events, rule out or find activity, and anticipate the attackers’ next steps, stripping away the unpredictability they depend on to stay ahead of defenses. This intelligence is crucial during the triage, investigation, and containment stages, helping to swiftly navigate the threat landscape.
The goal of the first two threats is to get you to this step as quickly as possible. Speed is of the essence when it comes to an ongoing threat, and battlefield readiness and understanding the context of an attack allow you to take decisive action quickly. Stopping the attack from spreading is the most important goal at this juncture of the attack chain. Remember, stopping breaches from occurring is probably not a viable option. But minimizing their impact and reducing business risk is the main goal.
Once you know what the attacker is up to, you can start to isolate infected systems and cut off access points to prevent spread. Set up automated triggers that reset account credentials and permissions. Deploy honeypots and sandboxes across the network to force intruders’ hands – tricking them into deploying their payloads in a safe environment. Root out unauthorized entities attempting to connect to your assets or initiate an outside connection.
Once quarantined, you can start to triage a response to get operations back up and running as quickly and non-disruptively as possible. If you’ve done everything right, it’s possible that the network or other assets haven’t been impacted at all and users are none the wiser that a breach had taken place.
If systems have been compromised or shut down, it’s important to restore them with up-to-date images that have had the vulnerability fixed and reset permissions to authorized users as quickly as possible. You should then conduct a full audit of impacted systems and users to detect any changes that the attacker made during the breach. If found, fix them immediately. It would be a shame to catch a thief in the act then have them come back later because you failed to take away the keys they had stolen.
Throughout this entire process, it’s crucial to meticulously document every action and decision. This allows for a retrospective analysis where you can glean insights from any oversights or errors. Enhance your defenses by deploying additional sensors, sealing security vulnerabilities, and providing further training to analysts who may have overlooked critical signals. Regularly auditing your processes ensures cohesive teamwork towards a unified objective. Equally important is conducting feedback sessions, where the team not only discusses areas for improvement but also acknowledges the processes and controls that performed well, reinforcing their validity. These discussions are essential for refining playbooks and should foster a constructive atmosphere, focusing on collective advancement rather than individual blame. The goal is to cultivate an environment where every team member is committed to ongoing improvement and the effective validation of existing procedures.
It's also important to engage with senior leadership and legal and PR teams if necessary so everyone is in the loop about what happened and the risk it poses to the organization. Was customer data exposed? Will the attacker publicize their attack? Are there any regulations that require disclosure? Will an audit be triggered? These are all questions that the risk assessment team needs to consider when determining whether a public response is required.
We live in a world where breaches are inevitable and quick response is critical to mitigating the impact an attack has on the business. This requires in-depth preparation before a breach has occurred, so the SOC team has visibility into the attack chain and impacted systems. Moving quickly with actionable information is critical to reducing business risk by containing and remediating the impact of the attack. Finally, a post-event audit and feedback session may be necessary to close vulnerabilities, improve processes and improve readiness in the future.
[1]Gartner, 4 Key Considerations to Perform Effective Incident Response, Carlos De Sola Caraballo, February 12, 2024
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
tags
By leveraging his background as a journalist and editor, Marcos Colón has been specializing in cybersecurity content creation for over a decade. Known for his proficiency in communicating complex topics effectively, he bridges the gap between technical aspects and audience understanding. His interviewing skills and commitment to creating engaging narratives have made him a distinctive voice in the cybersecurity sphere.
View all postsDon’t miss out on exclusive content and exciting announcements!