A cyberattack is bad for everyone associated with your organization: employees, customers, partners, and other stakeholders. You need to identify and mitigate the attack as quickly as you can, but effective incident response is about much more than neutralizing a threat actor. It’s about intelligently managing the incident in ways that are appropriate and beneficial to all the stakeholders. That approach not only addresses the immediate problem but also elevates your organization’s security and business performance over the long term.
Effective incident response involves extensive communication with stakeholders. Your organization may be subject to regulatory requirements that mandate disclosing information about the breach to customers and partners. Even if those disclosures aren’t required by law, it’s still wise to confirm that you haven’t exposed third parties to a threat that could endanger them.
Learning the right lessons
By capturing all relevant information when responding to an incident, organizations can learn important lessons to improve their security posture:
- Control shortfalls. Victims of a compromise often realize that they haven’t optimally limited and segmented administrative privileges. This is a significant problem because threat actors can use compromised administrator credentials to move laterally within environments. Unfortunately, privilege control is increasingly difficult as enterprise environments keep growing and becoming more complex.
- Enhance visibility. As environments get more complex, organizations become more susceptible to fragmented visibility into their security-related telemetry. Data from endpoint detection and response (EDR) solutions, firewalls, and other resources can be scattered across separate consoles and formats. As a result, organizations can’t quickly correlate disparate pieces of telemetry to understand and respond to situations appropriately. The solution is to consolidate telemetry and alerts onto a single pane of glass. An extended detection and response (XDR) platform such as Taegis™ XDR is more effective and cost-efficient than traditional security information and event management (SIEM) or security orchestration, automation, and response (SOAR) aggregation solutions.
- Improve workflows. Secureworks® incident response engagements often reveal that the information needed to mitigate the attack was available to someone in the compromised organization, but that person wasn’t sure how to respond, didn’t understand the threat, or didn’t have the authority to initiate the response. This disconnect is especially common in organizations that engage a managed security service provider (MSSP) for monitoring without clearly delineating who is responsible for doing what — and how quickly — when they sense that something is amiss.
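To make the visibility point concrete, the following added example (written for this page, not Secureworks or Taegis code) shows why scattered telemetry is hard to act on. It parses constructed EDR process events and firewall egress events, each in its own format, maps firewall source IPs to hostnames through an assumed asset inventory, and joins the two streams by host and time window. The suspicious pattern it looks for (an Office application spawning a scripting host, followed by an outbound connection from the same host) is visible only once both sources are correlated; neither source alone produces a finding. All sample lines, hostnames and IPs are constructed for illustration.

```python
"""Correlating fragmented telemetry: join EDR and firewall events by host and time window."""
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). Each source uses its own
# field names, which is the fragmentation problem the article describes.
EDR_EVENTS = [
    "2024-05-01T10:00:05Z host=ws-042 user=jdoe proc=powershell.exe parent=winword.exe",
    "2024-05-01T10:03:10Z host=ws-042 user=jdoe proc=rundll32.exe parent=powershell.exe",
    "2024-05-01T11:30:00Z host=ws-017 user=asmith proc=excel.exe parent=explorer.exe",
]
FIREWALL_EVENTS = [
    "2024-05-01T10:00:40Z src=10.1.5.42 dst=203.0.113.9 dport=443 action=allow",
    "2024-05-01T10:45:00Z src=10.1.5.17 dst=198.51.100.4 dport=443 action=allow",
]

# Assumed asset inventory: the firewall only knows IPs, the EDR only knows
# hostnames, so some enrichment source is needed to join them at all.
ASSET_INVENTORY = {"10.1.5.42": "ws-042", "10.1.5.17": "ws-017"}

# Office applications spawning a scripting host is a classic signal an EDR
# sees on its own; the outbound connection that follows is only in firewall logs.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def parse_kv(line):
    """Parse '<iso-timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def suspicious_edr(events):
    """EDR-only signal: a script host whose parent is an Office application."""
    return [e for e in events if e["parent"] in OFFICE_APPS and e["proc"] in SCRIPT_HOSTS]


def correlate(edr_lines, fw_lines, window=timedelta(minutes=5)):
    """Return findings where a suspicious EDR event is followed, on the same
    host and within `window`, by an allowed outbound connection."""
    edr = [parse_kv(line) for line in edr_lines]
    fw = [parse_kv(line) for line in fw_lines]
    for f in fw:
        # Enrich the firewall record with the hostname so both streams share a key.
        f["host"] = ASSET_INVENTORY.get(f["src"], f["src"])

    findings = []
    for e in suspicious_edr(edr):
        for f in fw:
            delta = f["ts"] - e["ts"]
            if f["host"] == e["host"] and f["action"] == "allow" and timedelta(0) <= delta <= window:
                findings.append({
                    "host": e["host"],
                    "user": e["user"],
                    "process_chain": f"{e['parent']} -> {e['proc']}",
                    "dst": f["dst"],
                    "dport": f["dport"],
                    "seconds_after": int(delta.total_seconds()),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(EDR_EVENTS, FIREWALL_EVENTS):
        print(finding)
```

The join key (hostname plus a bounded time window) is the piece that a consolidated platform supplies for you; without the inventory lookup and a shared timeline, an analyst looking at either console alone sees one ordinary event and no reason to escalate.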
Getting the right help
To ensure that your organization can respond to a compromise in a way that addresses the immediate threat while also improving your security posture, you’ll want to engage a qualified incident management partner. When that time comes, consider the following factors:
- Experience and skills. Threat actors are getting more sophisticated, and they relentlessly look for new ways to circumvent conventional defenses. Make sure your incident management partner’s skills extend well beyond host-based analysis. You need a team whose skills and experience include using SQL; conducting log analysis; and working with EDR tools, Active Directory, and cloud environments.
- Threat intelligence. Effective incident response relies on complete, granular threat intelligence. A partner with that type of intelligence can quickly and accurately identify the exact nature of the threat based on its tactics, techniques, and procedures (TTPs). This capability can mitigate the scope and impact of an attack. Insights about TTPs can also be used to develop detections for malicious activity before threat actors gain a foothold in the environment.
- Comprehensive data. Make sure your incident management partner has the capabilities to gather all relevant incident data and to use a combination of human and machine intelligence to analyze that data quickly. Rapid response is critical to limiting damage.
Investing in a relationship with a highly capable incident management partner will pay off in many ways. Minimizing the impact of an attack is clearly the priority, but there are other returns on investment (ROIs). For example, cyber insurers may offer more favorable underwriting to an organization that can demonstrate its incident readiness. You also build goodwill with your customers and partners when you demonstrate your ability to weather a breach resiliently. Following a compromise, strengthen your security posture by closing the identified attack vectors, enhancing security controls, and adjusting incident response procedures as appropriate.
Secureworks offers an incident management retainer to help organizations proactively improve their cyber defenses. We also offer incident response services to support victims of a compromise. If you need urgent assistance with an incident, contact the Secureworks Incident Response team.