After experiencing a breach, organisations often realise they could have avoided a lot of costs, pain, and disruption if only they had an effective incident response plan in place.
According to Ross Anderson, Sophos Product Development Manager at Duxbury Networking, the best way to avoid having a cyber-attack turn into a full breach is to prepare in advance.
“It’s important to define the framework for cyber-security incident response planning that gives you the best chance at thwarting an adversary.
These recommendations are based on the real-world experiences of the Sophos Managed Threat Response and Sophos Rapid Response teams, who have tens of thousands of hours of experience when it comes to dealing with cyber-attacks.”
Cyber-security incident response plan
There are nine main steps to an effective incident response plan:
1. Determine key stakeholders
Properly planning for a potential incident is not the sole responsibility of your security team.
In fact, an incident will likely impact almost every department in your organisation, especially if the incident turns into a full-scale breach.
To properly coordinate a response, you must first determine who should be involved. This often includes representation from senior management, security, IT, legal, and public relations.
2. Identify critical assets
Your organisation first needs to identify its highest-priority assets.
Knowing these in advance not only shapes your protection strategy but also makes it much easier to determine the scope and impact of an attack.
Additionally, by identifying these in advance, your incident response team will be able to focus on the most critical assets during an attack, minimising disruption to the business.
3. Run tabletop exercises
While it is difficult to fully replicate the intense pressure your team will experience during a potential breach, practice exercises ensure a more tightly coordinated and effective response when a real situation occurs.
It is important to run not only technical exercises (often as part of a red team drill) but also broader tabletop exercises that include the various business stakeholders previously identified.
Your organisation should determine in advance who needs to be informed when an attack is detected, even if it was successfully defended.
Common incident response scenarios include:
- Active adversary detected within your network
- Successful data breach
- Successful ransomware attack
- High-priority system compromised.
4. Deploy protection tools
The best way to deal with an incident is to protect against it in the first place. Ensure your organisation has the appropriate endpoint, network, server, cloud, mobile, and email protection available.
5. Ensure you have maximum visibility
Without the proper visibility into what is happening during an attack, your organisation will struggle to respond appropriately.
Before an attack occurs, IT and security teams should ensure they can understand the scope and impact of an attack, including determining adversary entry points and points of persistence.
Proper visibility includes collecting log data, with a focus on endpoint and network data.
Since many attacks take days or weeks to discover, you must have historical data going back for days or weeks (even months) to investigate.
Additionally, ensure such data is backed up and stored outside the systems it describes, so it can still be accessed during an active incident even if an attacker wipes logs on a compromised host or ransomware encrypts the original copy.
6. Implement access control
Attackers can leverage weak access control to infiltrate your organisation’s defences and escalate privileges.
Regularly verify that the proper access controls are in place.
This includes, but is not limited to, deploying multi-factor authentication, limiting admin privileges to as few accounts as possible (following the Principle of Least Privilege), changing default passwords, and reducing the number of access points you need to monitor.
7. Invest in investigation tools
In addition to ensuring you have the necessary visibility, your organisation should invest in tools that provide the necessary context during an investigation.
Some of the most common tools used for incident response include endpoint detection and response (EDR) or extended detection and response (XDR), which allow you to hunt across your environment for indicators of compromise (IOCs) and indicators of attack (IOAs).
In addition to EDR tools, advanced security teams might also deploy a security orchestration, automation, and response (SOAR) solution that aids in response workflows.
8. Establish response actions
Detecting an attack is only part of the process.
To properly respond to an attack, your IT and security teams need to ensure they can conduct a wide range of remedial actions to disrupt and neutralise an attacker.
Response actions include, but are not limited to:
- Isolating affected hosts
- Blocking malicious files, processes, and programs
- Blocking command and control (C2) and malicious website activity
- Freezing compromised accounts and cutting off access to attackers
- Cleaning up adversary artefacts and tools
- Closing entry points and areas of persistence leveraged by attackers (internal and third-party)
- Adjusting configurations (threat policies, enabling endpoint security and EDR on unprotected devices, adjusting exclusions, etc.)
- Restoring impacted assets via offline backups.
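As an added, self-contained example (not code from the article or from Sophos), the following Python script ties steps 5, 7 and 8 together: it parses constructed endpoint and DNS telemetry, hunts it for IOCs (a known file hash and a C2 domain) and one IOA (an Office process spawning PowerShell with an encoded command), measures how far back the earliest indicator sits relative to the latest one, and turns the hits into an ordered containment list in which hosts flagged as critical assets (step 2) are isolated first. Every hostname, account, hash, domain and log line is made up; the indicator values are placeholders rather than real threat intelligence, and the action names are a hypothetical playbook vocabulary, not any product's API.

```python
"""Added example: IOC/IOA hunt over constructed telemetry plus derived containment actions.

Not from the article or Sophos. All hosts, users, hashes, domains and log lines
below are constructed for illustration; the indicator values are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
import json
import re

# Constructed threat intelligence (hypothetical values, not real indicators).
DROPPER_HASH = "7f1a" * 16                    # placeholder 64-hex-char SHA-256
IOC_SHA256 = {DROPPER_HASH}
IOC_DOMAINS = {"updates.example-c2.invalid"}  # placeholder C2 domain

# IOA rule: an Office application spawning PowerShell with an encoded command.
# Behavioural, so it fires on tooling the hash lists have never seen.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
ENCODED_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:enc|encodedcommand)\b", re.IGNORECASE)

# Constructed telemetry: one JSON event per line from three hosts. The first
# event is three weeks older than the rest to show why log retention matters.
SAMPLE_LOGS = """\
{"ts":"2024-02-10T03:14:02Z","host":"FS-01","type":"process","user":"svc_backup","parent":"cmd.exe","image":"update.exe","cmdline":"update.exe /silent","sha256":"%s"}
{"ts":"2024-02-27T09:40:15Z","host":"WS-212","type":"dns","user":"amartin","query":"www.example.com"}
{"ts":"2024-03-01T08:02:11Z","host":"WS-104","type":"process","user":"jsmith","parent":"WINWORD.EXE","image":"powershell.exe","cmdline":"powershell.exe -nop -w hidden -enc SQBFAFgA","sha256":"%s"}
{"ts":"2024-03-01T08:02:19Z","host":"WS-104","type":"dns","user":"jsmith","query":"updates.example-c2.invalid"}
{"ts":"2024-03-01T08:05:00Z","host":"WS-104","type":"process","user":"jsmith","parent":"explorer.exe","image":"chrome.exe","cmdline":"chrome.exe","sha256":"%s"}
""" % (DROPPER_HASH, "11" * 32, "22" * 32)


@dataclass(frozen=True)
class Finding:
    ts: datetime
    host: str
    user: str
    kind: str    # "ioc_hash", "ioc_domain" or "ioa_office_spawn"
    detail: str  # the matched hash, domain or command line


def parse_logs(text: str) -> list[dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))


def hunt(events: list[dict]) -> list[Finding]:
    """Match every event against the IOC sets and the IOA rule; oldest hit first."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if ev.get("sha256") in IOC_SHA256:
                findings.append(Finding(_ts(ev), ev["host"], ev["user"], "ioc_hash", ev["sha256"]))
            parent = ev.get("parent", "").lower()
            if parent in OFFICE_PARENTS and ENCODED_PS.search(ev.get("cmdline", "")):
                findings.append(Finding(_ts(ev), ev["host"], ev["user"], "ioa_office_spawn", ev["cmdline"]))
        elif ev["type"] == "dns" and ev.get("query", "").lower() in IOC_DOMAINS:
            findings.append(Finding(_ts(ev), ev["host"], ev["user"], "ioc_domain", ev["query"]))
    return sorted(findings, key=lambda f: f.ts)


def dwell_time(findings: list[Finding]) -> timedelta:
    """Span from the earliest indicator to the latest: the minimum history the logs must cover."""
    if not findings:
        return timedelta(0)
    return findings[-1].ts - findings[0].ts


def plan_response(findings: list[Finding], critical_assets: set[str]) -> list[tuple[str, str]]:
    """Derive ordered containment actions; critical assets are isolated before other hosts."""
    hosts = {f.host for f in findings}
    users = {f.user for f in findings}
    hashes = {f.detail for f in findings if f.kind == "ioc_hash"}
    domains = {f.detail for f in findings if f.kind == "ioc_domain"}
    actions = [("isolate_host", h) for h in sorted(hosts, key=lambda h: (h not in critical_assets, h))]
    actions += [("block_hash", h) for h in sorted(hashes)]
    actions += [("block_domain", d) for d in sorted(domains)]
    actions += [("freeze_account", u) for u in sorted(users)]
    return actions


if __name__ == "__main__":
    hits = hunt(parse_logs(SAMPLE_LOGS))
    for f in hits:
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.host:<7} {f.user:<11} {f.kind:<17} {f.detail}")
    print(f"dwell time: {dwell_time(hits).days} days (log retention must exceed this)")
    for action, target in plan_response(hits, critical_assets={"FS-01"}):
        print(f"{action:<15} {target}")
```

The dwell-time figure is the point of step 5: in the sample the first indicator on the file server is 20 days older than the last one on the workstation, so a retention window shorter than that would have hidden the initial compromise. The action tuples are what a playbook hands to the EDR/XDR or SOAR tooling that actually performs the isolation, blocking and account freezes.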
9. Conduct awareness training
While no training programme will ever be 100% effective against a determined adversary, education programmes (for example, phishing awareness) help reduce your risk level and limit the number of alerts your team needs to respond to.
When a cyber-security incident strikes, time is of the essence. Having a well-prepared, well-understood response plan that all key parties can immediately put into action will dramatically reduce the impact of an attack on your organisation.
“Sophos Rapid Response provides lightning-fast assistance with identification and neutralisation of active threats against organisations.
It provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully managed service.
Onboarding starts within hours, and most customers are triaged within 48 hours.
The service is available for both existing Sophos customers and non-Sophos customers,” says Anderson.