The Biggest Mistakes to Avoid with Incident Response

Incident response is a critical component of containing and remediating security incidents and events. It can also be an incredibly detailed and difficult process to manage when you’re trying to restore business operations quickly.

Consider these big mistakes you’ll want to avoid with incident response.

 

1. Lack of an IR Playbook

 

Incident response is a well-planned process for the security team. It must be customized for your organization: every security event must be ticketed and tracked under a category and sub-category relevant to your business. Doing so produces escalation profiles, which together make up the IR playbook and include:

  • Escalation types
  • Ticket types
  • Sending email alerts
  • Traversing a call tree

Based on analysis results and escalation type, IR actions should also be documented in the playbook. ROI can be assigned to each response type.

  • Ex: malware results in offline scan or re-image
  • Ex: scanning results in double-checking systems hardening, possibly add firewall/IPS rule to block
  • Ex: DDoS should have mitigations in place already, coordinate with DDoS Prevention Vendor
  • Ex: AAA should have investigative steps to determine root cause (is it old credentials on a file share or service account, or brute force attempts?)
  • Ex: AUP violations should have consequences coordinated with HR and awareness raised about severity of infraction
  • Ex: App/OS Vulnerabilities should coordinate with engineering that handles patch management and include possibly taking a server out of service until mitigated
  • Ex: Health is critically important – if you’re not getting logs from an endpoint of interest you’re in the dark as to what’s happening with it

Incident Response Playbook Example 

2. Inadequate logging to the SIEM

Another common mistake in IR is not having adequate logging in place or, worse yet, no SIEM at all. Coordination with engineering may prove a challenge, but security teams must first be accurately aware of what’s in the environment, and second ensure that logs are ingested, correlated, and monitored.

The security team must keep after it if they know, or even suspect, that there are assets in the environment that they don’t know about or that aren’t sending logs to the SIEM.
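
As an added example (not from the original post) of the "Health" escalation in section 1 and the log-coverage point in this section, the following Python check compares an asset inventory against the SIEM's last-seen timestamps and opens Health tickets for stale, never-reported, and unknown assets. The inventory, timestamps, silence thresholds and ticket fields are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname -> log source type (sample data, not real hosts).
INVENTORY = {
    "web-02": "syslog",
    "dc-01": "windows-eventlog",
    "fw-edge": "firewall",
    "hr-fileshare": "windows-eventlog",
}

# Constructed SIEM last-seen view: hostname -> UTC time of the most recent ingested event.
# hr-fileshare is absent (never reported); lab-box-7 reports but is missing from inventory.
LAST_SEEN = {
    "web-02": datetime(2024, 5, 1, 9, 2, tzinfo=timezone.utc),
    "dc-01": datetime(2024, 5, 1, 11, 59, tzinfo=timezone.utc),
    "fw-edge": datetime(2024, 4, 28, 23, 0, tzinfo=timezone.utc),
    "lab-box-7": datetime(2024, 5, 1, 11, 50, tzinfo=timezone.utc),
}

# Hypothetical tolerated silence per source type before a Health ticket is raised.
SILENCE_THRESHOLDS = {
    "syslog": timedelta(hours=1),
    "windows-eventlog": timedelta(minutes=30),
    "firewall": timedelta(minutes=15),
}

def log_health_check(inventory, last_seen, thresholds, now):
    """Return Health tickets (category/sub-category/escalation) for log-coverage gaps."""
    tickets = []
    for host, source_type in sorted(inventory.items()):
        seen = last_seen.get(host)
        if seen is None:
            tickets.append(_ticket(host, "never-reported", None))
        elif now - seen > thresholds[source_type]:
            tickets.append(_ticket(host, "stale-source", now - seen))
    # Assets the SIEM sees but the team does not know about are a gap in the other direction.
    for host in sorted(set(last_seen) - set(inventory)):
        tickets.append(_ticket(host, "unknown-asset", None))
    return tickets

def _ticket(host, sub_category, silent_for):
    # Escalation target follows the playbook: Health issues go to the engineering team.
    return {"host": host, "category": "Health", "sub_category": sub_category,
            "escalation": "engineering", "silent_for": silent_for}

def run_check(now=datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)):
    """Run the check against the constructed sample data at a fixed reference time."""
    return log_health_check(INVENTORY, LAST_SEEN, SILENCE_THRESHOLDS, now)
```

Calling `run_check()` returns four tickets: two stale sources (fw-edge, web-02), one asset that never reported (hr-fileshare), and one host the SIEM sees that is missing from the inventory (lab-box-7).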

 

3. Not Conducting Complete Forensic Analysis

Conducting thorough and complete root cause and forensic analysis can be missed in the heat of battle, with management demanding a return to safe operations as quickly as possible.

Containment is not remediation; if only contained, without root cause analysis and remediation, threat actors will be back in 30-90 days or less.

Learn more about each critical phase you must have in incident response.

 

4. Having a Prevention Bias

Over-emphasis on preventive measures while allowing response activities to remain immature is another mistake to avoid. People tend to think it can’t happen to them if they have multi-layered preventive measures in place. People who say they’ve never been compromised are unaware that they have been.

Learn more about what it means to have a prevention bias.

 

5. Only Reacting to Real-World Security Incidents

Reacting only to real-world incidents is a mistake: tabletop exercises that take the IR team through its paces are invaluable, not only for keeping them fresh on what actions to take but also for ensuring that documented procedures are still current.

Keep these common mistakes in mind throughout your incident response process. And, if you need expert advice to plan and build your own incident response process, consider CIPHER as a managed security services provider (MSSP) that can integrate a proven process directly into your business.



About CIPHER

Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited SOC I & SOC II Type 2 and ISO 20000 & ISO 27001 certified Managed Security Services and Security Consulting Services with expertise across PCI DSS holding the PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past six years. These services are supported by the best-in-class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and complemented by strategic partners around the globe.

Our clients consist of Fortune 500 companies, world-renowned enterprises, and government agencies with countless success stories. CIPHER provides organizations with proprietary technologies and specialized services to defend against advanced threats while managing risk and ensuring compliance through innovative solutions.
