Incident response is a critical component of containing and remediating security incidents and events. It can also be an incredibly detailed and difficult process to manage when you’re trying to quickly restore business operations.
Consider these big mistakes you’ll want to avoid with incident response.
1. Lack of an IR Playbook
Incident response is a well-planned process for the security team. It must be customized for your organization: every security event must be ticketed and tracked under a category and sub-category relevant to your business. Those categories define the escalation profiles that make up an IR playbook, which include:
- Escalation types
- Ticket types
- Sending email alerts
- Traversing a call tree
Based on analysis results and escalation type, the IR actions to take should also be documented in the playbook, and an ROI can be assigned to each response type.
- Ex: malware results in offline scan or re-image
- Ex: scanning results in double-checking systems hardening, possibly add firewall/IPS rule to block
- Ex: DDoS should have mitigations in place already, coordinate with DDoS Prevention Vendor
- Ex: AAA (authentication, authorization and accounting) events should have investigative steps to determine root cause (is it old credentials on a file share or service account, or brute force attempts?)
- Ex: AUP violations should have consequences coordinated with HR and awareness raised about severity of infraction
- Ex: App/OS Vulnerabilities should coordinate with engineering that handles patch management and include possibly taking a server out of service until mitigated
- Ex: Log source health is critically important: if you’re not getting logs from an endpoint of interest, you’re in the dark as to what’s happening with it
2. Inadequate logging to the SIEM
Another common mistake in IR is not having adequate logging in place or worse yet, no SIEM in place at all. Coordination with engineering may prove a challenge, but security teams must first be accurately aware of what’s in the environment, and second ensure that logs are ingested, correlated, and monitored.
The security team must keep pressing if it knows, or even suspects, that there are assets in the environment it isn’t aware of or isn’t ingesting logs from.
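The inventory-versus-ingestion check described above, written out as an added example (not code from the original article). The asset inventory, the SIEM last-seen timestamps, the 4-hour staleness threshold and the "Health" ticket labels are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample asset inventory: hostname -> owning team (not real assets).
INVENTORY = {
    "web-01": "platform",
    "db-01": "data",
    "vpn-gw": "network",
    "hr-fileshare": "corp-it",
}

# Constructed sample of SIEM ingestion records: (hostname, timestamp of an event received).
INGESTED = [
    ("web-01", "2024-05-01T11:58:00+00:00"),
    ("db-01", "2024-05-01T06:00:00+00:00"),     # stale: last event is hours old
    ("vpn-gw", "2024-05-01T11:59:30+00:00"),
    ("lab-box-7", "2024-05-01T11:30:00+00:00"),  # sends logs but is not in the inventory
]
# "hr-fileshare" never appears in INGESTED, so it is a silent asset.

NOW = datetime.fromisoformat("2024-05-01T12:00:00+00:00")


def check_log_health(inventory, ingested, now, max_silence=timedelta(hours=4)):
    """Compare the asset inventory against SIEM ingestion and return the three gaps
    the article warns about: inventoried assets sending no logs at all, inventoried
    assets whose logs have gone stale, and log sources the inventory does not know."""
    last_seen = {}
    for host, ts in ingested:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    silent = sorted(h for h in inventory if h not in last_seen)
    stale = sorted(h for h, t in last_seen.items()
                   if h in inventory and now - t > max_silence)
    unknown = sorted(h for h in last_seen if h not in inventory)
    return {"silent": silent, "stale": stale, "unknown": unknown}


def health_tickets(report, inventory):
    """Turn each gap into a 'Health' playbook ticket (category, sub-category, host,
    escalation target): the owning team for known assets, asset management for unknown ones."""
    tickets = [("Health", "no-logs", h, inventory[h]) for h in report["silent"]]
    tickets += [("Health", "stale-logs", h, inventory[h]) for h in report["stale"]]
    tickets += [("Health", "unknown-source", h, "asset-management") for h in report["unknown"]]
    return tickets


if __name__ == "__main__":
    for ticket in health_tickets(check_log_health(INVENTORY, INGESTED, NOW), INVENTORY):
        print(ticket)
```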
3. Not Conducting Complete Forensic Analysis
Conducting thorough and complete root cause and forensics analysis can be missed in the heat of battle, with management demanding a return to safe operations as quickly as possible.
Containment is not remediation; if only contained, without root cause analysis and remediation, threat actors will be back in 30-90 days or less.
4. Having a Prevention Bias
Over-emphasis on preventive measures while allowing response activities to remain immature is another mistake to avoid. People tend to think it can’t happen to them if they have multi-layered preventive measures in place. People who say they’ve never been compromised are unaware that they have been.
5. Only Reacting to Real-World Security Incidents
Only reacting to real-world incidents is a mistake: tabletop exercises that take the IR team through its paces are invaluable, not only for keeping the team fresh on what actions to take but for ensuring that documented procedures are still current.
Keep these common mistakes in mind throughout your incident response process. And, if you need expert advice to plan and build your own incident response process, consider CIPHER as a managed security services provider (MSSP) that can integrate a proven process directly into your business.