Systal’s DFIR Manager, James McGoldrick, explores the differences between proactive and reactive incident response and explains the top three actions to take on your journey to developing a proactive incident response strategy.
Over the past few years, most companies have significantly changed their network architecture. In 2020, businesses scrambled to build flexible network environments to support remote and hybrid working. Since 2022-2023 the pandemic-driven need for remote working has subsided, and those businesses are now looking to rationalise the hybrid environments they built in a hurry. This fundamental change in network architecture has expanded these businesses' attack surface and changed their threat profile.
2023 bore witness to an increase in the use of ransomware, with many threat actors exploiting remote working infrastructure as their initial point of entry. This has continued into the first half of 2024, with more evidence of threat actors exploiting vulnerabilities in VPN gateways and other publicly exposed network devices to gain initial access.
Companies are also embracing the Internet of Things (IoT) and Internet-connected operational technology. Whilst this helps streamline business activity, it increases the attack surface and gives an attacker more opportunity to cause physical damage to equipment, environments or, in the worst case, people. Securing IoT devices is often not easy: firmware may not be easily updated, and maintaining an inventory of an ever-growing IoT estate becomes more and more challenging.
Even without touching on quantum computing, artificial intelligence (AI), zero trust networking and many other subjects, 2024 is proving to be an extraordinarily busy year for cybersecurity and IT teams globally.
Proactive vs Reactive Incident Response Attitudes
Having a positive attitude towards incident response is a key part of your cyber security planning. But what does that look like?
In too many cases, the first time an organisation considers incident response is AFTER it realises that it has been the victim of a cyber security or information security breach. When this happens, the company scrambles to understand what has happened and generally does not fully understand which sources of information are available to it, which makes it hard to identify the nature of the problem and how best to recover from it.
Many companies either don't have good backups in place or have a backup system but never practise restoring from it. It is sadly an all-too-common occurrence to see a company try to recover from a backup, only to discover that the backup is incomplete or corrupt and the recovery fails, leaving them with nothing. A backup that stays online and reachable from the compromised network is also within reach of the attacker and may have been encrypted or deleted along with everything else.
These scenarios are examples of reactive incident response.
3 Ways to Develop a Pro-Active Incident Response Strategy
Here are the top three things you should consider on your journey to developing a proactive incident response strategy.
1) Understand your company’s infrastructure, assets, and technologies.
To react effectively to any incident, you need to have a good understanding of the equipment, technologies and connections between the items that exist within your organisation. You should be able to identify exactly how many devices are connected to your network and be able to identify unauthorised users and devices quickly. This information should be maintained as part of an asset register/inventory as well as in the form of logical and physical network topologies. These need to be maintained to reflect any changes that are made to your organisation’s network.
Do you know what software, including its current version, is deployed across your whole organisation? The answer to this question should be yes.
Asset management software can assist you in this process, but you should have a good understanding of the software and technologies that you use, and how they are configured. This information should be documented and made available to your IT or Security Incident Response team along with your topologies and asset registers.
This information is invaluable when responding to incidents as your incident response team needs to be able to identify devices, locations and users from device identifiers, IP addresses and subnets encountered during an incident.
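As an added example (not Systal's tooling or code from this article), the following Python shows the kind of lookup an incident response team needs from an asset register: resolving an IP address encountered during an incident to a registered host and to the most specific subnet (site and VLAN) containing it, diffing an observed device list such as a DHCP lease export against the register to flag unregistered devices, and answering "which hosts run package X, and at what version?" from the software inventory. The sites, hosts, MAC addresses, owners, software versions and observed leases are constructed sample data.

```python
"""Resolve incident indicators against an asset register.

Added example, not Systal's tooling. The subnets, hosts, owners, software
versions and the observed-lease list below are constructed sample data."""
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Subnet:
    network: ipaddress.IPv4Network
    site: str
    vlan: str

@dataclass(frozen=True)
class Host:
    hostname: str
    ip: ipaddress.IPv4Address
    mac: str
    owner: str
    software: dict = field(default_factory=dict)  # package -> installed version

# Constructed sample register (hypothetical sites and devices).
SUBNETS = [
    Subnet(ipaddress.ip_network("10.0.0.0/8"), "corporate (any site)", "untagged"),
    Subnet(ipaddress.ip_network("10.20.0.0/16"), "Glasgow office", "vlan20-users"),
    Subnet(ipaddress.ip_network("10.20.50.0/24"), "Glasgow office", "vlan50-servers"),
    Subnet(ipaddress.ip_network("192.168.100.0/24"), "VPN gateway client pool", "remote-access"),
]
HOSTS = [
    Host("fs01", ipaddress.ip_address("10.20.50.10"), "00:11:22:33:44:01", "IT Ops", {"openssh": "9.6"}),
    Host("lt-jsmith", ipaddress.ip_address("10.20.3.41"), "00:11:22:33:44:02", "J. Smith", {"chrome": "124.0"}),
]
HOSTS_BY_IP = {h.ip: h for h in HOSTS}
HOSTS_BY_MAC = {h.mac.lower(): h for h in HOSTS}

def resolve_ip(ip_text: str) -> dict:
    """Map an IP seen in an incident to its registered host (if any) and to the
    most specific registered subnet containing it (longest prefix match), which
    still gives the responder a site and VLAN when the device itself is unknown."""
    ip = ipaddress.ip_address(ip_text)
    host = HOSTS_BY_IP.get(ip)
    candidates = [s for s in SUBNETS if ip in s.network]
    subnet = max(candidates, key=lambda s: s.network.prefixlen, default=None)
    return {
        "ip": ip_text,
        "registered": host is not None,
        "hostname": host.hostname if host else None,
        "owner": host.owner if host else None,
        "site": subnet.site if subnet else None,
        "vlan": subnet.vlan if subnet else None,
    }

def unregistered_devices(observed: list) -> list:
    """Diff (mac, ip) pairs from a DHCP lease or ARP export against the register.
    A device is flagged if its MAC is unknown or if it is using an address other
    than the one recorded for it."""
    flagged = []
    for mac, ip_text in observed:
        host = HOSTS_BY_MAC.get(mac.lower())
        if host is None or str(host.ip) != ip_text:
            flagged.append((mac, ip_text))
    return flagged

def hosts_running(package: str) -> list:
    """(hostname, recorded version) for every host whose software inventory
    lists the package: the first question asked when a vendor advisory lands."""
    return [(h.hostname, h.software[package]) for h in HOSTS if package in h.software]

# Constructed sample DHCP lease export.
OBSERVED_LEASES = [
    ("00:11:22:33:44:01", "10.20.50.10"),
    ("00:11:22:33:44:02", "10.20.3.41"),
    ("DE:AD:BE:EF:00:01", "10.20.3.99"),   # not in the register
]

if __name__ == "__main__":
    for ip in ("10.20.50.10", "192.168.100.7", "203.0.113.5"):
        print(resolve_ip(ip))
    print("unregistered:", unregistered_devices(OBSERVED_LEASES))
    print("openssh hosts:", hosts_running("openssh"))
```

The longest-prefix match matters in practice: a broad /8 entry will match almost any internal address, so the register needs the per-VLAN subnets recorded as well for the result to name a site. The same diff logic runs equally well against an ARP table from the core switch; whichever source is used, the register must be updated when the network changes or every legitimate new device will be flagged.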
2) Have a plan in place ahead of time.
- Do you know how to isolate your network environments?
- How long would it take to do this?
- Who needs to authorise such an action?
- What business continuity plans are in place to allow your core business activities to continue if key systems become unavailable?
- Who needs to be informed in the event of a cyber security incident?
These are just five questions to which you must know the answer. In the case of question 5 for example, this could be internal managers or decision makers, customers, regulatory bodies, or all the above.
You should have a plan of action in place so that communication is quick and effective in the event of an incident. This will not only ensure a rapid response but also help meet regulatory and legal obligations as well as protect your organisation’s reputation.
Do you know where your key logs and systems are located? You should understand where your company’s valuable assets and systems are located and have a plan in place to quickly obtain copies of those systems and relevant network traffic logs that can be provided to an incident response team for examination.
3) Test your approach.
Having a plan written down on paper is great, but there isn’t much value in it unless you have practised putting that plan into action. You may identify challenges in communication or weaknesses in your plan that require remediation. It’s much better to realise this in a dry run than during a real incident.
Practising the key steps of incident response also helps your decision makers understand some of the difficult decisions they may face during an ongoing crisis. Decisions for likely scenarios, such as who may authorise isolating the network, can be agreed ahead of time, saving valuable time and money if the worst does happen.
Finally, practice is important for your IT managers, engineers, and support staff, who need to be able to quickly and effectively isolate systems, create snapshots, transfer logs and other data to investigation teams and implement recovery steps. These key individuals should know what’s expected of them during an incident and they should have the resources and information needed to quickly help mitigate any issues when they do arise.
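Transferring logs and other data to an investigation team, mentioned above and in the planning point about obtaining copies of systems and network traffic logs, is only useful if the receiving team can show that what they examine is what was collected. As an added example (not Systal's tooling or code from this article), the following Python packages a directory of collected logs into a tarball with an embedded SHA-256 manifest, returns a digest of that manifest to be recorded out of band, and verifies a received package, reporting missing, unexpected or altered files. File names, paths, the evidence/ layout, MANIFEST_NAME and the log lines are constructed sample data.

```python
"""Package collected logs for hand-off to investigators with a SHA-256
manifest, and verify a received package. Added example, not Systal's tooling;
file names, paths and log lines are constructed sample data."""
import hashlib
import io
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Optional

MANIFEST_NAME = "MANIFEST.sha256.json"   # layout choice for this example

def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(src_dir: Path) -> dict:
    """Relative POSIX path -> SHA-256 for every regular file under src_dir."""
    return {p.relative_to(src_dir).as_posix(): sha256_file(p)
            for p in sorted(src_dir.rglob("*")) if p.is_file()}

def package(src_dir: Path, out_tar: Path, manifest: Optional[dict] = None) -> str:
    """Write src_dir into a gzip tarball with the manifest embedded; return the
    SHA-256 of the manifest text. Record that digest out of band (case log,
    phone call): whoever can alter the archive in transit can also rewrite an
    embedded manifest, so the separately held digest is what the receiver trusts."""
    if manifest is None:
        manifest = build_manifest(src_dir)
    manifest_bytes = json.dumps(manifest, indent=2, sort_keys=True).encode()
    with tarfile.open(out_tar, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=f"evidence/{rel}")
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(manifest_bytes)
        tar.addfile(info, io.BytesIO(manifest_bytes))
    return sha256_bytes(manifest_bytes)

def verify(tar_path: Path, expected_manifest_digest: Optional[str] = None) -> dict:
    """Extract to scratch space, recompute every hash and report files that are
    missing, unexpected or altered relative to the embedded manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(tar_path, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports:
                tar.extractall(tmp, filter="data")  # rejects absolute/'..' members
            else:
                tar.extractall(tmp)
        root = Path(tmp)
        manifest_bytes = (root / MANIFEST_NAME).read_bytes()
        manifest = json.loads(manifest_bytes)
        evidence = root / "evidence"
        actual = build_manifest(evidence) if evidence.is_dir() else {}
        missing = sorted(set(manifest) - set(actual))
        unexpected = sorted(set(actual) - set(manifest))
        mismatched = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
        digest_ok = (expected_manifest_digest is None
                     or sha256_bytes(manifest_bytes) == expected_manifest_digest)
        return {"ok": digest_ok and not (missing or unexpected or mismatched),
                "manifest_digest_ok": digest_ok, "missing": missing,
                "unexpected": unexpected, "mismatched": mismatched}

SAMPLE_LOGS = {   # constructed sample artefacts, not real incident data
    "auth.log": "Jun 12 03:14:07 vpn01 sshd[2231]: Accepted password for admin from 203.0.113.5 port 51544 ssh2\n",
    "firewall/edge.log": "2024-06-12T03:14:09Z edge-fw ALLOW tcp 203.0.113.5:51544 -> 10.20.50.10:22\n",
}

def demo() -> dict:
    """Verify a clean package, then show what the receiver sees when the
    out-of-band digest does not match, and when a log was altered after the
    manifest was produced."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "collected"
        for rel, text in SAMPLE_LOGS.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text(text)
        clean_tar = Path(tmp) / "evidence.tgz"
        digest = package(src, clean_tar)
        results = {"clean": verify(clean_tar, digest),
                   "wrong_digest": verify(clean_tar, "00" * 32)}
        original_manifest = build_manifest(src)   # identical to the embedded one
        (src / "auth.log").write_text("Jun 12 03:14:07 vpn01 sshd[2231]: nothing to see here\n")
        tampered_tar = Path(tmp) / "evidence-tampered.tgz"
        package(src, tampered_tar, manifest=original_manifest)
        results["tampered"] = verify(tampered_tar, digest)
        return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest digest returned by package() belongs in the case log or is read out to the receiving analyst over a separate channel; verify() without it only proves the archive is internally consistent, not that it is the archive that was collected. The same hash-and-verify step is what a backup restore drill should include, since the backup integrity failures described earlier are exactly what it surfaces before the day you depend on the backup.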
Implementing these three things can be challenging and it represents a significant amount of work, especially if you are starting from scratch. You may not have all the necessary skills or expertise within your organisation at present to achieve these steps. In that case, it may be worthwhile considering the support of a managed security services provider such as Systal…
Systal’s CSIRT and DFIR Capability
Our team can walk you through this process from start to finish. We provide the expert consultancy needed to start this journey, as well as the technical support needed to map your environment, create and maintain inventories and topologies, and plan and test an incident response strategy.
We also have a dedicated CSIRT and DFIR capability which is available 24/7/365 to step in and guide you through every step of a security incident, providing incident management, regulatory consultancy and forensic support if required to help you get back to safe business operations quickly and effectively. Contact our experts for more information.
About the author:
James McGoldrick is a Digital Forensics and Incident Response (DFIR) Manager with Systal and has over 8 years' experience in Cybercrime Investigation, 5 years of which were served in a UK Law Enforcement setting. James works with an experienced team of managed Network and Security Service engineers and consultants to provide class-leading services in Incident Response, Professional Service Consultancy and Managed Network and Security Services globally.