Asked about their number one focus in the first 24 hours after a security incident, nearly two-thirds (64 per cent) of respondents say mitigating the threat is the main priority, while 36 per cent say it is about identifying the cause. David Gray, Senior Manager and Incident Response Practice Lead EMEA at NTT Security, believes that although there is much greater security awareness from top to bottom within organisations, there is a clear lack of preparation and planning when it comes to incidents, despite the potential impact. The NTT Security poll, which was conducted over Twitter and generated around 5,500 responses, points to a lack of resources that many organisations are struggling with today as a possible explanation for this. Lack of skills in-house is what worries the majority of companies (59 per cent) when responding to a cybersecurity incident or breach, while 41 per cent worry about lack of budget. Steps to take in the first 24 hours of a security incident NTT Security recommends adopting a triage process in the first 24 hours of a security incident to provide a head start in remediation and post-incident investigation. These steps provide a starting point to this process:
“There is still an element of ‘head in the sand’, where organisations simply don’t think it is going to happen to them, despite everything we are seeing in the news. Our global Risk:Value report* last year backs this up, with less than half (49 per cent) of respondents admitting they have implemented an incident response plan. While most say they communicate their plans internally, it’s still only a minority who are fully aware of them. These figures have barely changed year on year and suggest that incident response planning is still not a priority.”
David Gray adds: “The worry is that even if organisations do have an incident response plan in place they simply do not have the resources to execute it, losing valuable hours or even days identifying the right skills and setting up the necessary SLAs and contracts. This is precious time wasted. Even the most mature security teams are forced into a reactive stance when something happens. Those first 24 hours are crucial in minimising the impact and cost of an incident and protecting valuable data, so they need to make them count!”
Understanding how and when an incident was first detected is the best place to begin. It may be some time since the systems were compromised, but asking questions, such as whether firewall logs are being used to their full potential to identify the initial compromise or if there are other SIEM solutions in place could help to uncover vital clues.
In order to provide an effective response you must know where the servers and/or endpoints are physically located. Equally important is the setup, i.e. operating systems, storage, virtualisation as well as security configuration, i.e. user groups/permissions as well as a network map.
Providing accurate handover notes to an incident response team along with a record of the steps taken up until that point are recommended in order to prevent any cross-contamination or incorrect leads being pursued. To ensure IT, CISO and incident response single point of contacts are fully engaged with one another it is essential that this communication is continued throughout the course of the incident response plan.
Log files may be crucial in uncovering and identifying indicators of compromise (IoC) or detecting the intrusion. To avoid mislaying any evidence, logging must be fully enabled and retention periods applied and provided at the earliest opportunity to ensure a thorough review to determine IoCs.
The preservation of artefacts identified within data must be maintained to carry out comprehensive forensic analysis and so that an accurate timeline can be constructed. Each incident must be treated on an individual basis and this process should be employed whether or not external authorities are engaged. If they are involved then the reports could form key evidence.