Incident response put to the test


Companies and organizations are under enormous pressure in the event of a cyber attack, because responding correctly to an incident is time-consuming yet at the same time demands quick action.

The incident response experts at Sophos have therefore developed a guide to help companies cope with this difficult task. These four tips are based on the hands-on experience of the Managed Threat Response and Rapid Response teams who have collectively responded to thousands of cyber security incidents.

1. Respond as soon as possible

When companies are attacked, every second counts. In-house security teams, however, often take too long to react. The most common reason for this is that they do not realize the gravity of the situation and the time pressure involved. In addition, many attacks take place on public holidays, at weekends and at night. Since most IT and security teams are clearly understaffed, the response to an attack at these times often comes too late to limit the damage.

Alert fatigue

In addition, a certain degree of alert fatigue slows down the response. And even when the reaction is correct and timely, security teams often lack the experience necessary to take the right steps. Possible incidents and the response to them should therefore be planned in detail in advance. Sophos has listed the ten most important steps of such a cyber crisis plan in its Incident Response Guide.

2. Don't be too hasty in declaring actions as "mission accomplished."

In a cyber incident, it is not enough to treat only the symptoms; the causes must be investigated as well. For example, successfully removing malware and clearing an alert does not mean that the attacker has been driven out of the environment. It could simply have been a test run by the attacker to find out which defensive measures they are up against. If the attacker still has access to the infrastructure, they will likely strike again, but with more destructive power. Does the attacker still have a foothold in the environment? Are they planning a second wave? Experienced incident responders know when and where to investigate more closely. They look for everything the attackers are doing, have done or may be planning, and neutralize these activities on the network.

3. Complete visibility is crucial

During an attack, it is important to have access to correct, high-quality data. Only this information makes it possible to precisely identify potential indicators of an attack and to determine its cause. Specialized teams collect the relevant data to identify the signals, and they know how to prioritize them. The following points should be noted:

Collect signals

Limited visibility into an environment is a surefire way to miss attacks. Big data tools offer a remedy here: they collect enough data to provide meaningful insights for investigating and responding to attacks. Gathering the right, high-quality data from a variety of sources provides complete visibility into an attacker's tools, tactics and procedures.

Reduce noise

For fear of not having the data that could provide a complete picture of an attack, some companies and security tools collect all the information they can. However, this approach complicates the search for attacks and generates more data than is necessary. Not only does this increase the cost of data collection and storage, it also creates a high level of noise from potential incidents, which leads to alert fatigue and time wasted chasing false positives.

Apply context

To run an effective incident response program, context is required in addition to content (the data). By applying meaningful metadata associated with signals, security analysts can determine whether those signals are malicious or benign. One of the most important components of effective threat detection and response is the prioritization of signals. The best way to identify the most important alerts is a combination of context provided by security tools (e.g. endpoint detection and response solutions), artificial intelligence, threat intelligence and the human operator's knowledge. Context helps determine the origin of a signal, the current stage of the attack, related events and the potential impact on the business.

4. It's OK to ask for help

The lack of skilled staff to investigate and respond to incidents is one of the biggest problems facing the cybersecurity industry today. Many IT and security teams under heavy pressure from cyber attacks find themselves in situations for which they lack the necessary experience and skills. This dilemma has led to an alternative: Managed Security Services, and more precisely Managed Detection and Response (MDR) services. MDR services are outsourced security operations performed by a team of specialists that act as an extension of the corporate security team. These services combine human-led investigations, real-time monitoring and incident response with technologies for information gathering and analysis.

Specialized incident response services

For companies that do not yet use an MDR service and need to respond to an active attack, specialized incident response services are a good option. Incident responders are called in when the security team is overwhelmed and external experts are needed to assess the attack and ensure that the attacker is neutralized. Companies that already have a team of qualified security analysts can also benefit from working with an incident response service, for example to close gaps in coverage (at night, at weekends and on public holidays) or to hand off specialized tasks that are required in response to an incident.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and offer the lowest total cost of ownership in the industry. Sophos provides award-winning encryption solutions as well as security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA, and Oxford, UK.
