
Case Study: How Incident Response Companies Choose IR Tools

Cynet 360 Incident Response Software

Many companies today have developed a Cybersecurity Incident
Response (IR) plan. It’s a sound security practice to prepare a
comprehensive IR plan to help the organization react to a sudden
security incident in an orderly, rational manner. Otherwise, the
organization will develop a plan while frantically responding to
the incident, a recipe ripe for mistakes.

Heavyweight boxer Mike Tyson once said, “Everybody has a plan
until they get punched in the mouth.”

A significant cybersecurity incident is an equivalent punch in
the mouth to the cybersecurity team and perhaps the entire
organization. At least at first.

Developing an Incident Response plan is undoubtedly smart, but
it only gets the organization so far. Depending on the severity of
the incident and the level of cybersecurity expertise within the
breached organization, a cybersecurity incident often leads to
panic and turmoil within the organization – plan or no plan.

It’s very unsettling to have systems and data locked by
ransomware, or not to know whether a potential intruder hidden on
the network is continuing to do damage and exfiltrate data.

One of the first things most breached organizations do is call
in a seasoned, third-party Incident Response team. Many IR providers
follow a structured six-step process defined by the SANS Institute in
a 20-page Incident Handler’s Handbook [1]. The six steps outlined
are:

  • Preparation—review and codify an organizational security
    policy, perform a risk assessment, identify sensitive assets,
    define critical security incidents the team should focus on, and
    build a Computer Security Incident Response Team (CSIRT).
  • Identification—monitor IT systems and detect deviations
    from normal operations and see if they represent actual security
    incidents. When an incident is discovered, collect additional
    evidence, establish its type and severity, and document
    everything.
  • Containment—perform short-term containment, for example,
    by isolating the network segment that is under attack. Then focus
    on long-term containment, which involves temporary fixes to allow
    systems to be used in production while rebuilding clean
    systems.
  • Eradication—remove malware from all affected systems,
    identify the root cause of the attack, and take action to prevent
    similar attacks in the future.
  • Recovery—bring affected production systems back online
    carefully, to prevent additional attacks. Test, verify, and monitor
    affected systems to ensure they are back to normal activity.
  • Lessons learned—no later than two weeks from the end of
    the incident, perform a retrospective of the incident. Prepare
    complete documentation of the incident, investigate the incident
    further, understand what was done to contain it, and whether
    anything in the incident response process could be improved.

One of the leading global Incident Response providers is BugSec.
Organizations reach out to BugSec when there is a compromise, but
the company (and their current security providers) cannot figure
out precisely what the problem is.

Maybe the company has been infected with ransomware, but can’t
figure out how it was deployed and whether the adversary has access
to the network. Perhaps the company became aware of stolen
intellectual property and didn’t know how the information was
exfiltrated.

The BugSec team’s first order of business is to figure out what
malicious actions have transpired and how the adversary was able to
compromise the organization. Once BugSec can identify and contain
the incident, they can fully eradicate all attack components and
artifacts and then fully restore operations.

How does BugSec accomplish the difficult task of identifying,
containing, and remediating the full scope of a cyberattack?

The one tool BugSec relies on for virtually all IR
engagements is Cynet 360 [2]. Cynet offers its
platform to IR providers for free. The Cynet agent can be deployed
to thousands of endpoints in a matter of hours and immediately
provides visibility into endpoints, processes, files, network
traffic, user accounts, and more.

The platform automatically detects anomalies and can quickly
pinpoint an attack’s root cause and expose its full extent.

Moreover, Cynet removes active threats “on the fly” and can be
used for more complex remediation across the environment.
Customized remediation playbooks can be easily configured and
deployed to fully eradicate complex attack components across the
environment so operations can be quickly restored. More information
about how BugSec works with Cynet can be found here [3].

You may get punched in the mouth by a very capable cybercriminal
someday. Just remember that specialists are ready to help you
recover when your IR plan seems to be falling apart.

References

  1. Incident Handler’s Handbook (www.sans.org)
  2. Cynet 360 (www.cynet.com)
  3. How BugSec works with Cynet (go.cynet.com)
