Responding to a critical cyberattack can be stressful and time consuming. While nothing can fully alleviate the pressure of dealing with an attack, these tips from the incident response experts of Sophos’ Managed Threat Response and Rapid Response teams offer advantages when defending your organization.
Tip #1: React as quickly as possible
When an organization is under attack, every second matters. Often teams don’t understand the severity of the situation – and that leads to a lack of urgency.
Cyberattacks tend to hit at inopportune times: holidays, weekends and in the middle of the night. Since most incident response teams are significantly understaffed, this can lead to a “we’ll get to that tomorrow” attitude. Unfortunately, tomorrow may be too late to minimize the impact of the attack.
Overwhelmed teams are more likely to react slowly to indicators of a cyberattack because they suffer from alert fatigue. When a case is initially opened, it may not be correctly prioritized due to a lack of visibility and context. This costs time, and time is not on a defender’s side in an incident response.
Even if the security team is aware that they are under attack and action needs to be taken immediately, they may not have the experience to know what to do next. The best way to combat this is by planning for incidents in advance.
Tip #2: Don’t declare “mission accomplished” too soon
In incident response it’s not enough to only treat the symptoms. It’s important to treat the disease as well. When a threat is detected, triage the immediate attack. Often teams will stop the initial cyberattack but not solve the root cause. Successfully removing malware and clearing an alert doesn’t mean the attacker has been ejected from the environment. If the attacker still has access, they’ll likely strike again, but more destructively.
Incident response teams need to ensure that they address the root cause of the original incident they mitigated. Does the attacker still have a foothold in the environment? Are they planning to launch a second wave? Incident response operators know when and where to investigate deeper. They look for anything else attackers are doing, have done, or might be planning to do in the network – and neutralize that, too.
Tip #3: Complete visibility is crucial
While navigating a cyberattack, nothing makes defending an organization more difficult than flying blind. It’s important to have access to the right high-quality data, to accurately identify potential indicators of attack and determine the root cause. Effective teams collect the right data to see the signals, separate the signals from the noise and know which signals to prioritize.
Collecting signals: Limited visibility is a sure-fire way to miss cyberattacks. Collect enough data to generate meaningful insights for investigating and responding to attacks.
Reducing noise: Fearing they won’t have enough data, some organizations collect everything. However, they’re not making it easier to find a needle in a haystack; they’re making it harder by piling on more hay. This not only adds to the cost of data collection and storage, but it also creates more noise, which leads to time wasted chasing false positives.
Applying context: There’s a saying among threat detection and response professionals: “Content is king, but context is queen.” Both are necessary to run an effective incident response program. Applying meaningful metadata associated to signals allows analysts to determine if such signals are malicious or benign.
One of the most critical components of effective threat detection and response is prioritizing the signals that matter the most. The best way to do this is with a combination of context provided by endpoint detection and response solutions, artificial intelligence, threat intelligence and the knowledge base of the human operator. Context helps pinpoint where a signal originated, the current stage of the cyberattack, related events and the potential impact to the business.
Tip #4: It’s OK to ask for help
No organization wants to deal with breach attempts. However, there’s no substitute for experience when it comes to responding to incidents. This means that IT and security teams tasked with high-pressure incident response are thrown into situations that are beyond their skills to deal with; situations that often have a massive impact on the business.
The lack of skilled resources to investigate and respond to incidents is one of the biggest problems facing the cybersecurity industry today. This problem is so widespread that according to ESG Research, “34% say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.”
This dilemma has given way to a new alternative: managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists, and act as an extension of a customer’s security team. These services combine human-led investigations, threat hunting, real-time monitoring and incident response with a technology stack to gather and analyze intelligence. According to Gartner, “by 2025, 50% of organizations will be using MDR services,” signaling that organizations are realizing they will need help to run a complete security operations and incident response program.
For organizations that have not employed an MDR service and are responding to an active attack, incident response specialist services are an excellent option. Incident responders are brought in when the security team is overwhelmed and needs outside experts to triage the attack and ensure the adversary has been neutralized.
Even organizations that have a team of skilled security analysts can benefit from collaborating with an incident response service to shore up gaps in coverage and specialized roles that are needed when responding to incidents.
To learn more about how Sophos can help protect users and devices against malware, ransomware, exploits and viruses, visit CDW.ca/Sophos