What is the best way to manage complex security incidents?

Security incident management is the process of detecting, analyzing, managing, and responding to security threats in an organization so as to mitigate damage and restore its business continuity as soon as possible. Here are some ways to manage complex security incidents: -Prepare for incidents Identify potential incidents through monitoring, and report all incidents. -Develop incident response playbooks Create a step-by-step guide to responding to incidents -Assess risks -Conduct regular security audits -Take proactive measures -Detect insider threats -Train employees Educate your employees about potential malware and ransomware attacks. This helps staff stay alert. -Consider outsourcing

Planning is great, but avoid relying on the assumption the incident will play out just as it did in the exercise scenario. There are key things to prepare and test, that allow you to react and adapt regardless of outcome: 1) Decision Making Authorities - who can decide to turn things on/off, especially business critical functions. 2) Crisis Communications - when corporate IT falls over, how do you talk? How do you get a message out to all staff if theirs no email? 3) Access to data/facilities - who owns the data you might need to investigate an incident? Where does it live, and can you access it? Do you need to be in-person or will remote access work? Can you access a data centre out of hours, or is "Frank" the only one with a key?

A first step in being prepared is to start creating your IR plan or CSIRP as it sometimes gets referred to, test and validate your CSIRP and expand the way it references your other cyber security preparations and security controls. You should have a "Reporting Security Incidents" and a "Incident Response" policy statement, whether these are separate documents or are part of a larger Information Security Policy is down to the style of governance within your organisation. Detail approaches to common scenarios, can be documented in runbooks or playbooks, the naming convention and contents is again down to the style of governance and quality management within your organisation.

Planning in advance how and who communications will flow to. When that comms will happen (triggers) and what will be shared or said. Think in terms of a core comms circle and then expanding rings beyond that that bring more and more people into the loop.

For those who may have minimal experience with establishing an Incident Response Plan. All of these subjects and comments are relevant. However, are they relevant within your environment, might be a valid question. From my perspective… Start with the NIST Incident Response documentation, then elaborate upon all of these subjects and comments, in order to enhance the Incident Response template that has been provided by NIST.

Start by pinpointing the breach using forensic tools, identifying its scale and origin. The analysis then delves into the 'how' and 'why,' employing a mix of technical skills and critical thinking to dissect the incident. This dual approach not only resolves the current threat but also strengthens defenses against future attacks. Mastery in using forensic tools, combined with investigative acumen, is essential for extracting actionable insights and ensuring robust security measures.

Understand and apply the "Five Whys" - don't just take for granted how or why something happened - get to the root cause of WHY something happened. Ransomware doesn't just materialise out of thin air - it's not Pokemon - find out how it got there.

Gather and analyze data from logs, alerts, network traffic, endpoints, and threat intelligence to pinpoint the root cause, attack vector, and threat actor. This comprehensive analysis is crucial for accurate incident management. Maintain clear and structured communication with your IR team and stakeholders through established channels and protocols. Timely information sharing and collaboration ensure a coordinated response, aiding in swift resolution and minimizing disruption to business objectives.

Remember that there's a quick/cheap way to do this and a slow/expensive way. This realisation that there is a business impact to HOW you eradicate the threat means you may have introduce risk. That risk/cost tradeoff is important to get right - in my career I think I've only ever seen one organisation completely re-build their environment following a breach. And it cost so much it was easier to just buy the incident response company, than pay the bill.

Isolate affected systems, remove malicious files, patch vulnerabilities, and restore compromised data or functionality. Meticulously document each step of containment and eradication, including outcomes and any issues encountered. Ensure continuous communication with your IR team and stakeholders, providing updates and insights throughout the process. This thorough approach not only addresses the immediate threat but also supports future preparedness and response strategies.

This captures the delicate balance of eradication and recovery well. Having a decision making body in place to support the Incident Response process helps consider all views from the business, cyber and other stakeholders to make a balanced decision when moving through each stage.

Exercising, especially with non-IT/Security staff is a great way to get buy-in from Execs in advance of when you need it. Table Top Exercises are a great way of doing this, and gets x-business functions (HR, Legal, Comms, etc) thinking about their own role in a cyber incident.

an Incident Response Plan or CSIRP, is influenced by the maturity of both the security team and the overall organisation. It can also reference any of these Incident Response Policy, First Responder Training, SOC Runbooks Forensic Guidelines Vulnerability Management Policy Asset Management Policy Software Patching Policy Crisis Management Policy Incident Reporting Form Legal And Regulations Register

We’ve seen x-team engagement be a huge benefit to clients. There can be a lot of unexpected friction between teams. To respond and recover effectively you need to build inter-team empathy and strong lines of communication before a real incident.