As a CSIRT consultant, I cannot overemphasize the importance of effectively managing the first hour in a critical incident.
Working out what to do is often a daunting task in a critical incident, and the accompanying unease frequently prevents an incident response analyst from making effective decisions. Keeping a cool head and having actions planned out in advance is crucial to handling a security incident successfully. This blog will elaborate on some key points to help readers build better incident response procedures.
Preparation is essential
Before taking on any incident, security analysts need a great deal of information. To start with, incident response analysts need to be familiar with their roles and responsibilities. IT infrastructure has evolved rapidly over the past years; for example, we have observed an increasing move to cloud computing and cloud data storage. The fast-changing IT environment frequently requires analysts to update their skill sets, such as by learning about cloud security. Analysts therefore need hands-on practice and must maintain a complete picture of the topology of all systems. In practice, external CSIRT analysts should quickly identify all assets under their responsibility, while in-house CSIRT analysts should also actively participate in the vulnerability management and discovery scanning processes.
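The point above about knowing every asset under your responsibility is easier to act on with a concrete reconciliation step. The following is an added example, not code from the original post: it compares a hypothetical asset inventory (a CMDB-style export) with the output of a discovery scan and reports hosts that were discovered but are not in the inventory (unmanaged assets nobody is accountable for), inventory entries that no longer answer (stale records that will mislead responders), and hostname mismatches. The inventory, the CSV layout, and all IP addresses are constructed sample data.

```python
import csv
import io

# Constructed sample inventory (hypothetical CMDB export): IP -> asset record.
INVENTORY = {
    "10.0.1.10": {"name": "web-01", "owner": "platform", "env": "prod"},
    "10.0.1.11": {"name": "web-02", "owner": "platform", "env": "prod"},
    "10.0.1.12": {"name": "web-03", "owner": "platform", "env": "prod"},
    "10.0.3.20": {"name": "backup-01", "owner": "infra", "env": "prod"},
}

# Constructed sample discovery-scan export (hypothetical CSV layout):
# one row per live host, open ports separated by ';'.
DISCOVERY_CSV = """ip,hostname,open_ports
10.0.1.10,web-01,22;443
10.0.1.11,web-02,22;443
10.0.2.5,,3389;445
10.0.3.20,bkp-01,22
"""


def parse_discovery(text):
    """Parse the scan CSV into {ip: {"hostname": str | None, "open_ports": [int]}}."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        ports = [int(p) for p in row["open_ports"].split(";") if p]
        hosts[row["ip"]] = {
            "hostname": row["hostname"] or None,
            "open_ports": ports,
        }
    return hosts


def reconcile(inventory, discovered):
    """Compare what we believe we own (inventory) with what is actually reachable (discovered)."""
    known = set(inventory)
    seen = set(discovered)
    confirmed = sorted(known & seen)
    return {
        # Live on the network but absent from the inventory: no owner, no patch cadence,
        # and nobody will think to look at it during an incident.
        "unknown": sorted(seen - known),
        # In the inventory but not answering: decommissioned, moved, or mis-recorded.
        "stale": sorted(known - seen),
        "confirmed": confirmed,
        # Same IP, different name: the inventory is drifting from reality.
        "hostname_mismatch": sorted(
            ip for ip in confirmed
            if discovered[ip]["hostname"]
            and discovered[ip]["hostname"] != inventory[ip]["name"]
        ),
    }


def report(inventory, discovered):
    """Render the reconciliation as a list of lines an analyst can act on."""
    result = reconcile(inventory, discovered)
    lines = []
    for ip in result["unknown"]:
        ports = ",".join(str(p) for p in discovered[ip]["open_ports"])
        lines.append(f"UNKNOWN   {ip} (ports {ports}) - assign an owner and add to inventory")
    for ip in result["stale"]:
        lines.append(f"STALE     {ip} ({inventory[ip]['name']}) - verify and retire or correct record")
    for ip in result["hostname_mismatch"]:
        lines.append(
            f"MISMATCH  {ip} inventory={inventory[ip]['name']} scan={discovered[ip]['hostname']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(INVENTORY, parse_discovery(DISCOVERY_CSV)):
        print(line)
```

Running this on a real inventory export and scan output turns "know your assets" from advice into a repeatable check; the unknown-host list is the one to review first, since an unmanaged host with RDP and SMB exposed is exactly the kind of system that is missed until it becomes the incident.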
The quality of the collected information determines the outcome of incident response. CSIRT analysts also need to understand the threats they will be facing. As defensive cyber security technologies are upgraded every day, threat actors are poised to evolve with them. For example, according to a paper in 2020, four out of the top ten active ransomware actors are now using the "Ransomware as a service" business model. This trend means that malicious actors can deploy ransomware more easily, because such attacks no longer require much technical skill to carry out. In short, CSIRT teams need to identify the primary threats they are likely to encounter.
For example, a CSIRT specialist may see common malware and conclude that no additional threats exist. But when the same situation arises in a more sensitive context, such as an attack in the energy sector, they will have to think critically and look out for unconventional attack methods. To prepare effectively for incident response, analysts need to be familiar with both the infrastructure they will be working with and the cyber security threat landscape they will be facing.