Overlooked Dimensions of Incident Response

IBM

By John Dwyer, Head of Research, X-Force Consulting


Over the years, I have witnessed incident responders pull rabbits out of hats while catching Hail Mary passes to prevent incidents from becoming major crises. However, there are often uncontrollable factors that can significantly impact an incident response (IR) investigation process. That’s why it’s important to consider the often-overlooked aspects of IR planning. Adequately preparing for the inevitable has its benefits: organizations that had an IR team and conducted IR plan testing saved an average of $2.66 million in data breach costs compared to those lacking both, according to an IBM report.

Make or Break Moments

It’s 7:00 PM on a Friday and you need to install software or run a script across every Windows, Linux, and Mac system in the enterprise. What do you do? The wrong answer is “just push it out.” Anyone who has deployed software across an enterprise, even in the best of times, knows it is not that simple.

In the worst of times (during an incident), this can be a major hurdle that delays incident responders from taking the critical steps needed to contain an incident. Emergency software deployment should therefore be part of the cybersecurity incident response plan (CSIRP), because during an enterprise-wide incident response there are two key questions that must be answered:

  1. Is the incident over?
  2. How did the incident happen?

To investigate the state and cause of a breach, it’s critical to gain real-time visibility into your environment, typically through an endpoint detection and response (EDR) solution. Most EDR products install an agent on each system that records network connections, process executions, and file activity. If anomalous behavior is detected, the EDR platform can trigger response actions such as terminating the adversary’s processes and isolating the affected machines from the network.

Once the breach is contained, the next step is to investigate how it occurred. Proper root cause analysis usually requires incident responders to collect forensic artifacts at scale by deploying scripts or forensic tools, and then to assemble those artifacts into a timeline of historical activity. Choose an EDR platform that lets responders push and run forensic tools; otherwise, your internal team will be severely limited in determining the root cause of the incident.
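The collection-and-timeline step above, as an added example that is not part of the original article or of any IBM tooling: a small Python triage script of the kind a responder might push through an EDR platform. It walks a directory tree, records the modified/accessed/changed timestamps of every file, filters to a window around a known indicator time, and renders a UTC-ordered CSV. The file names, contents and the incident time `T0` are constructed sample data, not real artifacts.

```python
"""Minimal file-system timeline collector for incident triage.

Added example, not code from the original article. Runs unmodified on
Windows, Linux and macOS; the sample tree it builds is constructed data.
"""
import csv
import io
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed incident reference time (2023-11-14T22:13:20Z), e.g. the first alert.
T0 = 1_700_000_000


def collect_artifacts(root):
    """Walk `root` and emit one event per MAC timestamp of every file.

    m = content modified, a = last accessed, c = inode/metadata change on POSIX
    (creation time on Windows). Unreadable or vanished files are skipped instead
    of aborting the run, which matters when the script is executed unattended
    on thousands of hosts.
    """
    events = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            for kind, ts in (("m", st.st_mtime), ("a", st.st_atime), ("c", st.st_ctime)):
                events.append({
                    "ts": ts,
                    "type": kind,
                    "name": name,
                    "path": path,
                    "size": st.st_size,
                    "mode": stat.filemode(st.st_mode),
                })
    return events


def build_timeline(events, start=None, end=None):
    """Order events chronologically, restricted to an optional [start, end] window
    in epoch seconds. Narrowing to the window around a known indicator is what
    turns raw stat() output into something a responder can actually read."""
    in_window = [
        e for e in events
        if (start is None or e["ts"] >= start) and (end is None or e["ts"] <= end)
    ]
    return sorted(in_window, key=lambda e: (e["ts"], e["path"], e["type"]))


def to_csv(timeline):
    """Render the timeline as CSV with UTC timestamps so output collected from
    hosts in different time zones merges cleanly."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["utc_time", "type", "size", "mode", "path"])
    for e in timeline:
        when = datetime.fromtimestamp(e["ts"], tz=timezone.utc).isoformat()
        writer.writerow([when, e["type"], e["size"], e["mode"], e["path"]])
    return buf.getvalue()


def make_sample_tree(base):
    """Constructed sample data: three files with back-dated modification times.
    Names and contents are illustrative only."""
    layout = {
        "docs/README.txt": (b"old and boring\n", T0 - 30 * 86400),  # long before the incident
        "Downloads/invoice.pdf.exe": (b"MZ...", T0),                 # initial-access artifact
        "ProgramData/svc/updater.dll": (b"MZ...", T0 + 120),         # dropped two minutes later
    }
    for rel, (content, mtime) in layout.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
        os.utime(full, (mtime, mtime))  # sets atime and mtime; ctime stays "now"
    return base


def run_demo():
    """Build the sample tree in a temp directory, collect from it, and return
    (timeline within T0-60s..T0+600s, all events). The temp directory is removed."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_tree(tmp)
        events = collect_artifacts(tmp)
    return build_timeline(events, start=T0 - 60, end=T0 + 600), events


if __name__ == "__main__":
    timeline, _all_events = run_demo()
    print(to_csv(timeline))
```

In practice the script would be pointed at user profile, temp and service directories on each host and its CSV shipped back to a central share; merging per-host CSVs sorted on `utc_time` gives the cross-enterprise timeline the root cause analysis needs.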

Emergency Software Deployment Strategies

In addition to developing multiple technical options for emergency software deployment during incident response, consider including the following in your CSIRP:

  • Get pre-approval to use EDR solutions with cloud-based infrastructure during an incident
  • Develop and test at least one backup software deployment solution
  • Test IR software deployment with IT before an incident and resolve any issues found
  • Document deployment considerations, including firewall rules, exclusions for the scripts and EDR agent in the existing antimalware solution, and a temporary privileged account to execute the software
  • Ensure that change management pre-approves the change so that deployment can be accelerated during an active incident

During incidents, it’s common to lack the crucial data and visibility needed to scope the incident, identify attacker activity, and determine the root cause. To support adequate detection and response actions, IR teams often need to increase visibility and collect data at scale through software and scripts.

With the ever-increasing threat of ransomware, hours, minutes, and seconds matter, and any delay can truly be a make-or-break moment.
