The clock starts ticking immediately following a cybersecurity incident with the first 24 hours vital in terms of incident response.
The majority (59 percent) of companies are not confident they could resume ‘business as usual’ after the first 24 hours, although 41 percent say they are, according to a new social media poll by NTT Security.
Asked about their number one focus in the first 24 hours after a security incident, nearly two-thirds (64 percent) of respondents say mitigating the threat is the main priority, while 36 percent say it is about identifying the cause.
David Gray, Senior Manager and Incident Response Practice Lead EMEA at NTT Security, believes that although there is much greater security awareness from top to bottom within organizations, there is a clear lack of preparation and planning when it comes to incidents, despite the potential impact.
“There is still an element of ‘head in the sand’, where organizations simply don’t think it is going to happen to them, despite everything we are seeing in the news. Our global Risk:Value report last year backs this up, with less than half (49 percent) of respondents admitting they have implemented an incident response plan. While most say they communicate their plans internally, it’s still only a minority who are fully aware of them. These figures have barely changed year on year and suggest that incident response planning is still not a priority.”
The NTT Security poll, which was conducted over Twitter and generated around 5,500 responses, points to a lack of resources that many organizations are struggling with today as a possible explanation for this.
Lack of skills in-house is what worries the majority of companies (59 percent) when responding to a cybersecurity incident or breach, while 41 percent worry about lack of budget.
David Gray adds: “The worry is that even if organizations do have an incident response plan in place they simply do not have the resources to execute it, losing valuable hours or even days identifying the right skills and setting up the necessary SLAs and contracts. This is precious time wasted. Even the most mature security teams are forced into a reactive stance when something happens. Those first 24 hours are crucial in minimizing the impact and cost of an incident and protecting valuable data, so they need to make them count!”
Steps to take in the first 24 hours of a security incident
NTT Security recommends adopting a triage process in the first 24 hours of a security incident to provide a head start in remediation and post-incident investigation. These steps provide a starting point to this process:
Detection: Understanding how and when an incident was first detected is the best place to begin. It may be some time since the systems were compromised, but asking questions, such as whether firewall logs are being used to their full potential to identify the initial compromise or if there are other SIEM solutions in place could help to uncover vital clues.
System framework: In order to provide an effective response you must know where the servers and/or endpoints are physically located. Equally important is the setup, i.e. operating systems, storage, virtualization as well as security configuration, i.e. user groups/permissions as well as a network map.
Preliminary remediation: Providing accurate handover notes to an incident response team along with a record of the steps taken up until that point are recommended in order to prevent any cross-contamination or incorrect leads being pursued. To ensure IT, CISO and incident response single point of contacts are fully engaged with one another it is essential that this communication is continued throughout the course of the incident response plan.
Logs provide crucial evidence: Log files may be crucial in uncovering and identifying indicators of compromise (IoC) or detecting the intrusion. To avoid mislaying any evidence, logging must be fully enabled and retention periods applied and provided at the earliest opportunity to ensure a thorough review to determine IoCs.
Artefact preservation: The preservation of artefacts identified within data must be maintained to carry out comprehensive forensic analysis and so that an accurate timeline can be constructed. Each incident must be treated on an individual basis and this process should be employed whether or not external authorities are engaged. If they are involved then the reports could form key evidence.