The incident response plan outlined at the bottom of this post is a snippet from a generic plan I found on Google. It is a plan created by Virginia Tech. In its entirety, it is 41 pages long. Try flipping through that when you are under attack!
Can you guess how long each step below will take your IT group, without help? The times can vary widely depending on the size of the infection and the size of the infrastructure that must be evaluated.
The typical Small to Medium Business (SMB) has 2-5 IT professionals, usually none of whom has specific cyber-security experience; each has a primary domain in IT (database, developer, network, etc.). Most can’t afford to take time away from their day-to-day tasks, much less investigate and figure out a realm with which they are largely unfamiliar.
Notice point #10 – implement additional monitoring to look for related activity. Infections are hard to contain, and often the initial attack is a distraction that leaves back doors open for a more subtle attack later that will go unnoticed. The average time for a breach to remain undetected is 6 months, because of these and other tactics attackers use. Six months gives an attacker plenty of time to 1) slowly exfiltrate data, or 2) map out your environment in order to extort the company by threatening to bring down that environment.
Here are the ways a managed security partner saves you time:
1. Notify you of an attack or breach. Most often they will know before you do, since they monitor for this 24x7.
2. Tell you what it is.
3. Tell you where it is.
4. Tell you how to remediate.
5. Walk you through the process.
6. Some providers remediate for you and politely notify you after the event. Nice.
I think you will see that the above actions save way more than just time.
Let’s discuss the various options together.
This link takes you to my calendar where you can schedule some time.
Sample Incident Response Plan:
Detection and Analysis:
1. Determine whether an incident has occurred.
2. Analyze the precursors and indicators.
3. Look for correlating information.
4. Perform a search (e.g., search engines, knowledge base).
5. As soon as a handler believes an incident has occurred, begin documenting the investigation and gathering evidence.
6. Prioritize handling of the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.).
7. Report the incident to the appropriate internal personnel and external organizations.
Containment, Eradication, and Recovery:
1. Acquire, preserve, secure, and document evidence.
2. Contain the incident.
3. Eradicate the incident.
4. Identify and mitigate all vulnerabilities that were exploited.
5. Remove malware, inappropriate materials, and other components.
6. If more affected hosts are discovered (e.g., new malware infections), repeat the Detection and Analysis steps to identify all other affected hosts, then contain and eradicate the incident for them.
7. Recover from the incident.
8. Return affected systems to an operationally ready state.
9. Confirm that the affected systems are functionally normal.
10. If necessary, implement additional monitoring to look for future related activity.