Late last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a new guidance document for cybersecurity incident response: Technical Approaches to Uncovering and Remediating Malicious Activity. This marked a major moment in cybersecurity guidance because it wasn’t just the work of CISA’s U.S. authors. It was a joint effort that represents the consensus guidance of cybersecurity experts from the governments of Australia, Canada, New Zealand, the United Kingdom and the United States.
As organizations struggle to combat the steadily increasing risk posed by ransomware, business email compromise and other threats, this international consensus provides important guidance on the best ways to prepare for, detect and respond to malicious cyberattacks, and how to avoid common pitfalls. Let’s take a look at five key takeaways from the guidance.
1. You Can’t “Wing It” When It Comes to Cybersecurity Incident Response
Many organizations approach incident response with a cavalier attitude, thinking, “If an attack happens, we’ll just pull the cord out of the wall and we’ll be fine.” This approach is a recipe for disaster that can magnify the effects of an incident. Organizations that take this approach are often unable to detect the signs of an incident, are slow to mitigate and contain the damage, and may destroy potentially useful evidence.
2. Have a Structured Plan Before an Incident Occurs
The core of any incident response plan is a formal, documented set of policies and playbooks that guide incident response efforts. This documentation should include incident triage procedures, contact information for first responders and subject matter experts, and specific step-by-step procedures for common security incidents. This approach will allow you to plan ahead and avoid making crucial decisions in the heat of a crisis.
3. Don’t Overreact and Tip Your Hand Too Early
While it’s tempting to respond quickly to an emerging security incident, responders should first investigate and build indicators of compromise to avoid actions that would immediately tip off the adversary that they’ve been detected. Don’t prematurely block adversary access to your network, reset credentials or take other measures that might identify an incident response effort. These and other actions can prompt the adversary to change their tactics, putting you back at square one. Also, be sure not to use a potentially compromised network to communicate about an incident — there’s a real chance that the attackers are reading those communications.
4. Address the Root Cause, Not Just the Symptoms
The first sign of a security incident may be a single misbehaving system, but that system may be only a symptom, not the root of the security incident. Take the time to understand how attackers breached your controls in the first place and remediate those root-cause issues to ensure that cybercriminals can’t regain access using the same techniques.
5. Collect and Preserve Critical Log Data
Information is crucial to reconstructing attacker activity and getting to the heart of a security incident. Without comprehensive log data, incident responders will remain in the dark about the adversary’s activity. Now is the time to establish a centralized security information and event management (SIEM) strategy to collect, correlate and preserve log records that might be crucial to a future investigation.
As you approach these goals, it’s often helpful to have a skilled partner by your side. Having an active retainer agreement with an incident response provider ensures that you have immediate access to specialized technical expertise when disaster strikes.