Top 10 Cyber Incident Response Mistakes and How to Avoid Them
From lack of planning to rushing the closure of incidents, these mistakes seriously harm IR effectiveness.
April 27, 2020
A well-run cyber incident response team (CIRT) can prove the ultimate backstop for a cybersecurity program by stopping an early intrusion from turning into a full-blown data breach. At the very least, a CIRT can minimize the impact of breaches when they do fly under the radar.
While many cybersecurity organizations today field a CIRT, not nearly as many run theirs well.
According to cybersecurity experts who have helped organizations clean up after disastrous security breaches, many of those events were made so much worse due to incident response (IR) failures. And those failures tend to cluster around the same common IR mistakes that enterprises make time and again.
The pundits point to the following top 10 mistakes, along with advice on how to avoid them.
Without a doubt, the No. 1 IR mistake named by expert after expert is a failure to put together a plan that can guide a team when it is in the heat of a security event.
"Even today I continue to see companies fail to have a plan in place to respond to a breach," says Tim Bandos, vice president of cybersecurity for Digital Guardian. "It often requires hiring a third-party IR team on the fly to come in, deploy agents, collect evidence, perform the analysis, and so on. This can take quite a bit of time. The more time an adversary has inside an environment, the more time they can have to steal your organization's information."
It's a story that consultants and third-party response firms see over and over again, says Andrew Howard, CEO of Kudelski Security. Organizations aren't prepared to respond and have no containment and response strategy, or they don't have appropriate escalation plans in place.
"Our IR teams have also seen a general lack of understanding from clients of the threats they face when responding to a breach," Howard says.
Howard explains that a number of factors drive this lack of understanding and preparation. First among them is that many cyber incident response programs are created without any kind of strategy in mind. Instead, a team is created and handed a set of detection or threat intelligence tools and told to get to it. Without a philosophy and a plan driving the team, this unfortunately just creates a false sense of security.
If the biggest mistake is not having a plan at all, then the closest second is never actually testing a plan once it's developed, says Aviram Jenik, CEO of Beyond Security.
"Remember, everybody has a plan until they get punched in the face," Jenik says. "You need your IR team to go into the ring and get punched in the face for you to know if the plan holds."
There are a number of ways to conduct testing. It should be validated both from a procedural level, with tabletop exercises, as well as at a technical level, with methods like regular red team exercises. In addition, experts recommend everything be further tested with more advanced dry runs and simulations.
"A rudimentary tabletop exercise that covers a single compliance-driven scenario may not provide adequate latitude to verify that the plan's fundamentals are sound and actually support an executable plan for IR at the enterprise level," says Curtis Fechner, technical director, threat management, at Optiv. "It's important to take this testing seriously to drive continuous improvement."
Another mistake that frequent testing can help curtail is letting an IR plan become out-of-date shelfware.
"IR procedures are often written once and then shelved, gathering dust until, in a panic, someone digs it out," says Andrew Bassi, principal forensic consultant for Pen Test Partners. "[By then] named contacts have left or changed roles and procedures don't apply to the current hardware/software deployed in the environment."
While a new plan doesn't necessarily need to be written every time the company changes a platform, it does need to be reviewed regularly for updated information, Bassi recommends.
It should also be written generically enough in certain sections, such as the escalation plan, that it doesn't go stale quickly, says Morey Haber, CTO and CISO of BeyondTrust. Workflows should specify responsible people or groups by department, role, or title rather than by individual names, he says.
"All human interaction should be generic but precise to determine ownership -- for example, specifying the data privacy officer or cloud security architect versus John or Sandy," Haber explains.
Automation can make a big difference in the efficacy and efficiency of an IR program. The trick is figuring out just the right level of automation to cut out the low-value manual work while still leaving the tasks better-suited to human judgment in the care of smart analysts.
"Some organizations underautomate and get lost in the slog because IR is hard," says Dr. Mike Lloyd, CTO of RedSeal. "Others overautomate, not realizing that machine reasoning still falls short and is easily defeated by a human who knows they only need to beat a machine, not another human."
Some of the best foundations to lay for solid IR practices are also fundamental blocking and tackling for good IT administration and security management, including doing the "know thyself" work of asset discovery and classification.
"Failing to tackle things like asset inventories or data classification and management leads to a lot of mistakes," Optiv's Fechner says. "Not knowing what you're protecting or where your crown jewels lie makes it much harder to formulate a sound IR strategy."
Alert prioritization and triage are important components of managing analytics workloads. But triaging only the critical and high-severity alerts, while ignoring lower-severity and subtler threat behaviors, can let malicious activity linger uninvestigated until it is too late.
"The problem with a prioritization-only approach is that the threat has been allowed to go too far for too long to be deemed a priority," says Cody Cornell, CEO of Swimlane. "Whereas if the organization could stop the threat in its tracks earlier in the process, it would actually be in a better position to mitigate risk to the organization."
This problem can be addressed through a more balanced portfolio of IR tooling, as well as proactive practices like threat hunting.
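As an added illustration of Cornell's point (example code written for this page, not from the article or from any vendor quoted in it), the following compares a severity-only triage queue with one that escalates a host when several individually low-severity behaviors chain together in a short window. The alerts, the tag names, the three-step chain, and the 30-minute window are all constructed assumptions, not a real rule set or real telemetry.

```python
"""Severity-only triage versus chained-behavior triage over constructed sample alerts."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry): (timestamp, host, severity, behavior tag).
# Only db-02 ever raises a "high"; ws-17 shows three low/medium steps that, together,
# look like an intrusion in progress; ws-03 shows only the first step.
SAMPLE_ALERTS = [
    ("2020-04-20T09:00:00", "ws-17", "low", "auth_failure_burst"),
    ("2020-04-20T09:04:00", "ws-17", "low", "new_scheduled_task"),
    ("2020-04-20T09:10:00", "ws-17", "medium", "rare_outbound_connection"),
    ("2020-04-20T09:30:00", "db-02", "high", "ransomware_note_written"),
    ("2020-04-20T11:00:00", "ws-03", "low", "auth_failure_burst"),
]

# Assumed (illustrative) ordered chain of lower-severity behaviors worth escalating as a unit.
INTRUSION_CHAIN = ["auth_failure_burst", "new_scheduled_task", "rare_outbound_connection"]
WINDOW = timedelta(minutes=30)  # assumed: all steps must land within 30 minutes of the first

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


def severity_only_triage(alerts, floor="high"):
    """The 'prioritization-only' approach: work only alerts at or above the severity floor."""
    return [a for a in alerts if SEVERITY_ORDER[a[2]] >= SEVERITY_ORDER[floor]]


def chained_triage(alerts, chain=INTRUSION_CHAIN, window=WINDOW):
    """Escalate a host when the chain's steps occur in order within the window,
    regardless of each step's individual severity. Returns {host: chain start time}."""
    by_host = defaultdict(list)
    for ts, host, _severity, tag in alerts:
        by_host[host].append((datetime.fromisoformat(ts), tag))

    escalated = {}
    for host, events in by_host.items():
        events.sort()
        for i, (start, tag) in enumerate(events):
            if tag != chain[0]:
                continue  # a chain can only begin at its first step
            step = 1
            for ts, later_tag in events[i + 1:]:
                if ts - start > window:
                    break  # later steps fell outside the window; try the next start
                if later_tag == chain[step]:
                    step += 1
                    if step == len(chain):
                        escalated[host] = start
                        break
            if host in escalated:
                break
    return escalated


def triage_report(alerts):
    """Compare which hosts each approach puts in front of a responder."""
    high_only = {a[1] for a in severity_only_triage(alerts)}
    chained = set(chained_triage(alerts))
    return {
        "severity_only": sorted(high_only),
        "chained": sorted(chained),
        "missed_by_severity_only": sorted(chained - high_only),
    }


if __name__ == "__main__":
    for approach, hosts in triage_report(SAMPLE_ALERTS).items():
        print(f"{approach}: {hosts}")
```

With the sample data, the severity-only queue contains just db-02, where the damage is already done; the chained view surfaces ws-17 at the first failed-login burst, 30 minutes before the ransom note, which is exactly the earlier intervention point the quote above describes.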
Taking the shortest path to closing cases, without asking about root causes or about related signs of malicious activity that could indicate a broader incident, leaves the IR team fighting symptoms rather than nipping the problem in the bud.
"By avoiding those critical questions in favor of speed, closing a case or earning a win can often lead to wider spread issues," says JJ Thompson, senior director of managed threat response at Sophos. "Often, the malware or obvious entry points are assumed but not verified due to technical limitations, which can cause a misunderstanding between the IR team, legal, and executives, which then results in errant breach reporting."
Successful IR programs enable teams to collaborate closely and handle incidents together swiftly, whether responders work from an on-site SOC or remotely. As teams deal with the ramifications of new remote-work policies adopted in response to COVID-19, they should be doubling down on communication methods and channels. The team should be able to share data and relevant incident information easily through group chat, shared tracking sheets, and team conference calls, all of which are more critical than ever.
"Conversations around the office decline in response to a global crisis," says Chris Scott, CTO and global remediation lead at IBM X-Force IRIS. "When communication and collaboration break down, the context around incidents is lost. When people have the right context, they tend to make the best decisions."
It's not enough to have only an overarching, strategic IR plan. IR teams also need tactical plans for common scenarios so they can shave time off their mean time to respond and streamline operations.
This is why one of the top mistakes named by some experts is handling incidents without playbooks and set procedures.
"You have to plan for the specific types of incidents that your team will respond to and develop step-by-step procedures that can be followed in the heat of the moment," says Ken Jenkins, CTO of By Light. "The more detailed these are, the better."
When it comes to both internal and external breach notification, timing is everything. One of the biggest mistakes organizations make is communicating details either too early or too late, says Pascal Geenens, security researcher at Radware.
"Communicating too early leads to not being able to answer questions or provide more insight on the potential risk and impact on the organization and third parties," he says. "Communicating too late provides a sense of not being able to timely detect and handle incidents."