In our recent report, Incident Response Strategies in the Spotlight, we partnered with Enterprise Security Group (ESG) to find new solutions to one persistent problem: despite continued security program investments, threat actors continue to successfully compromise the attack surface. The solution? New incident response (IR) strategies – and fast.
75% Experienced Damaging Cyberattacks
Notwithstanding an ongoing focus on bolstering cybersecurity programs, over two-thirds of organizations reported at least one cyber incident within the past two years. Over 10 percent experienced multiple damaging attacks.
“The high percentage of organizations that have experienced an incident in the last two years supports the common maxim of security professionals that it’s not if you’ll experience an incident, it’s when,” notes Josh Davies, Principal Technical Marketing Manager at Fortra’s Alert Logic. “A mature security partner or program that pairs automated detection with proactive threat hunting will allow organizations to be confident that they are not experiencing an ongoing and undetected breach.”
This brings to light an IR strategy that could prevent the subtle, “low-and-slow” embedded cyberattacks Davies was referring to. While many applications could fall under this umbrella, a proactive incident response strategy is key to limiting successful attack surface compromises. In addition to automated detection, investigation, and response tools, offensive security solutions like penetration testing, vulnerability management, and red teaming can be applied so exploits come as less of a surprise – or don’t come at all.
It’s Easy to Botch a Response
You know what they say — “When the time for decision is here, the time for preparation is past.” When a cyberattack is upon you, you lean on your training (or fall to the level of your habits) and just do your best in the moment. Unfortunately, many of those split-second judgement calls turn out to be wrong. Human error being what it is, there may be no way to eliminate mistakes made in the heat of battle, but there are ways to prepare so that next time there are fewer of them, and less grave ones.
Over a quarter (27%) of respondents admitted to making misjudgments in response and recovery which led to embedded actors remaining undetected within their environments.
Davies suggests that these organizations “are likely to have suffered from either a lack of visibility or security expertise (or both).” A lack of security expertise is indeed likely, as the following question reveals: when asked to rate their IR weak points, 22% pointed to “Not Enough Talent” and 20% implicated “Unprepared Talent.” Amid record-high cyber talent shortage concerns, this disparity is understandable, yet still frustrating. How do you fill necessary gaps in incident response when seasoned cyber experts are hard to come by? How does an organization catch those embedded actors next time when its current talent pool proved itself insufficient for the task?
Well, the right tools could help. When it comes to visibility, teams can look for toolsets that aggregate all relevant information for them, cross-correlating and investigating multi-vector threats (whether the team knows how to do it or not). One boon that did manage to make its way out of the cyber talent dearth is an improvement in solutions that can force-multiply small team resources and bridge the gaps between what professionals currently know and what they need to know to catch today’s threats.
XDR is a toolset with these capabilities, and yet still not a catch-all solution. While it effectively and accurately finds, combines, and analyses information (and even investigates and responds), it is still subject to security configuration drift. Evolving technologies need to constantly be checked and brought into alignment with current security protocols and strategies, and for this, experts are needed. So, are we back to square one? No. Organizations just need to be open to adding managed security services providers to their IR strategy, if in-house talent isn’t enough.
New incident response strategies require knowing what assets you have, which capabilities you need, and being flexible enough to adopt the technologies, vendors, and external solutions required to do the job.
IR Readiness Activities Over the Past 12-18 Months
How are organizations attempting to fill the gaps?
Over the past year to 18 months, the majority of respondents have been starting at the beginning, baselining with:
~ Cybersecurity maturity assessments (47%)
~ Response readiness assessments (35%)
~ Attack surface assessments (31%)
~ And compromise assessments (25%). It’s good to know what you have now.
However, planning is also a very important part of incident response readiness and represents the second of three steps: assessments, plans, and proactive testing. Only 38% of all surveyed participated in this step, listed as Response Plan and Playbook Development. Between 17% and 28% were actively engaged in some type of proactive testing, with threat hunting (28%), penetration testing (27%), and wargaming (26%) topping the list.
Not only are these IR readiness activities beneficial for testing your current security stack, but, as Davies puts it, for “getting stakeholders comfortable and identifying bottlenecks that are usually easy to address when the pressure is off.”
Unexpected But Positive Results of IR Engagement
Sometimes there’s no better way to learn things than to get your hands dirty. When asked how they planned to improve their IR strategies, nearly half (47%) responded, “Work with professional services to help us assess and improve incident response readiness processes.” Working directly with IR experts who can navigate the tooling and familiarize your team with processes is essential. They can help you master a new approach before incidents occur.
Davies shares a firsthand account of a similar scenario working with a client:
“These exercises can be enjoyable, foster a collective security responsibility and culture while also reassuring executive leadership and beyond that your organization has the cyber resilience to face the real world.”
This real-world example uncovers one of the most valuable, but underemployed, IR strategies of all: upskilling or reskilling your current professionals to assist in security (and therefore incident response) positions. As Davies shared, after a quick engagement with IR security tooling and a quality IR vendor, several IT staff felt ready to take on cybersecurity roles.
A Future-Proof IR Strategy
As attack surface compromises show no signs of slowing down, it’s up to us to find ways to stop them. Read the report in full to find out:
~ The many avenues through which IR services are available.
~ How organizations measure IR readiness.
~ Which dynamics yield the best (and worst) IR results.
~ Current gaps and challenges in IR processes.
~ The unique benefits that IR vendors bring to the table – plus, the stats to prove them.
Responding to malicious cybersecurity incidents is the crux of any security strategy today. Until cyberattacks stop being successful, organizations need all the data they can get on what works, what doesn’t, and what needs to be done to future-proof incident response.