Why Your Company Can’t Survive Without Incident Response

Cybersecurity is founded on the principle of keeping threats out of networks and systems. We evaluate which assets are high-value enough to be targeted and we introduce procedures and processes, both functional and human, in order to safeguard them. However, in the grand scheme of things, some threats are all but inevitable. 

The thing is, no system is perfect.  

Flaws will crop up and often a simple flaw may not have a simple answer. There are flaws and vulnerabilities in the software you utilise on a daily basis for business operations, to your employees, and your vendors. There are security flaws in computer protocols that date to the 1960s that haven’t been fully solved because they’re also the reason why we’re able to have the internet in the first place.  

Now, before anyone talks about just throwing in the towel, cybersecurity is also founded on the principle of dealing with threats when they occur. Practicing best cybersecurity practices limits the number of cyber threats likely to gain access to your systems and cause havoc, preventing you from being overwhelmed and allowing you to mitigate the ones which do get through. 

What are precursors and indicators? 

 The first important distinction to get out of the way is how do we categorise the warning signs of what could be a cyber attack. Typically, warning signs are broken down into two categories, precursors and indicators. 

Precursors are signs that a potential cyber attack hasn’t happened yet but is possibly going to happen in the future. This could be things like: 

• Web server log entries showing the use of a vulnerability scanner against your network.  
• An announcement of a new exploit that targets a vulnerability in one of your applications. 
• A threat group stating that they’re going to attack your organisation. 

Unfortunately, these kinds of heads-up are not the most common warning signs that an organisation has the privilege of receiving. Indicators, which involve signs of a cyber attack that has already happened, with malicious actors having gained some sort of access to your system, are far more typical. 

Indicators can include: 

• Alerts from antivirus software detecting a host is infected with malware, from event management software, from third-party monitoring services, etc.  
• Admins finding a filename with unusual characters, a large number of suspicious emails or unusual deviations from normal network traffic.  
• Host recording an auditing configuration change in application log.  
• Multiple login attempts from an unknown remote device. 

How are cyber threats detected? 

Monitoring systems are crucial for detecting early threats for your networks and systems.  

The impacts to systems that incident response has to generally deal with can be broken down into three major categories, which are: 

• Functional Impacts: This involves how the cyber attack has impacted a company’s ability to provide all services to all users. 
• Information Impacts: This involves what information was targeted and how much critical, sensitive data has been exfiltrated, changed, deleted or otherwise compromised. 
• Recoverability Effort: This is about the time and the predictability of recovery after a cyber incident, as well as if additional support is needed. 

The severity of a cyber event can often depend on how much time threat actors are given with a network and system, which is why time is critical in cybersecurity and early detection is key. Threat actors love having all the time in the world to discreetly seed themselves into your network and system, so you need to impede their progress, contain infected systems, eradicate threats and recover, but, most importantly, you need to know they’re there in the first place. 

In cybersecurity, we use a combination of multiple monitoring systems to cover our bases and safeguard our systems, flagging up threats and ranking their priority. Monitoring systems can typically be broken down in these broad categories: 

• Intrusion Detection Systems (IDS) is a monitoring system that gathers data and detects cyber events, operating as part of network security infrastructure.  
• Intrusion Prevention Systems (IPS) is a software intrusion prevention system that is also a part of network security infrastructure. It’s a control system which actively filters out suspect packets that don't comply with security policy. IPS differs from IDS mainly due to the fact it actively performs actions to prevent threats as opposed to only monitoring.  
• Data Loss Prevention (DLP) is a set of tools and processes used to detect if sensitive data is being misused, lost, or accessed by unauthorised users, ensuring data security during its life cycle. 
• Security Information and Event Management solution (SIEM) holistically combines Security Event Management (SEM), the process of analysing cyber events and log data in real-time, with Security Information Management (SIM), a monitoring software that collects data from computer logs and analyses it in a central repository. SIEM uses log files to notify you of cyber events to look into.  

It should be noted that these are not all of the systems available to incident response teams, just broad categories that they can use in order to perform their duties. 

What is incident response? 

Monitoring systems may be tools which provide a stream of security-related data, but you need human beings to interpret, analyse and use that data to organise an appropriate incident response to a cyber event. 

This is where an incident response team comes in.  

Every business needs to have an incident response team, be it a small business with a centralised team to a global conglomerated with a distributed team placed at key geographic areas around the world. They analyse and interpret the data coming in from your technical functions and turn it into action to protect your company, determining if there’s actually a cyber attack happening, contacting relevant parties and co-operating with company departments to deal with cyber incidents. 

Not only will an incident response team analyse the mountains of data coming in from monitoring systems and process, but, just as importantly, as they deal with threats, they will create detailed, ticket documentation which will take into account things like: 

• Precursors and indicators. 
• The incident and the evidence of it. 
• Related incidents. 
• The timeline 
• The actions taken to resolve the incident. 
• The chain of custody. 

This information is vital for the incident investigation and also for court if legal action arises due to something like a data breach involving customer PIIs. Incident response teams will also take part in post-Incident activities, like lessons learned meetings and planning for potential, future cyber events. 

Securiwiser 

Securiwiser is a security monitoring tool which helps your company and incident response teams keep up with threats coming in from the internet.  

Securiwiser evaluates your company’s cybersecurity posture in real-time and flags up threats and vulnerabilities in an easy-to-read dashboard, checking things like the security of your network and cloud, suspicious port activity and internet traffic, if malware is propagating on your network and much, much more.  

Give yourself a free scan today!