Incident response as a term is reactive, so it’s no wonder that a proactive approach to incident response is a foreign concept to many clients and resellers that we work with. Let’s look at a few common scenarios to understand why proactive incident response is so critical.
Scenario 1 – Customer is hit with malware attack
Foresite gets a call from a Reseller, one of their larger customers has been infected with malware, and they are looking for help to investigate the incident to help them to determine how it got into the network, what systems have been affected, and what should be done to effectively remediate it. When Foresite’s IR team talks to the customer we learn that the firewall logs overwrite themselves and are not archived, the endpoint solution in place on the workstations is outdated, and the servers didn’t even have any endpoint or AV solution at all. At this point, there isn’t enough value that we can provide in analysis because the information wasn’t collected and preserved, so we typically just recommend they start remediation steps.
Scenario 2 – Insider exposes sensitive data
Extremely sensitive data was exposed when an employee copied unencrypted files prior to being fired. The company only determines this when they are made aware that some of the files are now showing up on public sites. Although forensics may be able to prove who copied the files and when, the exposed data cannot be recalled, and the damages from the exposure (lost business due to negative publicity, potential regulatory fines, possible lawsuits) cannot be undone. The company’s insurance has limitations on what it will cover, resulting in a major financial impact to the business.
Scenario 3 – Incident response plan that is just a piece of paper
Many organizations now have a written incident response plan to meet a compliance requirement. However, very few proactively test the plan to see what they might be missing for resources if an actual event occurs. During a table top exercise, a common scenario is provided for the client and they have to confirm what steps they will take, who they will involve both inside and outside the organization, and what information they will need. The client realizes that they don’t know where all the protected data is to know what would have been exposed, they don’t have a clear notification path and they have a single contact authorized to call in outside resources – what if he was not available? Logs that they would have need for forensics were not being collected and no one knows who they would call if the internal team needed assistance with a response, including when to bring in senior management, notify authorities or put together a press release. Incident response is not just an IT function.
Do you see yourself or your customers in any of these scenarios? If you have never done proactive incident response exercises, it’s very likely that you would see similar results and negative outcomes.
Foresite’s managed services can help:
- Prevent or stop attacks
- Identify what assets may have been affected
- Collect relevant evidence for civil, criminal, or regulatory proceedings
- Mitigate the impact of the event
- Recommend and implement operational improvements to prevent similar events
- Address compliance requirements for detection and response