Perspectives from an External Incident Response Team: Strategies to Reduce the Impact of Cybersecurity Attacks – Cybersecurity Insiders


The content of this publication is the sole responsibility of the author. AT&T does not adopt or endorse any of the opinions, positions or information provided by the author in this article.

“Why are you here if you can’t decrypt our data?” This is how people sometimes react to the arrival of an external incident response team. In this article, I will try to answer this question, and along the way describe the stages of incident response, list the main mistakes that play into the hackers’ hands, and give basic tips on how to respond.

Let’s start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For example, some companies may consider incidents to include things like a power failure or hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of “undesirable event” is determined by the interpretation and perspective of each company.

For one organization, the discovery of a phishing email is something that requires investigation. Other companies may not see the point in worrying about such incidents. For example, they may not be concerned about a phishing email being opened on an employee’s device in a remote location that is not connected to the main infrastructure, as it does not pose an immediate threat.

There are also interesting cases here. For example, online traders consider a 1% drop in the speed of interaction with the online exchange to be a serious incident. The importance of proper incident response steps, and of cybersecurity in general, cannot be overstated. But if we talk about serious incidents, most often these are events related to an attacker penetrating the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents can vary based on factors such as context and threat model, the response steps are usually the same. These steps are primarily based on the long-established SANS framework, which is widely used by security professionals.

SANS identifies six stages of incident response:

  1. Preparation
  2. Identification
  3. Containment
  4. Eradication
  5. Recovery
  6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that must be implemented effectively in all areas:

  • Inventory the network
  • Build subnets correctly
  • Use correct security controls and tools
  • Hire the right people

None of this is directly related to the external response team, yet it significantly affects its work. The response is built on the preparatory steps. For example, it depends heavily on log retention policy.

Each attack has its own dwell time: the time from when an attacker enters the network until their activity is detected. If the attack has a long dwell time (three or four months) and the logs are kept for only seven days, it will be much more difficult for the response team to find the “entry point”. The required data will no longer be available. If such a situation arises, the response team can still take action, but the probability of a fully successful outcome is significantly reduced.

Identification

This stage is completely dependent on how well the preparation was done in the first stage. If everything is done correctly, it is very likely that you will notice, in advance, activity that could lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By creating your own security operations center (SOC) or contracting with a trained third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages, before the attacker has done any damage.

Ideally, the response process should start at this stage. Unfortunately, in practice, there are many cases where the sad consequences of an attack are the only reason why the incident is detected. Everything follows the logical chain: preparation is lousy, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a far from trivial task.

Containment

This stage is done in close collaboration between the external response team and the customer. IT staff often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And more importantly, it doesn’t always work. Today, hackers rarely operate from just one compromised host. They tend to use Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analysis is vital to understand which connections are legitimate and which are not. When the external response team and the customer work closely together, it’s easier to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis and so on. A comprehensive scan of the network is then carried out, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer’s IT systems is carried out. It involves not only recovering from backups, but also reactivating and testing information security tools.

Restoring protections is usually a fairly simple task. As a rule, attackers act simply, by bypassing protection mechanisms: they obtain administrative privileges and, where possible, “turn off” security solutions. Yes, hackers can use malware that tampers with the Windows registry or disrupts critical event handling, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave markers to allow for repeat attacks. It is vital to remain vigilant and check such markers, even in the case of a seemingly simple attack.

Lessons learned

It may seem like the primary task of the incident response team is to restore everything to its previous state, but this is an oversimplification. The response team is invited for a different purpose. Its tasks are to establish:

  • The attack vector used by hackers.
  • The specific entry point used to gain unauthorized access to IT systems.
  • A detailed timeline of how the attack progressed.
  • Identification of possible prevention measures that could have been implemented at different stages.
  • Recommendations to address the root cause of the incident to prevent future attacks.

The answers help to give better recommendations. For example:

  • If the attack started with phishing, it’s a good idea to set up an email sandbox, adjust spam filters, and train employees.
  • If a vulnerability is to blame, it is recommended to review the patching and network monitoring procedures.

Why is the final stage so important? First, most attacks aren’t very inventive. Actually, they follow formulas. Thus, you can draw conclusions from one attack and prevent dozens of similar attacks.

Second, the attackers often come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files had been encrypted a year before the incident. It turned out that the customer had been aware of that first incident but paid no attention to it, because it caused almost no damage. As a result, a second attack occurred through the same entry point. This time the hackers spent a bit more of their time, encrypted everything, and destroyed the entire domain.

Third, without proper response procedures, it is impossible to improve security awareness training and incident detection, which are the foundation of a company’s security system.

How to improve security

Basic knowledge is important

The basic stuff that you probably already know about is already great and very useful. Every year, thousands of companies fall victim to attacks for the most banal reasons. The most common case is the exploitation of unpatched vulnerabilities. The second most common is phishing.

Therefore, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff training in digital hygiene.

There are many organizations that have already done all the basic things. However, that does not guarantee the total absence of incidents. For them, penetration tests can be recommended. However, you need to “grow up” for this kind of thing. It makes no sense to perform penetration tests when only 20% of the infrastructure is covered by security solutions (IDRIDS).

Follow industry trends and reports

Numerous security news and reports can tell you what tools and attacks hackers are using. In this way, you will be able to establish security criteria relevant to your company. The reports often provide specific recommendations on how to protect yourself from a particular attack. One of the best sources of such information is .

Don’t panic, and don’t do rash things.

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations where this is crucial, but if possible, make copies of infected machines. This will allow you to preserve the evidence for any further investigation.

In general, don’t act impulsively. Very often, upon discovering encrypted files, employees immediately cut the power. This approach is similar to gambling. Nothing can be guaranteed after that. Yes, the encryption stops and you can probably save a number of files intact. On the other hand, such an abrupt stop corrupts the disk and the data affected by the encryption process. Even if the security community comes up with a decryptor, or you pay a ransom, it may not be possible to restore data whose encryption was interrupted.
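Preserving evidence, as the two paragraphs above recommend, means taking a copy whose integrity can later be demonstrated. The following is an added example, not code from the original article: it copies a source (a file here; in practice a block device opened read-only) while hashing the bytes as they are read, re-hashes the finished image, and writes both digests into a chain-of-custody manifest so that a mismatch is caught immediately. The case id, operator name and file names are constructed for the demo.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(source, image, manifest, case_id, operator):
    """Copy `source` to `image`, hashing bytes as they are read. The finished
    image is hashed again and both digests are recorded in the manifest.
    Returns True only when the two digests agree (byte-for-byte faithful copy)."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    record = {
        "case_id": case_id, "operator": operator,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "source": source, "image": image,
        "sha256_read": h.hexdigest(),      # what came off the source
        "sha256_image": sha256_of(image),  # what landed on disk
    }
    with open(manifest, "w") as m:
        json.dump(record, m, indent=2)
    return record["sha256_read"] == record["sha256_image"]

def demo():
    """Self-contained run on a constructed 3 MiB 'disk' (random bytes, not a
    real device). Returns (verified, manifest record)."""
    d = tempfile.mkdtemp()
    src = os.path.join(d, "infected-host.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not chunk-aligned
    manifest = os.path.join(d, "manifest.json")
    ok = acquire(src, os.path.join(d, "infected-host.dd"), manifest,
                 "CASE-EXAMPLE-001", "analyst (placeholder)")
    with open(manifest) as m:
        return ok, json.load(m)
```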

Contacting the experts

Is it possible to deal with an attack on your own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to put basic protections in place or to establish efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time may be an acceptable strategy. However, when it is essential to stop the attack immediately, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action, there is no alternative: call the external response team.

James D. Brown