How Planning Ahead Can Help Avoid the 6 Pitfalls of Breach Investigations

I recently had the opportunity to attend a webinar covering incident and breach response.  In the world of cyber resilience, being able to respond to an attack is becoming equally important as preventing the attack to begin with.

The speaker outlined the 6 biggest setbacks that he had seen first-hand when responding to an incident or breach and what can be done now to ensure these failings don’t cripple your team in such a crucial situation.

1. Security Staff not Trained to Handle Breaches 

   What you can do:  Train your security staff on standard incident response techniques and, more importantly, on the specific procedures set by your organization.  Take the time to conduct table top exercises to let your team prepare for various scenarios and look for ways to improve their response.

 The speaker also added that organizations are placing too much focus on prevention and not enough on incident detection and response.
2. Organizational Shellshock
   What you can do:  Promote user awareness that breaches do happen and are a very real thing.  Focus on what to do next at various levels of various departments.  Don’t make the mistake of only communicating this to IT staff.
3. Incident Response Team Poorly Represented
   What you can do:  Be sure to include other departments along with IT and Security, like Executive Management, Legal, Human Resources, Public Relations, etc.
4. Lack of Network Visibility
   What you can do:  Create an accurate representation of your digital enterprise.  This includes accurate, up to date, network diagrams, data flow diagrams, IP address lists, asset inventory, etc.
5. Lack of Skills to Perform Network/Packet Forensics
   What you can do:  Keep the experts on speed dial.  Some digital forensics experts require an on-boarding fee along with ongoing retainer ahead of time to “be available” in the event of a cyber incident.  Communicate with those experts that you will need for an incident ahead of time; don’t wait until a crisis to have that conversation.
6. “Ideal” Packets not Stored in Advance
   What you can do:  Forensics teams are relying on network packets now more than ever to piece together the puzzle of a breach or major incident.  Without baseline network packets stored before the alert, it becomes difficult to differentiate the good from the bad.  This doesn’t mean keeping EVERYTHING, but only packets around detected events.  Setting a strategy for this would probably mean a conversation with your Log/IDS team or SIEM provider.

The key takeaway from these 6 items is that you don’t wait for the incident to address them.  With a little work ahead of time, you can avoid some of these most common pitfalls when trying to put the pieces back together.

Like this post?  Please share:

[feather_share]