There are two key imperatives in incident response. On one hand, you want to identify, mitigate, and clean up after the compromise as quickly and effectively as possible. On the other, you need to ensure that in doing so you are guarding against a repeat incident and not giving the attackers an opportunity to launch a follow-on attack. The following 3 tips aim to help IR teams optimize their incident handling protocols to accomplish both.
Tip #1: Keep Incident Response Communication Discreet
It’s important to communicate securely while handling an incident. While it may be tempting to use open communication channels such as email or messaging apps, keep in mind that you are responding to an open incident in which a threat actor may still have access to your systems. From that perspective, here are some recommendations for enabling these sensitive conversations to take place without roadblocks while keeping them private:
- Avoid using speakerphones. You don’t want people in the hallway to overhear your discussions.
- Avoid using instant messenger systems unless they are encrypted end to end or in some other way.
- Try to avoid using email as much as possible, because threat actors may have access to your email systems (“Man in the Mailbox”) and be watching every message coming in and out.
- Communicate in-person if possible and use secure lines for phone conversations.
- Use pre-shared access codes for authenticating users for bridge/conference calls.
Tip #2: Coordinate System Shutdown
I recall once, during an incident at a previous company, that a compromised server was not shut down during a coordinated effort. It actually alerted the threat actors that something was going on within our environment and that we were attempting to kick them out. Within not even ten minutes of the server being shut down, they immediately came back in to move laterally again within the environment and installed a whole set of new malware and tools. We had to go through the entire process of conducting triage and analysis again. Therefore, it is extremely important that all parties involved in a neutralization process follow the instructions carefully to prevent this from happening.
Tip #3: Be Sure to Reset Credentials
You have to be sure to reset any passwords that may have been compromised during the incident. It’s important to note, though, that once a threat actor has gained access to a system, they immediately dump the credentials. Consequently, they hold a whole set of credentials, not just the one or two they have been seen using. Therefore, as part of the post-incident monitoring, watch for failed login attempts against those reset accounts. Such failures could be an indication that the attackers are back within the environment and attempting to use what they previously harvested.
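The post-incident check described above, as an added example that is not code from the original post: given a watchlist of accounts whose passwords were reset after the incident, scan authentication logs and flag failed logins against those accounts (a credential that stopped working is exactly what a returning attacker would trip over). The log line format, host names, account names and IP addresses below are all constructed for the example; the regular expression is the part you would adapt to your own auth log source.

```python
"""Post-incident monitoring: flag failed logins against accounts whose
credentials were reset because the attacker is assumed to have dumped them.

Added example, not from the original post. The log format is a constructed,
simplified syslog-style line and the watchlist is constructed; adapt the
regex to the real authentication log you collect.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-02T02:14:07Z srv-app01 auth: FAILED login user=svc_backup src=10.20.30.41
2024-03-02T02:14:09Z srv-app01 auth: FAILED login user=svc_backup src=10.20.30.41
2024-03-02T02:14:12Z srv-app01 auth: FAILED login user=svc_backup src=10.20.30.41
2024-03-02T02:15:01Z srv-db02 auth: FAILED login user=jdoe src=10.20.30.41
2024-03-02T02:16:40Z srv-db02 auth: SUCCESS login user=jdoe src=10.20.30.41
2024-03-02T03:01:13Z srv-web03 auth: FAILED login user=alice src=192.168.5.7
2024-03-02T03:05:00Z srv-app01 auth: SUCCESS login user=svc_backup src=10.20.30.42
"""

# Constructed watchlist: accounts reset after the incident because the
# attacker is assumed to have harvested their credentials.
RESET_ACCOUNTS = {"svc_backup", "jdoe", "admin_legacy"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def find_reuse_attempts(log_text, watchlist):
    """Return failed-login events for watchlisted accounts, grouped by (user, src).

    A failure against a reset account is the signal the post describes:
    someone trying a credential that no longer works.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["user"] in watchlist and ev["result"] == "FAILED":
            hits[(ev["user"], ev["src"])].append(ev)
    return dict(hits)


def summarize(hits):
    """One summary record per (user, src): count, first/last time, hosts touched."""
    out = []
    for (user, src), events in sorted(hits.items()):
        out.append({
            "user": user,
            "src": src,
            "failures": len(events),
            "first": min(e["ts"] for e in events).isoformat(),
            "last": max(e["ts"] for e in events).isoformat(),
            "hosts": sorted({e["host"] for e in events}),
        })
    return out


def successful_after_reset(log_text, watchlist):
    """Successful logins on reset accounts also deserve review: a success from
    an unexpected source may mean the reset did not take everywhere, or that
    the attacker holds a different credential for the same account."""
    return [
        ev for ev in (parse_line(ln) for ln in log_text.splitlines())
        if ev and ev["user"] in watchlist and ev["result"] == "SUCCESS"
    ]


if __name__ == "__main__":
    for rec in summarize(find_reuse_attempts(SAMPLE_LOG, RESET_ACCOUNTS)):
        print("failed logins on reset account:", rec)
    for ev in successful_after_reset(SAMPLE_LOG, RESET_ACCOUNTS):
        print("SUCCESS on reset account:", ev["user"], ev["src"], ev["host"])
```

Grouping by (account, source) rather than by account alone is what turns the raw failures into something an analyst can act on: in the sample data, both flagged accounts are tried from the same source address within a couple of minutes, which is a much stronger lead than either account's failures on its own. The successful logins on reset accounts are reported separately because they call for a different question (did the reset actually propagate to that host?) rather than an alert on the source.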
Following these three tips will help not only streamline your incident response efforts, but also go a long way in limiting opportunities for threat actors to continue or relaunch their attack.
Read more in our Field Guide to Incident Response Series