Do No Harm – First Rule for Cyber Incident First Responders

But it’s a critical element of your cybersecurity strategy and one that requires specialist skills and tools that, without training, your team may not have.

The first task of the first responder at a cybersecurity incident is just like that of an emergency services worker. A well-prepared responder can identify the threat, contain it, make things safe and then help you learn what happened to prevent a repeat.

When a first responder is unprepared their first actions may exacerbate a situation rather than contain the damage and aid recovery. While there is a temptation to respond quickly, particularly in a highly stressful and unexpected situation, knowing what not to do is just as important as knowing what to do first.

Cybersecurity first responder training helps teams learn about the tools, procedures and practices that are critical to ensuring those first moments lead to a solution and not to more problems. Thorough training involves understanding the following elements.

WHO ARE THE THREAT ACTORS?

Understanding how to respond to an incident starts by understanding the nature of threat actors and how they operate. The most common threat actors are APT groups or cyber gangs. These are coalitions of hackers whose primary motivation is financial gain. They will steal what they can sell, such as privileged corporate account credentials and personally identifiable information. They might attempt to defraud you through phishing, compromise the mailboxes of corporate users, use ransomware or attempt to trick you into paying fake invoices or by some other means.

Insider threats are perhaps the next most common type of threat actor. However, not all insider attacks are malicious. Many data losses caused by insiders are the result of errors rather than a specific desire to cause trouble.

Hacktivists typically carry out attacks to further some sort of political agenda while state sponsored threat actors are looking to further the national interests of their country of origin.

WHERE DOES INCIDENT RESPONSE START?

Incident response starts with preparation and ensuring that the organisation has up-to-date incident response plans and playbooks in place. Regularly performing tabletop exercises is also a very useful activity to ensure that incident response plans and playbooks are constantly updated to cater to the latest threats.

While it can be tempting to try and jump to attribution when an attack has occurred, this shouldn’t be your priority. Frameworks prepared by experts from NIST, SANS and others place incident identification and containment as higher priorities. That means it’s critical to understand the tools and methods used by attackers.

Threat actors use technical tools and social engineering to infiltrate systems, gain intelligence and execute their malicious actions. By investing time into understanding these tools and methods, it’s possible to radically improve the way you respond to incidents. For example, while phishing scams are well known, understanding what happens after the email is opened is critical. That means understanding what vulnerability is being exploited, what tools are being used and how it is being controlled.

This allows first responders to identify what systems are affected and to take steps to contain the damage and mitigate the risk to the business.

THE EVIDENCE CHAIN

Once an incident is contained, it’s time to carry out an investigation. While it may be tempting to take a scorched earth approach after the breach is contained and destroy all data, the business loses the ability to examine what happened forensically. While there is a chance of attribution, the main objective is to learn from the attack and ensure sufficient controls are in place through all layers of the security infrastructure to prevent the attacker from returning.

While the effects of an attack can be swift and devastating, many attacks take weeks or months to execute. Some of the most damaging attacks in recent years, ranging from the Target breach in 2013 through to the recent attack on News Corp started days, weeks or even months before the impact was felt.

Many threat actors spend considerable time probing systems in order to find vulnerabilities and valuable data to steal. While they might be imperceptible before the attack is complete, they form a vital trail of evidence that can be used later.

Skilled incident responders will know how to use tools that can take disk images, memory dumps and other data that can help. This is the equivalent of a digital autopsy, dissecting what happened to learn the cause and prevent a recurrence.

CLOUD COMPLEXITY

With businesses increasingly dependent on cloud services, gathering this kind of intelligence following an incident can be challenging. Collecting disk images and memory dumps on cloud services requires different tools and methods to those used with on-prem systems.

Microsoft Azure, AWS and Google Cloud Services all provide tools to assist with detection, containment, eradication, and recovery to learn in order to prevent, detect, and respond to similar incidents in the future. But extracting data to carry out your own analysis requires different tools and methods.

DON’T FORGET SEARCH ENGINES

Open-source intelligence (OSINT) is also a powerful tool. Knowing what to search for can reveal plenty of useful information on the public internet. While popular tools such as haveibeenpwned are useful, many criminals use publicly accessible but somewhat obfuscated websites and underground forums to share stolen information such as usernames and hashed passwords. When investigating an attack, public data can be extremely helpful.

Prioritising and investing in first responder training enables your cybersecurity or IT team to better respond when an incident inevitably occurs – equipping them to know who should be involved, what tools they’ll need, where to start and, critically, how to avoid making things worse.