Why proactive security results in more efficient response and recovery times
20 May 2020
Since the first cyberattacks, threat actors have been picking the low hanging fruit from the vulnerability orchards of organizations to gain access to and maintain their presence in enterprise environments. Organizations need to be ready to go to battle stations for the inevitable times they will face an incident. This means proactive security measures and processes need to be implemented to ensure organizations minimize any security gaps and have repeatable processes in place when the next major incident occurs.
In addition to performing internal and external penetration tests, vulnerability scans, security awareness training and patch management, conducting a compromise assessment at least annually can be an incredibly enlightening way in identifying gaps you didn't know existed in your environment. A compromise assessment is a comprehensive review of network activity to identify suspicious and/or malicious activity, misconfigurations, policy violations, weaknesses or intrusions, and serves as a proactive approach to harden the security posture of the environment.
Compromise assessment tips
Some helpful tips to keep your organizations battle ready with a compromise assessment include, but are not limited to:
- Use the results from your vulnerability scan report or threat intelligence feeds to review your log data to identify anomalous behaviour.
- Use your Endpoint Detection and Response (EDR) solutions to perform threat hunting to reveal system anomalies.
- Review your O365 environment for enabled forwarding rules to external email addresses on accounts not on an approved exception list.
- Ask internal departments questions based on what is being observed and document all findings.
If your organization doesn't have an incident response plan, yesterday was the time to implement one. It's not a matter of ’if’ but ‘when’ you are dealing with an incident and if you don’t have a plan for your organization to follow once disaster strikes, it could have a devastating impact on the business and be extremely costly. Incident response plans that are read, understood, practiced and maintained annually will have a higher success rate when they are implemented.
Organizations need incident response plans for when disaster strikes
What’s more, create runbooks or standard operating procedures for generic scenarios such as data breaches, malware, phishing, ransomware, even data acquisitioning. If you're faced with an incident that applies to one of your runbooks, you have a repeatable process for your team to follow that will drastically reduce response time. Remember to review your runbooks along with your incident response plan annually to stay battle ready and prepared.
Conduct annual tabletop exercises to test your incident response plan and runbooks with your security team, but also include executives, HR, internal and external legal counsel, PR and IT teams. This level of collaboration and effort will ensure that each person is familiar with the incident response plan, understands what roles and responsibilities they play when an incident occurs as well as identify any gaps in the plan or other internal processes the incident response plan may reference.
Man your battle stations
In conclusion, an annual compromise assessment added to your proactive regimen can help identify malicious and/or suspicious activity occurring within an environment before critical system degradation occurs. Preparing and arming your organization with an incident response plan, runbooks and annual tabletop exercises that exercise the incident response plan and runbooks with real world attack scenarios will result in faster more efficient response and recovery times, as well as reduce the impact on business operations. Compromise assessments, tabletop exercises and incident response are important activities/actions required to ensure the organization is battle ready.
Organizations – man the battle stations…