Companies increase their productivity by using technology in every field. Every unit, such as sales, marketing, R&D, purchasing and human resources, produces, processes or uses information. Digitalization is a real benefit when it is used well with the right tools, but if cyber security measures are not actually in place, serious problems can arise from simple negligence. For example, an employee plugs an infected personal USB stick into a company device and something suddenly goes wrong, or an accounting officer carelessly opens an email he should not have opened. When you face such a situation, has your company put in place the systems needed to detect the problem? Do you have a plan of action against an undesirable event, in other words an incident response plan?
ESET experts have outlined the basic steps that can serve as a roadmap in such situations.
1. Preparation Phase
Before an incident occurs, it is important to put appropriate security controls in place to minimize the problems that can arise in the first place. The corporate network must be properly configured, maintained and secured. This includes keeping servers, operating systems and applications up to date, configuring them correctly and hardening them against malicious software. Make sure employees receive security awareness training.
An important part of setting up your network is making sure you have all the necessary monitoring and logging tools in place to collect and analyze the events happening on your network. An incident response team should be established, and it should be decided whether this team will be formed internally or brought in from outside. You should also calculate the resources and budget you need to allocate for that decision. Another element of the preparation phase is the supporting teams: keep in mind that legal counsel and public relations are also needed to manage any contact with the media, partners, clients and/or law enforcement agencies regarding a potential incident.
2. Detection and Analysis
At this stage, incident response analysts bring their knowledge, experience and logical thinking to bear, using the wide variety of information made available to them by all the monitoring tools and logs, to understand exactly what is happening on the network and what can be done. The analyst's job is to correlate events in order to reconstruct the sequence of events that caused the problem. For this you will need tools that you can use and that support you. ESET Enterprise Inspector supports endpoint detection and response analysis in this context by automatically flagging suspicious events and recording entire process trees for further investigation by incident responders.
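As an added example (not ESET's code and not any product's log format), the following Python script shows the kind of correlation described above: it parses constructed process-start log lines, rebuilds the process tree, flags an Office application spawning a command shell and an executable launched from a Temp directory, and prints the full ancestry of each flagged process. The log format, field names, sample paths and the two detection rules are assumptions made for this illustration.

```python
"""Correlate process-start events into a process tree and trace flagged processes.

Added example, not ESET's code. The log lines below are constructed to resemble
endpoint telemetry (timestamp, event type, pid, ppid, image path); the format,
the field names and the two detection rules are assumptions for this illustration.
"""
import re

# Constructed sample telemetry: an e-mail attachment opened in Word spawns a shell,
# which runs a binary from the user's Temp directory. Chrome is unrelated noise.
SAMPLE_LOG = """\
2024-03-01T09:12:01Z proc_start pid=4100 ppid=1200 image=C:\\Windows\\explorer.exe
2024-03-01T09:13:10Z proc_start pid=4210 ppid=4100 image=C:\\Program Files\\Microsoft Office\\outlook.exe
2024-03-01T09:15:42Z proc_start pid=4388 ppid=4210 image=C:\\Program Files\\Microsoft Office\\winword.exe
2024-03-01T09:15:51Z proc_start pid=4402 ppid=4388 image=C:\\Windows\\System32\\cmd.exe
2024-03-01T09:15:52Z proc_start pid=4415 ppid=4402 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
2024-03-01T09:15:53Z proc_start pid=4430 ppid=4415 image=C:\\Users\\ali\\AppData\\Local\\Temp\\update.exe
2024-03-01T09:16:00Z proc_start pid=4500 ppid=4100 image=C:\\Program Files\\Google\\Chrome\\chrome.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proc_start pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) image=(?P<image>.+)$"
)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def basename(image):
    """Executable name from a Windows image path, lower-cased for comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse process-start lines; lines of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "pid": int(m["pid"]),
                           "ppid": int(m["ppid"]), "image": m["image"]})
    return events


def build_tree(events):
    """Index events by pid and link each process to its children."""
    procs = {e["pid"]: dict(e, children=[]) for e in events}
    for e in events:
        parent = procs.get(e["ppid"])
        if parent is not None:          # the parent may predate the log window
            parent["children"].append(e["pid"])
    return procs


def ancestry(procs, pid):
    """Executable names from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def flag_suspicious(procs):
    """Two illustrative rules: an Office app spawning a shell; execution from Temp."""
    flagged = set()
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent and basename(parent["image"]) in OFFICE_APPS and basename(p["image"]) in SHELLS:
            flagged.add(pid)
        if "\\temp\\" in p["image"].lower():
            flagged.add(pid)
    return flagged


def render_tree(procs, pid, depth=0):
    """Indented text rendering of the subtree rooted at pid, children in start order."""
    p = procs[pid]
    lines = [f"{'  ' * depth}{p['ts']} {pid} {basename(p['image'])}"]
    for child in sorted(p["children"], key=lambda c: procs[c]["ts"]):
        lines.extend(render_tree(procs, child, depth + 1))
    return lines


if __name__ == "__main__":
    procs = build_tree(parse_events(SAMPLE_LOG))
    roots = [pid for pid, p in procs.items() if p["ppid"] not in procs]
    for root in roots:
        print("\n".join(render_tree(procs, root)))
    for pid in sorted(flag_suspicious(procs)):
        print(f"flagged {pid}: {' -> '.join(ancestry(procs, pid))}")
```

Run stand-alone, the script prints the tree rooted at explorer.exe and then the two flagged chains; the Temp-directory rule fires on update.exe and the Office-to-shell rule on cmd.exe, and the ancestry of update.exe shows the whole path from the mail client to the payload. Real telemetry will carry more fields (command line, user, hashes) and will need rules tuned to the environment; the point is that the parent/child relation alone already turns a pile of events into a story an analyst can act on.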
3. Containment, Eradication and Recovery
In the third phase, the security incident response team decides on the method it will use to stop the further spread of the detected threats. Should a server be shut down, an endpoint isolated, or certain services stopped? The containment strategy chosen should take into account the preservation of evidence and the possibility of further damage during containment. Often this means isolating affected systems, segmenting parts of the network, or placing the affected machines in a sandbox. A sandbox has the advantage of allowing closer monitoring of the threat and more evidence gathering. However, there is a risk of further damage to a compromised host while it is in the sandbox.
Legal counsel may decide that the response team should collect and document as much evidence as possible. In that case, every hand-over of evidence from one person to another (the chain of custody) must be meticulously recorded. When malicious software is detected, it should be removed from the affected systems. User accounts may need to be disabled, closed or reset. Vulnerabilities must be patched, systems and documents must be restored from clean backups, passwords must be changed and firewall rules must be tightened. A full return to normal business operations may take months, depending on the incident. In the short term, logging and monitoring should be increased or made more fine-grained so that IT administrators can prevent a repeat incident. In the longer term, more extensive infrastructure changes may be needed to make the network more resilient.
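As an added example (not ESET's code), the following Python script shows one way to keep the chain-of-custody record mentioned above verifiable: every hand-over entry re-hashes the evidence file with SHA-256, so a later entry whose hash differs from the acquisition hash reveals that the evidence changed between custodians. The evidence file, case identifier and handler names are constructed for the demonstration.

```python
"""Chain-of-custody record for a piece of digital evidence.

Added example, not ESET's code. Each custody entry re-hashes the evidence file so
that any change between hand-overs is visible. The file written by demo() is a
constructed stand-in for a disk image or memory dump; the case id and handler
names are made up.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so that multi-gigabyte images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only list of custody entries for one evidence item."""

    def __init__(self, evidence_path, case_id):
        self.path = evidence_path
        self.case_id = case_id
        self.entries = []

    def record(self, handler, action, when=None):
        """Record who handled the evidence, why, when, and what it hashed to at that moment."""
        entry = {
            "case_id": self.case_id,
            "time": (when or datetime.now(timezone.utc)).isoformat(),
            "handler": handler,
            "action": action,
            "sha256": sha256_file(self.path),
        }
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every custodian saw exactly the bytes acquired at the start."""
        if not self.entries:
            return False
        acquisition_hash = self.entries[0]["sha256"]
        return all(e["sha256"] == acquisition_hash for e in self.entries)

    def to_json(self):
        """Serialised form suitable for attaching to the incident report."""
        return json.dumps(self.entries, indent=2)


def demo():
    """Constructed walkthrough: acquire, hand over, then tamper with the evidence."""
    content = b"constructed stand-in for a disk image\n"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        path = f.name
    try:
        log = CustodyLog(path, case_id="IR-2024-0001")        # made-up case id
        log.record("analyst A", "acquired from isolated host")
        log.record("analyst B", "received sealed drive for analysis")
        before = log.verify()
        with open(path, "ab") as f:                            # an unrecorded modification
            f.write(b"tampered\n")
        log.record("analyst C", "received for long-term storage")
        after = log.verify()
        return {
            "entries": log.entries,
            "hash_matches_content": log.entries[0]["sha256"] == hashlib.sha256(content).hexdigest(),
            "verified_before_tamper": before,
            "verified_after_tamper": after,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["entries"], indent=2))
    print("intact before tamper:", result["verified_before_tamper"])
    print("intact after tamper: ", result["verified_after_tamper"])
```

In practice the acquisition hash is also written on the physical evidence bag or in a signed acquisition form, so that the log and the item can be checked against each other independently; the script only shows the hashing and bookkeeping part, not the signing or the storage of the record itself.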
4. Post-Incident Activity
The response team should prepare and document a structured account and timeline of the incident. This helps in understanding the root cause of the incident and what can be done to prevent a recurrence or a similar event. This is also the time for all teams to review the effectiveness of the processes and procedures used, identify communication gaps and collaboration problems, and look for opportunities to make the current incident response plan more efficient. Finally, management must decide on the policy for retaining the evidence collected during the incident. So do not wipe hard drives without first consulting your legal department. Many organizations archive incident logs for two years to meet regulatory requirements.
If you want to complement your incident response toolkit with powerful investigation capabilities, you can try ESET Enterprise Inspector.