Unfortunately the current public health crisis has not led to a reduction in cyber threats and an effective security incident response capability remains a central requirement for organisations.
However, near universal remote working poses an unusual challenge for security incident response and even organisations with mature security operations functions may encounter unexpected challenges and need to adapt existing capabilities and processes.
MDR Cyber advises reviewing communications procedures, incident response processes, and response technologies to ensure your organisation is ready to conduct a fully remote response to a cybersecurity incident.
COVID-19: Remote Incident Response
The COVID-19 pandemic has forced organisations to turn 'inside-out' and the default position for many businesses is to have many staff working remotely.
Unfortunately the public health crisis has not led to a reduction in cyber threats and an effective security incident response (IR) capability remains a central requirement for organisations. Contemporary security strategy relies heavily on rapid detection of issues and efficient response to reduce the impact an incident can have.
Remote working has both exacerbated some of the existing challenges of conducting IR and created new difficulties; even organisations with mature security operations functions may encounter unexpected challenges and need to adapt existing capabilities and processes.
MDR Cyber's IR function has reviewed and updated its capabilities and processes and shifted to remote-first operations. In moving to this model we identified a number of key challenges which are likely to be common to many organisations and some measures which can help to remediate these difficulties.
These challenges focus on communications, technology and response processes.
While it might seem mundane, a perennial challenge of IR is ensuring that response teams maintain continuous communication and that leaders are kept informed of progress.
Remote working can make this much harder as team members can no longer easily communicate verbally, increasing the likelihood of delays and crucial information falling through the cracks.
Incorporating these guidelines into your standard operating procedures (SOPs) can help to reduce this friction, improving efficiency and reducing the likelihood of costly errors.
- When an incident is declared, set up a dedicated channel on your organisational instant messaging (IM) and video conferencing platform and run all communications through this central point.
- If possible, host incident documents such as incident logs, timelines, situation reports (SITREPs), and call notes on the same channel to allow for collaborative editing and visibility across the team.
- Don't rely on IM for complex exchanges; this will inevitably lead to misunderstandings and confusion. If you need to provide an urgent update, pick up the phone.
- Schedule daily calls to review findings and progress and ensure that all team members attend. Team leaders can use these calls to give verbal SITREPs, assign taskings, and get input from the team. These calls should follow a defined agenda – avoid freeform conversations with no clear focus.
We have found that these changes mirror the efficiency we have when we are all working in one place, albeit now virtually.
As with all technology, you never really know if your IR tooling works until you try it out. Even if tooling worked fine under normal conditions, remote working may introduce reliability issues.
You might have a remote digital forensics tool already deployed, but will it still work over a potentially flaky VPN connection? The new reality of incident response is that crucial evidence may sit in cloud systems, on an employee's device at home, or both.
A focus on testing in excess of the usual process can identify potential issues and options for remediation and help avoid a critical tooling failure during a live incident.
- Review your IR processes and identify critical procedures that rely on a network connection. Test each of these processes for each set of working conditions your staff are operating under (e.g. remote over VPN, connection to cloud-hosted virtual desktop, etc.) and determine whether results meet your requirements.
- If issues are identified, consult with your IT and networking teams to identify root cause and ascertain whether remediation is possible.
- If remediation is not possible, consider whether processes can be updated and whether as an organisation you are willing to accept some evidence may not be available.
In many organisations critical IR processes may rely on physical access, such as for collecting a disk image from a potentially compromised machine.
Remote working may make this difficult or impossible. It is important to review IR processes to identify and remediate these potential roadblocks now – the last thing any responder wants to have to do is deploy a new capability during a live engagement.
- Investigate deploying a remote IR and forensics solution. Commercial and open source options are available and can in many cases be quickly deployed, although testing will be required to ensure that new tooling functions properly when connecting to remote machines.
- Consider deploying Microsoft Sysinternals System Monitor (Sysmon) to critical assets. Sysmon is free and provides a rich endpoint monitoring capability (process creation, network connections, file and registry activity, and more). It integrates well with an ELK (Elasticsearch, Logstash, and Kibana) Stack, and a functional deployment can be set up very quickly.
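As an added example (not code from the original post or from MDR Cyber), the PowerShell below installs Sysmon with a minimal configuration suited to monitoring remote endpoints and then confirms the event channel is populated; it assumes Sysmon64.exe is in the working directory and that you are running as an administrator. Forwarding the resulting Microsoft-Windows-Sysmon/Operational channel into an ELK Stack is then a matter of pointing a log shipper such as Winlogbeat at that channel.

```powershell
# Added example: deploy Sysmon with a minimal config, then verify events flow.
# Assumes Sysmon64.exe is in the current directory and the session is elevated.
$configPath = Join-Path $PWD 'sysmonconfig.xml'

# Minimal config: SHA256 image hashes, every process creation, network
# connections from script hosts and remote-admin tools, and DNS queries.
# Tune the exclusions against your own environment's noise before rollout.
@'
<Sysmon schemaversion="4.22">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <!-- Event 1: empty exclude list means log every process creation -->
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event 3: outbound connections by script hosts and RDP client -->
      <NetworkConnect onmatch="include">
        <Image condition="end with">powershell.exe</Image>
        <Image condition="end with">cmd.exe</Image>
        <Image condition="end with">wscript.exe</Image>
        <Image condition="end with">mstsc.exe</Image>
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <!-- Event 22: DNS queries (requires schema 4.22 or later) -->
      <DnsQuery onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@ | Set-Content -Path $configPath -Encoding ASCII

# Fresh install, or push the updated config if the service already exists.
if (Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) {
    & .\Sysmon64.exe -c $configPath
} else {
    & .\Sysmon64.exe -accepteula -i $configPath
}

# Verify the channel is enabled and receiving records before you rely on it.
$log = Get-WinEvent -ListLog 'Microsoft-Windows-Sysmon/Operational'
"Sysmon channel enabled: $($log.IsEnabled); records so far: $($log.RecordCount)"
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Format-Table TimeCreated, Id, Message -Wrap
```

Run the verification step again from a VPN-connected machine and from a cloud-hosted virtual desktop, since the point of the exercise is to confirm the telemetry arrives under each set of working conditions your staff actually use.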
Taking action now to overcome the challenges remote working poses for IR and instituting a robust remote response capability could be the difference between effective containment of a threat and suffering a major incident.
Examining processes, testing technology, and implementing adaptations will help to ensure your organisation is as ready as it can be to respond to cyber threats in these difficult times.