Organizations seeking to improve their cybersecurity posture in 2025 must assess what happens after an incident has occurred and how an incident response team will be able to mobilize to respond. This article provides practical guidance on preparing teams and infrastructure so that responders can begin work without delay.

At this time of year, many New Year’s resolutions could benefit from a reassessment, and for organizations seeking to improve their risk management, recent events have underscored the importance of being prepared for a cyber incident.

Effective preparation is key to ensuring a swift and efficient response to security incidents.

This includes standard best practices such as setting up communication trees, establishing agreements with external counsel and incident response providers, and maintaining detailed runbooks for common event types. It also involves deploying crucial security tools like Endpoint Detection and Response (EDR) and Security Information and Event Management (SIEM) platforms to enable detection and investigation of potentially malicious activity. Even when incident response (IR) plans and security programs cover these fundamentals, one issue is often overlooked: what happens immediately after an event occurs and the IR provider is engaged to begin its work?

Let’s examine this from the perspective of StoneTurn’s cybersecurity professionals. Once we receive a call from a client that an incident has occurred, our team is ready to hit the ground running. We spearhead a kickoff call to collect initial information about the event, including what was detected, which systems were impacted, and where analysis efforts currently stand. After we collect this information, we develop an action plan to mitigate, assign resources, and get ready to access our client’s security stack to begin collection and investigation. However, this is where the trouble can start.

One of the main challenges Incident Responders can encounter when called in to investigate an ongoing event is gaining access to a client’s infrastructure.

Delays in setting up accounts can lead to significant timing setbacks. On client engagements, we have experienced scenarios where it took several days for organizational accounts to be created because of institutional red tape, from multiple approver requirements to lengthy onboarding workflows. Without these accounts, and behind security measures like Single Sign-On (SSO), we have found ourselves hamstrung, analyzing partial exports of artifacts or at a standstill waiting for access. Moreover, complex Identity and Access Management (IAM) roles for cloud resources can force incident response professionals into days of back-and-forth exchanges with the client before gaining access to the right assets to begin evidence collection. Every obstacle to visibility delays the investigation.

Once access is granted, we often look first to witness devices such as SIEMs, which should hold valuable information about the event under investigation. Teams like ours collaborate with internal security teams to understand system visibility, configured log levels, and data retention, which are often not documented appropriately, creating uncertainty. Without a clear understanding of which data sources feed the SIEM, which assets are covered, and whether further logs can be rehydrated, we must spend time assessing whether a given source contains any relevant evidence. While collaboration usually resolves these issues, it often requires hours of discovery, analysis, and back-and-forth communication. Instead of pursuing the threat actor immediately, we are often left to chase critical information from the client first.

As you assess your security program strategy, consider enhancing your IR kick-off processes with the following:

  • Plan for Rapid Onboarding: Develop and test Standard Operating Procedures (SOPs) to streamline account management for external firms engaged to support incident response. These SOPs should ensure there are expedited workflows with HR and other stakeholders to provision accounts with the right level of access during security incidents. These procedures should account for the platforms that responders need access to, the permissions they will need, and the dependencies required for access (e.g., does a virtual desktop need to be spun up, is a virtual private network required). Finally, processes should also consider how to close out and clean up accounts once an investigation concludes.
  • Keep Your IR Teams Ready: Whether it is an outside firm or your own internal Digital Forensics and Incident Response (DFIR) team, there are some recurring practices which can help to make response efforts more efficient. If you are relying on an external firm and have already given them security stack access, work with them to conduct periodic access checks ensuring accounts do not get disabled accidentally. Additionally, keep teams in the loop regarding changes to the environment or critical assets. This can help them better navigate alerts and effectively investigate events.
  • Know Your Data: Maintain clear documentation of what your SIEM is ingesting and where other potentially relevant data sources reside across the technology and security stacks. Security teams should be able to explain which sources are in the SIEM and other critical security controls, how far back logs go (active and long-term storage), and what logging configurations look like for different assets. If there are other data sources that can be rehydrated or are not in the SIEM, notify responders so we can assess whether rehydration is required or whether other collection processes need to start.
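The periodic access checks and data-source documentation described above can be exercised as a routine readiness check rather than discovered during a kickoff call. The following is an added example written for this article, not StoneTurn's own tooling; the inventory, account names, role names, source names and thresholds are all constructed assumptions that an organization would replace with its own documentation.

```python
from datetime import date, timedelta

# Constructed sample inventory (hypothetical): the external IR firm's
# responder accounts plus what the SIEM is ingesting and for how long.
INVENTORY = {
    "responder_accounts": [
        {"user": "ir-firm-analyst1", "enabled": True, "last_access_check": "2024-12-20",
         "roles": ["siem-reader", "edr-analyst"]},
        {"user": "ir-firm-analyst2", "enabled": False, "last_access_check": "2024-09-01",
         "roles": ["siem-reader"]},
    ],
    "siem_sources": [
        {"name": "edr-telemetry", "hot_days": 30, "cold_days": 365, "rehydratable": True},
        {"name": "vpn-auth", "hot_days": 7, "cold_days": 0, "rehydratable": False},
    ],
}

REQUIRED_ROLES = {"siem-reader", "edr-analyst"}   # assumed minimum responder access
REQUIRED_SOURCES = {"edr-telemetry", "vpn-auth", "cloud-audit"}  # assumed coverage
MIN_HOT_DAYS = 14                  # searchable retention responders should expect
MAX_CHECK_AGE = timedelta(days=90)  # cadence for the periodic access check

def assess_readiness(inventory, today):
    """Return (severity, message) findings; an empty list means ready."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for acct in inventory["responder_accounts"]:
        if not acct["enabled"]:   # account disabled, e.g. by an automated cleanup job
            findings.append(("high", f"account {acct['user']} is disabled"))
        missing = REQUIRED_ROLES - set(acct["roles"])
        if missing:
            findings.append(("medium", f"account {acct['user']} lacks roles {sorted(missing)}"))
        last = date.fromisoformat(acct["last_access_check"])
        if today - last > MAX_CHECK_AGE:   # periodic access check is overdue
            findings.append(("medium", f"account {acct['user']} not verified since {last}"))
    seen = set()
    for src in inventory["siem_sources"]:
        seen.add(src["name"])
        if src["hot_days"] < MIN_HOT_DAYS and not src.get("rehydratable", False):
            findings.append(("high", f"source {src['name']} keeps only {src['hot_days']}d and cannot be rehydrated"))
        elif src["hot_days"] < MIN_HOT_DAYS:   # evidence exists but needs rehydration first
            findings.append(("low", f"source {src['name']} needs rehydration beyond {src['hot_days']}d"))
    for name in sorted(REQUIRED_SOURCES - seen):   # expected source never reached the SIEM
        findings.append(("high", f"required source {name} is not in the SIEM"))
    return findings

if __name__ == "__main__":
    for sev, msg in assess_readiness(INVENTORY, "2025-01-15"):
        print(f"[{sev}] {msg}")
```

Run on a schedule, the findings list becomes the agenda for the access and data-retention conversation before an incident rather than after one.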

It’s not too late, then, to make a new resolution to simply be “ready.” The faster IR teams can integrate into the security stack, understand the environment, and start investigating, the sooner we can identify and mitigate malicious activity. Addressing small details like account provisioning, permissions, and data availability ahead of time can significantly reduce pressure during security incidents and enhance the efficiency of response efforts.


If you have any questions or would like to discuss these topics please reach out to Martin Narciso.


About the Author

Martin Narciso, Cybersecurity Manager, StoneTurn

Martin Narciso, a Manager at StoneTurn, specializes in cybersecurity. He serves corporate clients and law firms, performing threat intelligence, digital forensics, incident response, security training, and assessment functions. Martin has […]
