In our last post, we focused on knowing the enemy. In this installment we explore the best practices in responding to an attack by an advanced persistent threat (APT) actor with a from-the-trenches incident response case study.
Responding to an incident requires careful orchestration. You have to assemble a cross-functional response team, conduct forensic analysis, control communication, implement timely containment and aggressively expel the attacker from your network. At the same time you need to incorporate advice and guidance from outside legal counsel and law enforcement, intelligence from regulators and provisos from insurance providers.
We recently worked with a large information services organization that was put to the test when it experienced an attack by an APT threat actor. The company engaged Fidelis Consulting Services to lead the incident response. As always, speed was critical. The Fidelis Incident Response (IR) Lead moved quickly to form a collaborative, cross-functional IR team comprised of internal and external stakeholders.
By quickly engaging experts in responding to security incidents to complement their top caliber internal response team, the organization was able to make quick headway within the first 48 hours after it discovered the incident.
Here are some of the things that we worked with the client on during those initial hours:
By performing a focused and thorough forensic analysis and developing an aggressive remediation plan, the IR team removed the attackers from the network within 36 hours. The expulsion event eradicated the attacker’s tools, cut off their ability to reenter the network and minimized the risk of retaliation. Going forward, with Fidelis’ help, the company implemented a defense-in-depth cybersecurity strategy that minimized risk and improved their threat-detection capabilities.
Experiencing a cyber attack is disruptive. Responding to a serious security incident correctly requires a team of outside forensic and legal experts partnered with the internal incident response team. A well-defined incident response team includes key staff and line-of-business managers as well as C-suite executives and board directors. Getting the right people involved and understanding the best way to efficiently use them is essential to properly investigating and resolving the event while managing costs and minimizing the impact on your business. Directors must ensure that their organizations have a well-thought-out incident response plan to minimize the organization's liability and exposure.