Once you’ve detected a threat and confirmed that the security incident is an issue that needs to be actioned, you move into the “response” phase of the security incident response life cycle. To thoroughly respond to security threats, you need to mitigate and contain threats, protect your data and property, and ensure devices are accounted for. In other words, during the “response” phase of the security incident response life cycle, the security teams are busy handling the incidents and getting to the root cause of the threat.
In this article, we’ll go over how to respond to security threats and incidents. A variety of tools and solutions are recommended to respond to security incidents, including an investigation team, an MDR solution, device visibility, and more. This article builds off a previous article: How to Detect Security Incidents.
Contain the threat
When a security incident occurs, your incident response team or security team needs to triage any threats, focusing on the highest-risk vulnerabilities first. In these situations, time is imperative to contain the security threat; oftentimes, the faster you respond, the less your organization is at risk. To contain the threat, security teams should identify which systems, devices, or networks are at risk. Depending on the scenario, you may decide to:
- Disconnect compromised devices from the network, helping prevent further spread
- Disable or lock user accounts if they were compromised, removing access privileges to data and IP
- Shut down vulnerable services if they were affected until they can be patched, limiting the spread through services
- Segment your network to further protect sensitive data and devices, limiting lateral movements of malicious actors
Effective and fast response is critical to contain and eradicate security threats. To become faster and more prepared, organizations should have an incident response plan in place, and should run tabletop exercises to practice fictitious security incidents and responses. Once the threat is contained and you’re sure it can no longer spread, you can work on eradicating the threat.
Eradicate the threat
How you eradicate the security threat varies depending on the nature of the threat. However, you should begin by identifying the root cause of the security threat. What is the threat? Where did it come from? What vulnerability was exploited? These questions help you investigate the threat and its origins, which help you respond to the security threat.
To eradicate the threat, you may decide to:
- Apply a patch and update any affected systems or software, which may remediate the exploited vulnerability
- Use an antivirus tool to scan your environment for malicious files and remove malicious code, artifacts, or files from your system
- Change the passwords of compromised accounts
- Restore clean backups to remove malicious code, but make sure you use a backup from before the security incident occurred
- Monitor your environment to ensure new threats don’t emerge
Make sure you’ve conducted a thorough scan of your systems, along with a strong incident investigation. To completely eradicate the security threat, you need to know what systems and networks were compromised, and security teams should validate that the threat was neutralized and hasn’t returned or caused new issues. While containing and eradicating threats, make sure you document everything; keep a detailed record of the timeline of events and the actions taken. This may be required for cyber insurance purposes, but it is also helpful for improving your incident responses in the future.
Investigate the root cause
Incident response teams should conduct a thorough investigation into the root cause of the incident. Going back to the root cause of the incident tells you about how it happened, and more importantly, how exploited vulnerabilities can be remediated so similar incidents can be prevented in the future. A post-incident analysis reveals what systems were affected and what security measures need to be implemented for the future.
To get to the root cause of the incident, start by doing the following:
- Identify the entry point of the malicious actor to determine how they accessed your systems
- Interview those who were involved or affected by the security incident and make note of any suspicious activities observed
- Work with a managed IT service provider to analyze security logs, review and document findings, conduct thorough investigations, and prepare to report any security breaches to governing bodies
Oftentimes, the forensic investigation is the most time-consuming and costly part of responding to incidents, as it can be expensive to hire experienced security investigators in-house. For this reason, many teams turn to managed detection and response services (we recommend Arctic Wolf’s Managed Detection and Response), where third-party security engineers leverage 24/7 monitoring to identify, investigate, and remediate security threats.
Once you’ve discovered the root cause of the incident, you can start repairing any vulnerabilities to ensure similar incidents don’t happen again. We’ll cover more about incident response in our next article: How to Recover from Security Incidents.
Recover and improve after a security incident
Responding to security incidents is a big job for security teams. It takes many people, devices, and tools to contain and eradicate threats, which can be overwhelming and time-consuming for smaller IT teams. To recover from a security event, you need to make improvements to your security posture to make sure similar security incidents don’t occur again.
With the help of Microserve’s security team, you can be prepared to handle any incident. With over 35 years of experience, we help organizations improve their security posture, create a robust security strategy, and implement the best security measures. Get in touch with the team today to become prepared to respond to any security incident.