Author: Ido Naor and TrustPeers team, July 4, 2021
In today's world, the options for completing tasks remotely are almost infinite. In cybersecurity, forensics teams that were previously required on site to solve complicated puzzles and understand how a cyber-attack happened can now do all of that work from a remote office, which is nothing short of extraordinary. It apparently takes a world-size disaster to accelerate major changes in how we think. It was Thomas Edison who said: "If we did all the things we are capable of, we would literally astound ourselves."
"Past Incident Response included an engagement where the responder was almost every time obligated to physically visit the 'crime scene'. During COVID-19, the closure of airports shifted organizations to a different modus operandi," says Ido Naor.
Frequently referred to as the tsunami of remote work, COVID-19 provided a definite answer to the question of how to respond to cyberattacks while the pandemic spread worldwide. Attackers took advantage of the fact that businesses had sent their employees home and raided their office networks, knowing that no one was around to stop them. That was the first step in moving to fully remote security services.
"I remember how in 2018 we travelled to Eastern Europe to simulate hacking attacks on government networks. A year later we travelled to South America to respond to a ransomware attack," Naor recalls. "Responders are everywhere, but organizations are interested in the best they can find, and we were it," he added.
Since attackers left no other option, organizations asked for our services remotely, and because attackers had changed the rules, we had to adapt. We chose a set of tools that gave us the right level of access for a forensics investigation. A VPN into the organization, for example, was not an option. What we needed was something far more robust and more centralized, with a way to avoid infecting our own machines while still gaining control over the entire network from one place. At the time, we had no idea that a startup in Israel was working on such a solution in stealth mode.
"Eli Cohen, Co-founder of TrustPeers, told me they are developing a SaaS solution that automates cyber crisis management and forensics investigations," Naor said.
Managing an incident response online is full of obstacles. The incident itself is divided into four major roles: Containment, Recovery, Forensics and Negotiation. Sometimes an organization assigns several response teams simultaneously, which makes it an even bigger and more complex challenge.
The teams working online have often never met one another, and roles are divided during a first meeting over Zoom, Teams, Hangouts or similar tools. That makes decisions hard to make.
When several teams are working in parallel, it is a race against time. In many cases, only one team will stay on to support the organization in the aftermath of the attack, so the contract is worth 'fighting' for.
Stopping the malware from spreading requires full disconnection of the network, which brings the business to a complete shutdown (in cases of ransomware, for example). Trust is not something you want to put all your eggs in after signing a contract that puts you in charge of remediation. Visibility is the name of the game, and special tools are required to monitor the behavior of every team and follow their work.
This was an issue even before COVID started, and the challenge only grows when the work is done over the wire, sometimes from thousands of miles away.
Each security firm has its own tools, and when several firms engage together in an incident they need to agree on a single communication platform; in most cases, however, it ends up being two, three or even more. In one case, for example, Slack was used for text communication, Zoom for video calls and Office 365 OneDrive for file exchange.
More advanced organizations tune their Slack workspace to support all kinds of add-ons, which allows almost every communication type to live in one place, but this barely scratches the surface of a solution that spans the whole incident.
One example of an obstacle is memory dumps. These large files must be moved from the machine itself to cloud storage for further inspection for the presence of malware. To do so, the team needs an integration between an agent physically installed on the machine and a cloud solution that knows how to take the file apart and display the results on a clear dashboard. If that is not enough, try getting results for hundreds of computers in parallel.
Board members, HR, finance and other departments besides IT are also part of the incident, since tasks such as notifying customers and employees, assessing the causes of the attack and its consequences (including a budget to open a bitcoin wallet and transfer a ransom) are part of the process. In face-to-face meetings trust increases, and information can be restricted to specific ears. When communication moves online, data can be lost in translation, lost in transit, or lost through the absence of trust between the legal entity and the response teams.
Making sure that the right person has the right access is a major obstacle. More than once we have witnessed an organization grant excessive access to a third-party company without realizing that this in itself can create a backdoor. Using password vaults and secure file and data transfer is a must, and if this is done manually, policies on how to do so must be in place.
Documenting an incident is a work of art. Drawing the flow from how patient zero was infected all the way to how the rest of the machines were infected is not something a security product can do autonomously. Some tools exist for responders to manually craft an incident report, for example Office, Google Drive, Confluence and so on. These obstacles and others have emphasized the urgent need for cyber crisis management solutions.
Organizations now understand that, in light of the ever-increasing complexity of cyberattacks, pandemics and other world-size disasters may require them to change the way they work, the software they work with, the way they plan incident response steps and the way they run incident response exercises. Autonomous cyber crisis management platforms will greatly assist responders by assembling all communications in one place, recording and controlling the delivery of content during an incident, and simplifying access; they will also make it much easier for board members and organization owners to learn from an incident and reduce costs and business damage.
TrustPeers is an Incident Response technology company. It develops an innovative Cyber Crisis Management platform that saves organizations in real time, by allowing them to prepare for attacks and take control over cyber emergencies.
Our proprietary crisis management SaaS platform is based on a unique PPRP (Planning, Practice, Response, Post) methodology that revolutionizes existing Incident Response (IR) solutions by handling the entire incident lifecycle. For more information contact us.
Incident response tabletop exercises are designed to increase the response team's preparedness. As far as preparedness is concerned, a cyber incident response tabletop exercise is to cybersecurity what a fire drill is to firefighters.
An incident response tabletop exercise program should ideally be holistic, involving every party that could be affected and covering every aspect of every potential incident in maximum detail. Since that lofty goal is not always achievable, there are intermediate approaches to consider.
The main goals of any Incident Response (IR) tabletop exercise are to minimize MTTR (Mean Time to Resolution) and increase the IR team members’ level of preparedness. When planning an online tabletop exercise, there are a few things to keep in mind to organize it optimally and reap maximal results.
Applying the tabletop exercise (TTE) principles delineated might be easy with a small team, but when running Incident Response (IR) TTEs for large organizations spread across continents with thousands of employees, scaling up can seem insurmountable.