Remote working has increased organizations' exposure to cyber threats. As a result, the way Incident Response (IR) teams respond to possible security incidents has changed fundamentally.
According to the "COVID-19 Cyber-Attack Analysis report" by Cynet, around 20% of cyber-attacks before the pandemic used malware or methods that had never been seen before. During the pandemic, this percentage has grown to 35%. Some of the new attacks employ Machine Learning (ML) to adapt to their surroundings while remaining undetected. As a result, incident response teams face a number of challenges when taking first actions.
The biggest issue that remote incident response teams encounter is not being able to access all of the affected systems, or the enterprise's SIEM and other logging technologies (for firms whose SOC team is also working remotely, this is an even bigger challenge). Additionally, even simple tasks such as sitting down and communicating with others have become more complex. Teams need new ways to respond. Businesses can use the following strategies to conduct remote incident responses.
Enforcing reviews of remote IT systems and other logs more often
Companies should consider additional logging on remote workers' IT systems that gathers and analyzes data indicating unlawful or suspicious conduct that may warrant further investigation. Additionally, where feasible, firms should automate the collection and processing of audit logs.
Resilience and preparedness
Effective planning ensures that firms are prepared for an emergency and can take proactive action. Developing an IR plan, including escalation matrices and defining team members’ roles and duties during an event, should be the first step. Playbooks should also be created to guide workflows for various types of incidents. First responders should be taught how to preserve evidence and perform preliminary analysis using triaged data. Tabletop exercises and other simulations can also help to improve preparedness.
With a remote workforce, employees may operate from personal devices, and not all corporate data may be visible or accessible to the security team. Contractors who connect to an organization's network using unmanaged devices pose the same risks. As a result, incident detection may be delayed, and analysis may be challenging. It's important to recognize these restrictions early in the planning process so that proactive mitigations can be explored.
Domain, email server, server, application, web proxy, and VPN authentication logs are examples of data sources that should be securely stored, carefully preserved, and easy to retrieve. If central log aggregation or EDR technology is not yet in place, information critical to IR may be unavailable or non-existent, especially when remote workers' endpoints are not immediately accessible to the investigation team. This means that the investigation, containment, and recovery stages may be challenging for IR teams.
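As an added example of the automated log analysis recommended above (not code from the article or from Cynet), the script below runs two simple detection checks over VPN authentication logs: a burst of failed logins followed by a success, and one account succeeding from two different source addresses within a short window. The log lines and their format are constructed for illustration; a real deployment would read the VPN appliance's own format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log lines (not from any real system);
# the format "<timestamp> vpn user=<name> src=<ip> result=<ok|fail>" is assumed.
SAMPLE_LOG = """\
2024-03-04T08:00:01 vpn user=alice src=198.51.100.10 result=ok
2024-03-04T08:01:10 vpn user=bob src=203.0.113.5 result=fail
2024-03-04T08:01:15 vpn user=bob src=203.0.113.5 result=fail
2024-03-04T08:01:20 vpn user=bob src=203.0.113.5 result=fail
2024-03-04T08:01:25 vpn user=bob src=203.0.113.5 result=fail
2024-03-04T08:01:30 vpn user=bob src=203.0.113.5 result=fail
2024-03-04T08:01:40 vpn user=bob src=203.0.113.5 result=ok
2024-03-04T08:05:00 vpn user=carol src=192.0.2.7 result=ok
2024-03-04T08:20:00 vpn user=carol src=198.51.100.99 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

def parse(log_text):
    """Turn raw lines into (timestamp, user, src, result) tuples, oldest first; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed or unrelated line; a real pipeline would count these too
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"]))
    return sorted(events)

def find_alerts(events, fail_threshold=5, window=timedelta(minutes=5), travel=timedelta(minutes=30)):
    """Flag (1) a success preceded by >= fail_threshold failures within `window` (password
    guessing that worked) and (2) a success from a new source IP within `travel` of the
    account's previous success (shared or stolen credentials)."""
    alerts = []
    recent_fails = defaultdict(list)   # user -> timestamps of recent failures
    last_ok = {}                       # user -> (timestamp, src) of the last success
    for ts, user, src, result in events:
        recent_fails[user] = [t for t in recent_fails[user] if ts - t <= window]
        if result == "fail":
            recent_fails[user].append(ts)
            continue
        if len(recent_fails[user]) >= fail_threshold:
            alerts.append(("success_after_failures", user, src))
        recent_fails[user].clear()
        if user in last_ok and last_ok[user][1] != src and ts - last_ok[user][0] <= travel:
            alerts.append(("new_source_within_window", user, src))
        last_ok[user] = (ts, src)
    return alerts
```

Thresholds and windows are assumptions to tune per environment; the point is that both checks need only the authentication log, which is why that log must be retrievable when the endpoint itself is not.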
Examining the initial configurations
Companies should consider implementing a minimal acceptable baseline configuration for remote workforce IT systems that restricts the operations those systems are permitted to perform. Firms might, for example, consider disabling USB ports or limiting their use to particular users who require access as part of their tasks and obligations. Organizations should roll out the baseline to their remote workforce once it has been built and tested.
The deployment and configuration of the appropriate tools is only one aspect of the IR strategy. Another piece of the puzzle is the strategic management of people and processes. The response will be more effective if the Cyber Security Incident Response Team (CSIRT) is technically knowledgeable and has a well-rehearsed IR methodology.