12 steps to take when there’s an active adversary on your network

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal.

The State of Incident Response 2021 report, from tech companies Kroll, Red Canary and VMware, surveyed more than 400 IS professionals and 100 legal and compliance leaders and found that 45% of them identified inadequacies in detection and response resources. Additionally, 55% wanted to improve time to containment and incident response automation.

There are compelling reasons for investing in improved incident response.

Consider the findings from tech company Cisco, which in its December 2021 Security Outcomes Study Volume 2 report, identified five key drivers of cybersecurity program success. The five include the ability to detect threats early and accurately, the ability to respond quickly to incidents, and the capacity to recover promptly from disasters.

CISOs need detailed cyber incident response plans to deliver on those three points. They need to practice them to identify any deficits that could hinder their performance should hackers strike. And they need to drill regularly so they can perform as best they can in a real event.

“An active incident is not the time to go figure all that out,” says Joe McMann, global cybersecurity portfolio lead for Capgemini.

To be well prepared, enterprise cybersecurity teams need to have accurate asset inventories and visibility into all areas of their IT environment; they need to know their organization’s mission-critical systems; and they must understand how to respond if they detect hackers trying to disrupt any of that.

The key steps they’ll need to take—quickly and nearly simultaneously—if there’s an active adversary in their network are as follows:

1. Sound the alarm

Security teams face an average of 11,047 alerts a day, according to the 2021 State of Security Operations report from Forrester Consulting and Palo Alto Networks.

Of course, many of those alerts are false positives or indicate low-priority risks, but others point to bigger problems that must be quickly escalated.

“You need to know when to break the glass. People are afraid to pull that trigger, to reach that mode, because it’s hard to take it back if you do. There’s oversight and costs, and people are afraid to spin it up sometimes,” McMann says.

Given that, teams must have good guidelines to know when and how to escalate situations.

“That decision point will be unique to each organization, but the escalation path, who to call, when to engage legal, [etc.] should be clearly documented,” says Nick Biasini, head of outreach for Cisco Talos, a threat intelligence organization.

That prevents delays that could allow hackers more time to do damage, yet prevent costly responses to minor incidents or false alarms.

2. Scope the situation and triage

“Take stock of what you know and what you don’t know: These are the facts, the alerts being generated, information I’m receiving from peers, how big is this, how big could the impact be, those are some of the questions that have to be answered initially, so you can prioritize, make smart decisions and take actions,” McMann says.

This requires CISOs to have in place good asset management and visibility into systems, he adds, as security logs, application logs, transactional data and other such data help teams assess the situation, then triage and formulate the right response.

3. Bring in the business

CISOs should be looping in business during the triage process, security leaders say, a point that’s often overlooked during active responses. As part of this, security teams need to immediately identify what impacted components are critical for conducting business, who owns those components and who controls them.

As J. Wolfgang Goerlich, advisory CISO with Cisco Secure, says: “This is a business problem. But in a security breach, a very technical person will be thinking, ‘I have to remediate.’ However, one of the things that CISOs need to remember is that a breach is a business problem not a technical problem. So there should be a secondary process that’s running business continuity and disaster recovery so that the business can keep doing what it needs to be doing.”

4. Staunch the bleeding

As that’s all happening, security teams need to focus on egress routes to make sure that nothing is getting out, says Steven Graham, senior vice president for EC-Council, a cybersecurity technical certification body.

“If there’s an active adversary in the network, they probably set up as many backdoors as they could. Identify what egress points exist within the network so you can stop the effect of the attack,” he says.

5. And find the points of entry

At the same time, security teams need to figure out how the hackers got in and where they went. “Investigate the breadcrumbs, what was their path in, what did they do next, what is everything they touched. It’s an additional step of triage,” Graham says, adding that good networking monitoring is a must here. Then close those vulnerabilities so no one else can get in again.

6. Assemble the troops

As the scope of the incident comes into focus, CISOs should be assembling the full complementary team they’ll need to respond – all the executives needed to make decisions; the security and IT practitioners with the skills needed for response; the right representatives from communications, human resources, legal and other functional areas; and any external resources required. CISOs also need to know whether and when to bring in law enforcement, and which agencies to involve, another element that should be outlined in advance so there’s no scrambling during the incident, says Randy Trzeciak, director of the Master of Science in Information Security Policy & Management (MSISPM) program at Carnegie Mellon University.

7. Track your actions

Notes on the investigation, priorities, accomplished tasks, ongoing activities, unresolved needs and other details must be effectively documented and efficiently disseminated, McMann says, adding that Word docs or emails typically aren’t good vehicles for such information-sharing and archiving.

He stresses the need for a good knowledge management system or communications platform for sharing and recording data during the incident response—another point that he says is often overlooked during a real event.

“You have to have a platform that collects and stores information and the findings, all the open questions. That has to be collected, organized, and made sense of because that information levels up to the incident coordinators so CISOs or their deputies can distill the information and make decisions,” he says.

8. Coordinate the counterattack

As investigation turns to action, CISOs need to coordinate their moves against the hackers—whether that means booting them out right away or taking time to monitor their activities before striking against them, Biasini says.

“They’re going to have more than one foothold, so you want to kick them out of all the footholds at once. Be as thorough as you can, so you’re not playing Whac-A-Mole,” he says.

9. Work the plan

CISOs, other executives, and all responding teams need to stick to the incident response plan, and resist taking over tasks outside their assigned roles, experts say.

“You have a playbook. Make sure that’s being run and you don’t take it over. Your plan as a leader is not to step in unless it’s assigned to you,” warns Jeff Pollard, vice president and principal analyst at Forrester Research.

Leaders in crisis are often tempted to jump into the trenches, but they, like everyone else, can best contribute by focusing on their own work. CISOs who start reviewing log data or jumping on keyboards actually create bottlenecks in the response and delay other critical tasks that only they can do, such as communicating to the board.

10. But adapt as needed

Even the most detailed and practiced incident response plan can’t account for every potential scenario, a new threat or a novel technique, so CISOs and organizations as a whole must know when to pivot and be able to adapt their response to the realities they’re facing during the actual event.

“There’s always a curve ball,” Pollard says.

He points out that ransomware attacks at one point morphed, with hacker groups not only holding encrypted data hostage but then, after getting paid the ransom, threatening to release stolen data if another ransom isn’t handed over. Somewhere there’s a CISO who was first to see that and had to figure out on the fly how best to counter—which, Pollard says, confirms the need for security leaders to be agile.

11. Alert others

CISOs won’t be able to hide an incident, and in many cases they can’t legally try to do so. That means they must work with their legal and communications teams to plan what they should say, when to say it, how to deliver the message and to whom.

“Know your points of contact, create a clear concise story, and get everyone on the same page,” Graham says.

CISOs should also alert other internal and external security officials, Pollard adds.

“When there’s an attack, sharing becomes an afterthought or it’s a concern because of the possibility of litigation, but find out what you can share, so you can let your team know what they can and can’t talk about, and let others know they should check their environments even if you’re not able [to say that you’ve been breached],” he says.

Not only does that help prepare other CISOs, Pollard adds, it helps the responding CISO quickly know whether the vulnerability or attack is unique to his or her organization or part of a larger issue.

12. Stay calm; tend to staff needs

Security professionals will know the gravity of the situation, so angry or frantic reactions won’t get anyone to work harder or scare off the adversaries. In fact, such reactions can do more harm than good. As Pollard says: “It’s going to be a crisis, but it doesn’t have to be chaos. We can work a crisis; no one can work effectively in chaos.”

He and others say CISOs and their executive colleagues are better served by being attentive to their workers and their needs.

Goerlich says he has seen teams “run themselves into the ground” by working long hours without breaks and even a day or more without sleep. Although that grueling schedule shows a level of dedication, it’s likely to lead to mistakes.

“People get into their zones and work well beyond the times that they should,” Goerlich says, noting that CISOs should plan for clear lines of communications, caps for work hours, staggered schedules, and post-event time off. He adds: “As much as possible, organizations should think out in advance how to handle the human elements.”