Remote working has increased organizational exposure to cybersecurity threats. In turn, this has changed how incident response (IR) teams are able to respond to potential security incidents.
IR teams do not always rush to a crime scene, but managing incidents with a remote workforce is considerably more tasking than dealing with on-site incidents. Not only are they managing a different environment, but the threats differ, the devices and infrastructure involved extend beyond the internal network and the scale and scope of attack make response and remediation completely different.
The key to mounting a successful remote incident response engagement is preparation. Start thinking about what will happen before the peace is shattered. Responses must be swift and decisive, with incident teams deployed within minutes of an initial alert and then bedding in for the long haul. IR engagements typically last about 12 days – but should begin within 15 minutes of an indicator of compromise being discovered. Critically, both of these timescales should be kept to a minimum.
Preparedness and Resilience
Effective preparation ensures incident readiness and proactive action. The first steps should include creating an IR plan, including escalation matrices and setting out team members’ roles and responsibilities during an incident. Playbooks should also be made to guide process flows for different incident categories. First responders should be trained to preserve evidence and conduct initial analysis from triaged data. Simulations such as tabletop exercises can also help enhance preparedness.
With a remote workforce, employees may be working from personal devices and not all business data may be visible or accessible to the security team. The same would be true for contractors who connect to an organization’s network using unmanaged devices. As such, identification of incidents could be delayed, and analysis could prove difficult. It is worth thinking about these limitations in the preparation stages so that proactive mitigations can be considered.
Sources of data that will be useful to a response, such as domain, server, application web proxy, email server and VPN authentication logs that should be securely stored, carefully preserved and easy to locate. Log information critical to IR may also be inaccessible or non-existent if central log aggregation or EDR technology is not already in place, especially when the investigation team’s remote workers’ endpoints are not easily accessible. This means IR teams could have difficulty with the investigation, containment and recovery phases that follow.
Having the right tools deployed and configured is just part of the IR strategy. The strategic management of people and processes is another piece of the puzzle. If a Cyber Security Incident Response Team (CSIRT) is technically skilled and has a well-rehearsed IR process, the response will be more effective.
Detection and Containment
Defenders should know how to react to problems before they encounter them. If a client finds strange transactions on a money transfer application, for instance, security teams should know to enact a plan that includes actions such as root cause analysis (RCA), log reviews to identify potential authentication vulnerabilities or methods for detecting attackers within the network. The approach to malicious files found on an application server or a high-risk AV alert will be different – but should also be devised in advance.
When an organization is planning for a remote IR, it must be sure to establish fast, secure and reliable communications channels that can be kept away from the compromised network. Attackers are likely to be watching emails, helpdesk ticketing systems and collaboration platforms. This is not a problem when conducting an incident response in person because teams can simply talk face-to-face. When carrying out a remote response, secure communications are paramount.
Remote Controls
We worked on an investigation at a company during the UK national lockdown with everyone working remotely, which demonstrated what can happen when policies are not set ahead of time. It had to call everyone into the office and manually remove ransomware from their laptops to deal with the incident. Domains and servers also had to be rebuilt. It was chaos. If this company had put processes in place ahead of time, IR could have been carried out remotely and disruption limited. The ability to collect evidence, remove malware and apply changes to firewall appliances while working remotely is essential.
This is not a unique example, and hammers home one simple takeaway for remote IR: prepare now and continue to prepare. The key is to scrutinize and test your processes to ensure they are effective and that the technologies implemented are fit for purpose when adopted by a remote workforce. Equally, the IR teams must be familiar with the tools and processes in place and capable of responding efficiently and effectively. Well-prepared organizations will fare better in an emergency. The time to act is now