Cyberattacks remain a mounting threat, so an organization’s response capabilities must keep evolving. Adversaries study and map your network before they strike, and may already know your current defenses. Expert intervention is therefore needed to anticipate an incident and minimize its impact.
Incident response has become a critical capability for companies navigating today’s volatile cyberscape. That said, it is still common for organizations to struggle with resource limitations, a shortage of cybersecurity professionals, and the absence of a dedicated response team or a well-tested response plan.
Frequently, it is this lack of preparedness that thrusts CISOs and CIOs into the forefront of a daunting challenge. The focus then becomes rapid recovery: minimizing downtime by swiftly pinpointing the incident’s root cause and implementing corrective measures to restore normal operations.
Recently, Dmitry Volkov, the CEO of Group-IB, a company that stands at the forefront of the fight against cybercrime, shared insights on how effective incident response can unlock additional opportunities for growth and resilience for organizations. Whether you’re a security professional building an incident response capability or a decision-maker weighing its pros, cons, cost, business-saving potential and sustainability benefits, read along.
Q1: Do organizations today need to change their approach to incident response?
Dmitry V: With the number of incidents increasing year on year, many organizations are still questioning the need for preparedness through incident response. This grave misconception can lead many into a dead-end when a threat strikes.
There’s a strong need to shift from this mindset. I’ve often witnessed that the unexpected nature of incidents leads organizations into a state of heightened anxiety. Relying on an IR blueprint isn’t ideal, but having experts that can deeply assess the situation and provide guidance on the most appropriate course of action is essential.
Cyber incidents are well-orchestrated and require special minds to decipher what tools, techniques, and motives are hidden behind the attacks. Having access to the right information, coupled with the expertise necessary to address the urgent situation can facilitate responses that effectively mitigate the damage caused by such incidents.
Q2: According to the surveys, 77% of organizations lack an incident response plan, and those that do have one do not have a mature one. Your thoughts?
Dmitry V: Contrary to current practices, I believe that having an IR plan can only guide you so much. Organizations should focus on building the right expertise (both internal and external) to tackle the complexities of a cyber incident.
It is essential for security teams to practice tabletop exercises and drills to understand the actions to be performed in case of an emergency. Nevertheless, it’s undeniable that no amount of simulation can guarantee complete readiness for real risks.
Quoting Dwight D. Eisenhower, “In preparing for a battle, I have always found that plans are useless, but planning is indispensable.” This adage holds true in the case of cyber threats. Having basic discourse is needed, but cannot completely be relied upon. The best approach to tackle real risk is to have experts who have successfully addressed them head-on.
Group-IB’s incident response team has over 70,000 hours of incident response experience, where we’ve helped businesses rapidly thwart attacks of varying nature, followed by a deep dive into the adversaries, motives, and TTPs, all to understand the intrusion’s methods and reasons, strengthening network security in the process.
Our experts assist organizations in harnessing technology to combine process-oriented defense with intelligence-based detection and response as a proactive frontline approach. Tools like Threat Intelligence considerably improve the threat awareness of your organization. It offers context-rich data on industry-specific threats, risk profiles, threat actor presence, intentions, historical behaviors, and attack maneuvers. Subsequently, your team, along with external incident response experts can build strategies tailored precisely to your organization’s needs.
I also recommend organizations with non-mature incident response to opt for an Incident Response Retainer. This proactive step provides them with the assurance that they won’t have to face a crisis alone, when it occurs.
Q3: Organizations are often conflicted with the question of where the responsibility of managing an incident falls. What’s your opinion?
Dmitry V: Detecting and responding to incidents require a collaborative effort between the security teams and organizational leadership. It isn’t solely the responsibility of any one individual or team. The C-suite’s overall responsibility is managing risk and creating an effective crisis strategy. However, the success of the strategy relies on the seamless coordination of incident response and security teams.
The Chief Information Security Officer (CISO) and the leadership team should ensure a cohesive strategy in which the security teams, communication experts, and media relations teams are involved in the crisis management plan. This is essential for managing the narrative, safeguarding corporate reputation, and maintaining a dialogue with shareholders and the authorities.
However, organizations with limited experience in conducting an IR are advised to seek external expertise to overcome any potential oversights by internal teams. At Group-IB, our IR engagements are designed to offer all-round support – addressing not only threat containment but also all the aspects discussed in the previous question.
Q4: How can a dire situation like a cyberattack bring opportunities for growth and resilience?
Dmitry V: In case of an incident, reacting quickly yet strategically is key. Incident response isn’t just about containing damage; it is about seizing opportunities amid adversity by:
Forging change in crisis: Incidents compel organizations to swiftly adapt. This triggers internal process enhancements, particularly when guided by seasoned advisors and an adept response team.
Learning and improving: Effective incident response involves post-incident analysis, leading to continuous enhancement of cybersecurity measures and coordination across the organization.
Establishing a strong position: The more you know about the attacker, the stronger your position will be. Comprehensive investigations empower companies during negotiations, PR campaigns, and legal proceedings, which sends a strong message to the potential attackers.
Demonstrating strength: Successful investigations can ultimately bring perpetrators to justice, deterring future attacks.
Q5: What are the common mistakes made by organizations during an incident response?
Dmitry V: It is the act of restoring systems from clean images without conducting a thorough incident investigation. Some cybersecurity experts believe that the easiest and most reliable method to mitigate risks in the event of a cyberattack is to restore all systems from clean images and then verify with existing AV/EDR/IDS, etc. However, if the extent of the attackers’ actions within the network remains unknown, there could be unforeseen consequences.
Advanced threat actors often strive to maintain persistence and may even target backup systems. Their objective is to infect the backups, enabling them to activate backdoors weeks after recovery, making detection incredibly difficult. As a result, the attacker gains access to the systems once again with your help.
This is why a well-planned incident response is so essential.
Q6: Should organizations go for an external incident response provider?
Dmitry V: In complex incidents, it is essential to involve experts with real-world experience to ensure a comprehensive and effective incident response. Organizations often lack the internal expertise to create or execute a strategic plan. Moreover, in moments of panic, an outsider’s perspective and specialized knowledge can radically improve your response plan. Beyond a well-structured process, having the right know-how to assess, contain, and trace an incident is crucial for mitigating attacks and gathering insights.
So, digital forensics and incident investigation are equally essential. This approach uncovers sly attacker tactics and fills visibility gaps. These processes can be conducted by DFIR experts without any operational hiccups.
Also, unpredictable cyber threats call for flexibility over rigid checklists. External teams can help you build responses suitable for different situations and threat complexity.
I’ve also seen internal incident response teams often overlooking regular skill tests and simulations to test their incident response efficiency. This oversight can be addressed by IR experts through red teaming, vulnerability tests, tabletop exercises, and assessments to build readiness.
Q7: How can experts help devise incident responses that extend beyond threat containment?
Dmitry V: Incident Response (IR) experts can help you build and implement a discourse that goes beyond immediate damage control, unlocking broader benefits, such as:
Preventing the repetition of the incident: History often reveals that incidents recur. When incidents are dismissed as just technical glitches, without an investigation into the origins, it allows attackers to remain unnoticed. One example is them targeting the backup systems, with the intent of infecting them, and later reactivating backdoors long after the initial recovery.
Neglecting the real extent of risks hinders effective action. Incident response experts help organizations better gauge the scope of the incident and improve risk assessment capabilities.
Maintaining regulatory compliance: Industries subject to data security and privacy regulations must demonstrate compliance. Therefore, with the help of compliance and audit experts, businesses can certify, document, and validate their cybersecurity defenses against cyber incidents through assessment and consulting.
Shrugging off legal and financial consequences: Data breaches lead to legal actions, fines, and financial liabilities, and experts can help mitigate these consequences.
Protecting the organization’s reputation: Cybersecurity incidents can tarnish an organization’s reputation. A well-managed incident response by experts can curtail damage, maintain transparent communication with stakeholders, and can help avoid putting reputation in jeopardy.
Q8: How to choose the right incident response provider?
Dmitry V: Selecting an incident response provider is a crucial decision. Key factors to consider are:
Experience: Opt for providers with proven expertise in handling diverse cases and geographies.
Technology: Look for providers equipped with advanced technologies to expedite incident response. Even when armed with top-tier human expertise, lacking appropriate technological tools can lead to extended timelines, translating into financial losses. For instance, having the capability to monitor your network and beyond, including activities involving your data on the dark web, stands as a strong example of such a technological edge.
Processes: At every phase of incident response, ensure value is delivered. It’s beyond mere reports; your team should gain knowledge, and enhance coordination.
Communication: Clear communication is essential for effective collaboration. All instructions and guidelines must be fast and clear. All findings during IR will be useless if your team does not understand IR experts or can’t follow instructions.
Investigation Capabilities: A provider’s ability to identify threat actors can significantly impact the outcome of the incident.
In June, Gartner released its latest “Market Guide for Digital Forensics and Incident Response Services” which is a great resource on the subject. In the report, Gartner identified Group-IB as a representative vendor for incident response services for the third time in a row. I take great pride in it!
Q9: What are the common threats that the Group-IB Incident Response team helps contain? What is the usual process like?
Dmitry V: Group-IB’s Incident Response services empower businesses to take proactive measures before, during, and after security incidents. Our team combines the expertise of Digital Forensics and Incident Responders, adversary-centric Threat Intelligence, and Malware Reverse Engineers, who work collaboratively through a structured approach that starts with:
Preparation: We assist in implementing the necessary technologies, crafting effective incident response plans, providing training, and conducting tabletop exercises to simulate various scenarios.
During an Incident: Support is deployed to swiftly counteract attackers, develop customized remediation plans, and provide guidance to technical, legal, and PR teams, ensuring a coordinated response.
Post-Incident: We continue to monitor the network for any residual threats, offering expert guidance to support legal and PR efforts in the aftermath of the incident.
In addition to these services, we offer proactive incident response through Red Teaming exercises. While many external Red Team units focus solely on achieving client-defined goals, our approach goes further.
Sometimes, while navigating the infrastructure, our Red Team experts stumble upon shells, backdoors, or traces of data exfiltration. Such traces aren’t necessarily indicative of a malicious attack; they might have been left by previous security testing teams. Yet, some cases reveal espionage traces or impending ransomware threats.
Q10: Any recent incident response activities undertaken by Group-IB experts that you’d like to share?
Dmitry V: I’d like to share two recent instances:
Case 1:
A certain company found itself in the clutches of cybercriminals, desperately trying to restore their services after days of struggle. They were on the verge of paying a massive ransom of $100k+ to regain control of their business ASAP.
We strongly advised against giving in to the attackers’ demands, and instead, asked them to share a memory dump from the infected server with us. Remarkably, within a span of hours, we retrieved the decryption keys from the memory dump.
However, here comes the shocking part – the company decided to go against our advice and paid the ransom anyway. Surprisingly, they received a decryption key from the threat actor, and guess what? It was the same key we had shared with them earlier that day.
The moral is clear: Always stay prepared and have professionals on your side. With the right Incident Response team, you can overcome any cyber crisis, saving time, money, and your precious reputation. We’ve decrypted hospitals, telecom, retail, and government organizations. It is possible if you act promptly.
Case 2 is an intricate one:
In the ever-evolving landscape of cybersecurity, appearances can be deceiving. What seems like a straightforward ransomware attack might be the tip of the iceberg.
Recently, we encountered a case where our rapid incident response to a ransomware attack unveiled a deeper plot. We successfully restored the network and decrypted the files. However, as we delved into the incident response process, a startling revelation emerged: the encryption was merely a smokescreen for a meticulously orchestrated espionage campaign.
This reiterates the importance of engaging seasoned experts in incident response. Without the right expertise, you might miss the complexity that lies beneath the surface of your case.
The tactic of concealing a more sophisticated criminal activity under the guise of another is not new. Cast your mind back to a time when hackers used Distributed Denial-of-Service (DDoS) attacks to divert attention during financial thefts from bank accounts. These diversionary tactics often left substantial breaches unnoticed amid the chaos of mitigating DDoS aftermath.
Wrapping up the conversation with Dmitry Volkov, we trust the insights shared will assist organizations in strengthening their incident response. Dmitry has both led and now maintains close involvement with Group-IB’s incident response initiatives, and he draws on that experience to enhance the cybersecurity capabilities Group-IB offers. This has not only strengthened the company’s expertise but also reshaped the industry’s conversation around detecting and managing incidents.
Want to know more about Group-IB’s cutting-edge cybersecurity technologies? Reach out to our incident response experts for containment, remediation, and recovery discussions here.