A cybersecurity incident is a terrible crisis for any organization. Even with the best preparation and retainers, incident response is rarely an inexpensive endeavor in terms of money, people, operational disruption, or time. Investigations and forensics require specific expertise, and typically involve concerted eradication and recovery efforts. However, careful advance planning can substantially decrease these costs.
As a Principal Incident Responder at Dragos, Inc., I have consulted on numerous cases where significant time and resources could have been saved. I’ve discovered that by avoiding the five common “gotchas” below, your organization can avoid some of the most common traps that increase the time, personnel, downtime, and expense of managing a cybersecurity incident.
The bottom line is that incident responders will always need a clear understanding of your impacted network topology, asset and security tool configuration, network addressing, and security policies in order to conduct a complete investigation. If you cannot provide current and complete architectural information about your environment and how it is secured and accessed, incident responders will have to gather that information themselves, at the cost of consulting rates and significant time. This information provides important clues about the intrusion, the adversary’s activities, and what evidence the responders will need to gather. Without this documentation, incident responders may fail to analyze the correct devices or to scope the investigation correctly.