Let’s face it: Cyberthreats aren’t going anywhere. As technology continues to evolve and grow, so will the tactics and techniques used by threat actors. A recent report from Statista estimates the global cost of cybercrime to reach $15.63 trillion by 2029. To combat this, one of the most important things organizations can do is be prepared. According to the National Institute of Standards and Technology (NIST), the incident response life cycle can be broken down into four key stages, with the first, and arguably most important, being preparation.
Your organization can take several proactive steps to ensure incident response (IR) readiness, starting with an evaluation of the threat landscape your environment actually faces. These steps include conducting regular risk assessments, implementing comprehensive security policies, and maintaining continuous monitoring and threat intelligence gathering. Investing in training programs and simulation exercises further strengthens IR capabilities, enabling a swift and effective reaction when an incident occurs.
Let’s examine several readiness activities that can be conducted well before any cybersecurity incident. These activities can ultimately help improve your organization’s overall IR and cybersecurity maturity.
Feeling prepared for a worst-case scenario can be deceptive: an organization that has never tested its readiness does not know what it does not know. Readiness assessments conducted by an external third party provide a critical outside perspective on your organization’s current state of readiness. Such assessments should evaluate processes, procedures, personnel, documentation, and technology to gauge the maturity of your organization’s overall IR readiness. Unlike an audit, which checks conformance to a standard, these assessments are designed to pinpoint the specific weaknesses that would undermine your ability to respond effectively to an incident.
By identifying gaps in people (capacity and skills), processes, or technology outside of an active incident, organizations can address those deficiencies proactively rather than discovering them mid-response. This approach highlights opportunities to strengthen resilience against cyberthreats and enhances readiness. Ultimately, such assessments empower organizations to fortify their defenses and better protect themselves in an increasingly complex and challenging cybersecurity landscape.
An IR plan serves as a comprehensive guidebook for managing cyber incidents. It meticulously outlines your organization’s response strategies before, during, and after incidents of any type and severity. It also details the structure of your IR team, specifying roles and responsibilities to ensure clarity and efficiency during an incident.
The plan encompasses the essential steps of IR: preparation, detection and analysis, containment, eradication and recovery, and post-incident activity. Each step is designed to methodically address and mitigate the impact of incidents, ensuring a structured approach to incident management. Additionally, an effective plan defines goals and objectives, incident severity levels, and other crucial elements that contribute to a comprehensive response framework.
Most importantly, the IR plan should be viewed as a living document. It requires regular updates and maintenance to remain effective and relevant. Fortinet recommends conducting a bi-annual review of the plan and an evaluation after each significant incident. This review process ensures that lessons learned are integrated into the plan and that any organizational changes are reflected and addressed.
Without such a plan, organizations may make ad hoc decisions during a crisis, leading to costly and ineffective outcomes. A well-maintained IR plan provides a clear roadmap during incidents and enhances your organization’s ability to respond swiftly and effectively to challenges.
Incident response playbooks are an essential extension of the broader IR plan, offering standardized procedures tailored to specific incidents. Such playbooks provide a clear, actionable framework that outlines the precise steps an organization must take to prepare for, respond to, and recover from each distinct type of incident. By focusing on specific incident scenarios, playbooks ensure that the response is not only swift but also effective and consistent.
Each IR playbook provides detailed guidance on all phases of IR, including preparation, detection and analysis, containment, eradication, recovery, and post-incident activity. These documents should also be designed to be comprehensive, featuring step-by-step action items assigned to specific members of the response team. This level of detail ensures that all tasks are accounted for and every objective is met during an incident response.
Typical playbooks cover ransomware, malware, business email compromise, denial-of-service attacks, data loss incidents, lost or stolen devices, insider threats, and zero-day vulnerabilities. Each playbook should delineate specific actions and responsibilities for its scenario, ensuring the response team is well-prepared to handle that type of incident efficiently and confidently.
Once an IR plan and playbook are in place, it’s time to test them with a tabletop exercise. According to NIST, a tabletop is “a discussion-based exercise where personnel… [discuss] their roles during an emergency and their responses to a particular emergency situation.”
To simplify, a tabletop exercise is like a role-playing game. A facilitator provides the participants with facts, or “injects,” about a fictional cybersecurity incident. The participants then discuss how they would respond to those facts, using the IR plan and playbooks as a guide. These exercises can be developed and tailored to a specific audience: typically either an operational exercise for technical team members or an executive-level exercise where organizational leaders focus on the business and policy decisions an incident demands.
Tabletop exercises should be conducted at least annually. However, a quarterly cycle is optimal for the teams to stay fresh and improve their response to cybersecurity incidents.
Unfortunately, many security and IT professionals are unaware of what IT resources exist in their environment or how to access them. This makes it difficult for security teams to understand the context of an observed activity or to efficiently discover an incident’s breadth and depth. It is also not uncommon for security and IT professionals not to know what data may be affected when a given system is compromised. In either scenario, critical time is wasted tracking down business owners, building out network maps, or performing other activities that should have occurred well before an incident. This can significantly slow response efforts and increase business impact.
System inventories should include information such as the business owner, system functionality, hostnames and IPs, data classification, data criticality, relevant audit or regulatory information, and other crucial identifying information that could be useful to incident responders. Such information can help identify and ensure timely responses to the most critical systems across the organization. Understanding the business processes associated with these systems is essential so informed decisions can be made throughout the incident.
Network diagrams assist incident responders in understanding where systems are, how the network is segmented, and potential chokepoints or isolation points that can be used to help contain and eradicate a threat actor. Developing system inventories and network diagrams before an incident enables a more efficient and effective response, enabling responders to understand the organizational impact of a given system being compromised during an incident.
Threat actors thrive on exploiting vulnerabilities in internet-facing systems as an initial access vector. Based on IR engagements handled by the FortiGuard IR team in the second half of 2023 and the first half of 2024, 46% of all incidents were directly the result of an exploit against a public-facing application. In many of these cases, vendors had released patches for the exploited vulnerabilities weeks, months, and sometimes years before the threat actor used them. While one can argue that patching is not foolproof because of zero-day vulnerabilities, patching known vulnerabilities promptly narrows the organization’s attack surface and removes the low-hanging fruit that makes an enticing entry point.
Vulnerability assessments are critical for evaluating and refining the effectiveness of a patch management process. These assessments are typically scoped to target internal or external IPs or systems, employing automated tools and manual techniques to scrutinize existing vulnerabilities across systems, applications, and network devices. It is essential during such assessments to meticulously review results to eliminate false positives and accurately assess the potential impact of vulnerabilities on the organization.
While vulnerability assessments focus on known vulnerabilities, penetration tests play a complementary role in uncovering weaknesses that scanners do not report, including misconfigurations and flaws that require chaining several issues together to compromise your organization’s networks, systems, or applications. Penetration testing can be tailored to specific environments, such as internal or external networks, or even concentrate on individual segments within these networks. These assessments are designed to identify the entry points threat actors could exploit to infiltrate external environments or pivot within internal networks. Penetration tests may also focus on a specific web or mobile application, conducting a thorough examination to identify vulnerabilities that could be exploited for malicious purposes or to gain unauthorized access within a network.
Although regulatory requirements may mandate annual penetration tests for specific environments, it is prudent for many organizations to conduct these assessments more often. Given the dynamic nature of networked environments—with continual integration of new systems and technologies—vulnerability assessments should be scheduled frequently, often monthly, with penetration testing commonly occurring at least annually and, if possible, more often.
Active Directory (AD) infrastructures typically expand as organizations grow organically. While integral to Identity and Access Management (IAM) programs, AD environments are often neglected in terms of thorough management and security oversight. Conducting a comprehensive review of the AD environment is crucial to ensuring alignment with critical recommendations from Microsoft and standards bodies such as NIST. This alignment strengthens the security posture of the AD configuration and helps ensure that the logging needed for effective incident detection and investigation (for example, account logon, logon/logoff, and account management auditing) is actually enabled and collected.
An assessment of an AD environment should include evaluating its configuration against industry best practices. This process aims to identify and remediate potential security gaps, misconfigurations, or vulnerabilities malicious actors could exploit. By implementing recommended protocols, organizations can significantly reduce their overall threat landscape and strengthen their defenses against unauthorized access and potential breaches.
Reviewing and enhancing AD logging is essential for swift and accurate incident response. Properly configured logs provide crucial insights into user activities, authentication attempts, and system events, enabling security teams to detect and mitigate threats promptly. This proactive approach helps mitigate potential risks and ensures compliance with regulatory requirements and industry standards. Investing in a thorough review and continuous management of the AD environment is essential for maintaining robust IAM practices and bolstering overall cybersecurity resilience.
Many cybersecurity incidents can persist undetected for weeks or even months, underscoring the critical role of logs in effective incident investigation. Adopting a risk-based approach is essential for determining which logs to capture, defining retention periods, and establishing the necessary level of detail to support the investigative process. By aggregating logs generated by devices, networks, and security solutions, organizations can correlate data to assist in investigations and detect anomalous behaviors across their environment.
Centralized logging forms the foundation of an effective detection program, but monitoring this collated information is equally vital. Without robust monitoring, organizations can overlook or miss critical alerts, potentially escalating cybersecurity incidents. Therefore, organizations must diligently ensure responsiveness to anomalies and alerts identified through comprehensive logging and security alerting mechanisms.
By integrating centralized logging and vigilant monitoring, organizations can proactively identify and respond to events before they escalate into full-blown incidents. This proactive stance enhances IR capabilities and strengthens overall cybersecurity defenses, safeguarding against potential threats in today’s dynamic threat landscape.
Over the past year, the FortiGuard IR team has observed a notable rise in the use of valid credentials during their engagements, accounting for approximately 54% of initial access methods. This trend underscores the growing sophistication of attackers who exploit legitimate credentials to gain unauthorized access, often enabling them to bypass traditional security measures. To effectively combat this threat, organizations should prioritize profiling normal user behavior within their environments to identify deviations indicative of malicious activity. One powerful approach is the implementation of User and Entity Behavior Analytics (UEBA). UEBA leverages advanced algorithms and machine learning to monitor user actions, establish behavioral baselines, and detect anomalies that could signal security incidents. For organizations utilizing FortiSIEM, deploying FortiSIEM agents with UEBA enabled can facilitate detailed user activity data collection, which can help detect anomalous, malicious behavior.
However, sophisticated tooling is not strictly necessary for user behavior analysis, provided robust logging practices exist (see the discussion of centralized logging and monitoring above). Organizations can create useful behavioral baselines by systematically logging user activities such as logon times, the devices and source addresses used for authentication, the systems accessed, and the applications used. These baselines enable the identification of deviations that might indicate a cybersecurity incident. Defining what constitutes normal behavior for each user and establishing thresholds for what counts as abnormal are the crucial steps. When anomalies are detected, they may indicate compromised accounts or insider threats and warrant immediate investigation. Regardless of how user behavior analysis is conducted, it is crucial to have a playbook in place so responders know what to do when an anomaly fires.
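As an added example (not part of the original article and not Fortinet’s code), the following Python shows the tooling-free approach this paragraph describes, using the kind of records the AD logging and centralized logging passages above ask you to collect: it parses successful-logon events, builds a per-user baseline of workstations, source addresses, logon types and logon hours, and then scores new events against that baseline with a simple threshold. The log format, user names, hostnames, addresses and thresholds are all constructed for illustration; the field names mirror Windows Security event 4624, but the values are invented.

```python
"""Per-user logon baseline and deviation scoring (added example).

The records below are a constructed "key=value" export, not a real SIEM
format. Fields mirror Windows Security event 4624 (successful logon):
TargetUserName, WorkstationName, IpAddress, LogonType.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed baseline period: two users, their usual hosts, IPs and hours.
BASELINE_LOG = """\
2024-06-03T08:12:44 4624 TargetUserName=jdoe WorkstationName=WS-FIN-07 IpAddress=10.20.1.15 LogonType=2
2024-06-03T17:55:02 4624 TargetUserName=jdoe WorkstationName=WS-FIN-07 IpAddress=10.20.1.15 LogonType=2
2024-06-04T09:03:10 4624 TargetUserName=jdoe WorkstationName=WS-FIN-07 IpAddress=10.20.1.15 LogonType=2
2024-06-04T09:05:31 4624 TargetUserName=jdoe WorkstationName=FS01 IpAddress=10.20.1.15 LogonType=3
2024-06-03T07:40:00 4624 TargetUserName=asmith WorkstationName=WS-ENG-22 IpAddress=10.20.2.40 LogonType=2
2024-06-04T07:45:12 4624 TargetUserName=asmith WorkstationName=WS-ENG-22 IpAddress=10.20.2.40 LogonType=2
"""

# Constructed events to score: one normal logon, one 02:17 RDP logon to a
# domain controller from an unfamiliar address, one account with no baseline,
# and one failed logon (4625) that this example deliberately ignores.
NEW_LOG = """\
2024-06-10T08:30:15 4624 TargetUserName=jdoe WorkstationName=WS-FIN-07 IpAddress=10.20.1.15 LogonType=2
2024-06-11T02:17:09 4624 TargetUserName=jdoe WorkstationName=DC01 IpAddress=10.20.9.200 LogonType=10
2024-06-11T02:19:40 4624 TargetUserName=svc_backup WorkstationName=DC01 IpAddress=10.20.9.200 LogonType=3
2024-06-11T02:20:00 4625 TargetUserName=jdoe WorkstationName=DC01 IpAddress=10.20.9.200 LogonType=10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) TargetUserName=(?P<user>\S+) "
    r"WorkstationName=(?P<host>\S+) IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+)$"
)


def parse_log(text):
    """Parse successful-logon (4624) records; skip malformed lines and other IDs."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event_id"] != "4624":
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "host": m["host"],
            "ip": m["ip"],
            "ltype": int(m["ltype"]),
        })
    return events


def build_baseline(events):
    """Profile per user: hosts logged on to, source IPs, logon types, hours seen."""
    profile = defaultdict(lambda: {"hosts": set(), "ips": set(), "ltypes": set(), "hours": set()})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["ips"].add(e["ip"])
        p["ltypes"].add(e["ltype"])
        p["hours"].add(e["ts"].hour)
    return dict(profile)


def _hour_distance(hour, baseline_hours):
    """Smallest circular distance (in hours) from `hour` to any baseline hour."""
    return min(min(abs(hour - b), 24 - abs(hour - b)) for b in baseline_hours)


def score_event(profile, e, hour_tolerance=1):
    """Return the list of deviations for one event; an empty list means normal."""
    p = profile.get(e["user"])
    if p is None:
        return ["no baseline for user"]
    findings = []
    if e["host"] not in p["hosts"]:
        findings.append(f"new target host {e['host']}")
    if e["ip"] not in p["ips"]:
        findings.append(f"new source IP {e['ip']}")
    if e["ltype"] not in p["ltypes"]:
        findings.append(f"new logon type {e['ltype']}")
    if _hour_distance(e["ts"].hour, p["hours"]) > hour_tolerance:
        findings.append(f"off-hours logon at {e['ts'].hour:02d}:00")
    return findings


def triage(profile, events, high_threshold=2):
    """One row per anomalous event: (user, timestamp, severity, findings).

    `high_threshold` is the (assumed) number of simultaneous deviations that
    escalates an event; accounts with no baseline are routed for review.
    """
    rows = []
    for e in events:
        findings = score_event(profile, e)
        if not findings:
            continue
        if e["user"] not in profile:
            sev = "review"
        else:
            sev = "high" if len(findings) >= high_threshold else "low"
        rows.append((e["user"], e["ts"].isoformat(), sev, findings))
    return rows


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for row in triage(baseline, parse_log(NEW_LOG)):
        print(row)
```

Run as-is, the script flags jdoe’s 02:17 RDP logon to DC01 as high (new host, new source IP, new logon type, off-hours) and svc_backup for review because it has no baseline, while the routine 08:30 logon produces no row. In practice the baseline window would be weeks of centralized logs rather than six lines, the 4625 failures would feed a separate failed-logon threshold, and the tolerance and escalation values would be tuned per role; the playbook mentioned above is what turns a “high” row into a defined response.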
Integrating behavior profiling into security strategies is essential for mitigating the increasing threat of credential misuse. By leveraging UEBA (or even basic logging and monitoring), organizations can create a dynamic and responsive security posture that can quickly adapt to identify and mitigate threats. This proactive approach enhances early detection of malicious activities, strengthens IR capabilities, and fortifies your organization’s security framework.
While this list is not exhaustive, and every organization must take additional measures, it covers the most common weaknesses found within the organizations Fortinet works with. We highly recommend that organizations start by working through the first four items on the list sequentially, especially if they haven’t been done or are not currently in place. The remaining items should be prioritized based on your business objectives.
Did you know that FortiGuard Incident Response and Advisory Services can assist with many of the proactive services outlined above? Talk with your account manager today to see how we can help!