4 Ways to Ensure You Do Incident Triage Right

All too often, when IT professionals and enterprise administrators confront data system glitches and error messages indicating a security incident, they’re reluctant to seek outside help. Whether paralyzed by fear or blinded by pride or simply overwhelmed by the crisis, they delay in triggering the alarm—a common but sometimes disastrous decision.

Not long ago, for example, Symantec’s Incident Response team received a call from a manufacturing company that had spent the previous four days trying to recover from a ransomware attack on their own. The lead IT person had just resigned, and senior management directed bringing Symantec in for triage.

After more than two weeks onsite, we identified the ransomware and verified that it had been sitting dormant on the company’s network for two months before it detonated. Unfortunately, these revelations hardly mattered: Everything had been encrypted, including the spreadsheet containing authorization credentials for accessing the company’s backups. In large part because the company lacked an endpoint security system (a final line of defense against ransomware), the incident brought down the entire business.

Contrast that tragic story with another recent incident we handled for one of Symantec’s Incident Response retainer clients, an e-commerce platform company with multiple web properties. Their IT team called us immediately after noticing a handful of dropped transactions on a critical, distributed system. They were frantic that customers’ personally identifiable information (PII) had been hacked. In this case, two of our team’s triage experts ran the dragnet, working hand-in-hand with the in-house team. We had sorted it out in the space of six hours: The failed transactions had been a kind of self-inflicted injury; the result of internal system changes that had unanticipated, unintended impacts. All the facts supported that no customer data had been compromised. Nothing had happened, which in incident response is always the best possible conclusion.

In decades of experience with incident triage, we’ve seen countless other examples of how a rapid response has been the key to companies’ survival. In incident triage, every minute and hour counts. While a swift response can be critical in containing an incident, we also advise creating security baselines for every system on a network, through tools like Symantec’s Enterprise Security Manager. In addition, we propose the following four strategies to increase your odds of survival:

1. Partner with an incident response provider.
   Even if you believe your in-house security team represents the best and the brightest, when it comes to incident triage, bringing in experts who have different insights and viewpoints can help tremendously. Having an IR provider on retainer will also increase your credibility. Because the IT team at this company had proactively partnered with Symantec, when it came time to disclose the incident to management, no one questioned their conclusions.
    
2. Be prepared and stay true to the process.
   We hammer on this point constantly, but we can’t emphasize enough the importance of having a well-documented and well-rehearsed incident response plan.
   
   While it might be tempting to improvise a gun-slinger solution, resist any urge to deviate from the plan. If you’ve retained an IR provider, contacting them should be one of your first steps.
    
3. Map out your network and know what systems you’re running.
   We receive an alarming volume of calls from people who are panicked that their network is crashing but are clueless about how to navigate it.
   
   Unless your organization has an accurate (and up to date) map of its network and people who are fluent in describing your data and security systems, you will lose valuable time. Designate an IT or security professional (and a backup) to answer fundamental questions about which assets you possess, which assets might be affected, the applications you’re running, and the security products you have in place.
    
4. Adopt and enforce data security policies that reflect the current, hostile reality.
   Hardly a week goes by that we don’t hear about how an employee’s email carelessness   has enabled unauthorized third-parties to access sensitive company data. Such breaches put your entire enterprise at risk. Require multi factor authentication across all email platforms
    
5. Update and test all backups regularly.
   Ransomware attacks can encrypt your backups, which are in place so your operations don’t grind to a halt.  So, you should arrange for offsite storage of at least four weeks of weekly full and daily incremental backups. Also, make sure you have backups that are not connected to the network to prevent them from being encrypted by ransomware. Lastly, ensure restore capabilities support the need of the business.

Finally (and again), don’t hesitate to engage an emergency response team. Whether it’s a false alarm or an actual attack or something in between, the earlier you call for help, the better off you’re going to be.