5 incident response best practices your company needs

More than half of the incident response professionals surveyed by Carbon Black have encountered counter-IR, in the form of log destruction and evasion tactics.


In a rapidly expanding cybersecurity landscape, security teams and attackers are competing to become more sophisticated in their defenses and attacks, respectively, according to a report Carbon Black released Tuesday.

Exactly 50% of today's attacks involve "island hopping," in which attackers target not only your network but also the organizations along your supply chain, the report found. More than half of the 40 Carbon Black incident response (IR) partners surveyed said they had also encountered counter-IR in the past 90 days, in the form of destruction of logs (87%) and evasion tactics (70%).


Some 70% of all attacks now involve attempts at lateral movement, as cybercriminals exploit new vulnerabilities and abuse native OS tools to move through a network, the report found.

Nearly a third (31%) of targeted victims experienced destructive attacks, with the financial, healthcare, and manufacturing industries most vulnerable, according to the report.

"Attackers are fighting back. They have no desire to leave the environment. And they don't just want to rob you and those along your supply chain," Tom Kellermann, chief cybersecurity officer of Carbon Black, said in the report. "In the parlance of the dark web, attackers these days want to 'own' your entire system."

Incident response best practices

Here are five best practices for IR that businesses should keep in mind, according to the report:

1. Have a backup plan for setting up a new operating environment--and make sure it's one you can get online in a few hours

It may be fast to stand up a new Office 365 environment, for example, but to succeed, businesses need a playbook for doing so and strong communication between the IR team and its client, the report said.

2. Don't turn on the lights right away

Avoid immediately severing the attacker's command-and-control channel, or otherwise letting the adversary know you are watching. Holding back gives you time to observe lateral movement and to identify and isolate the targeted systems before the attacker changes tactics. The report's own finding that nearly a third of attacks are destructive is the limit on this: observation only pays off while you can still contain the damage.

3. Store data

Organizations should retain 30 or more days of data from every endpoint, so that the pre-incident state of the environment is preserved and the destruction of logs on the endpoints themselves does not blind the investigation, the report said. Keep that data in a protected, central store that only your administrators can access; a copy the attacker can reach is a copy the attacker can delete.

4. Bring down the noise

IR teams can collect and monitor more data than ever, which increasingly leads to alert fatigue. Rather than working top-down from a large volume of alerts, IR professionals should build up detection rules manually, starting from a small set of high-fidelity rules and adding to it deliberately, the report said.
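The following is an added example, not code from the Carbon Black report, that puts practices 3 and 4 together: endpoint events are shipped to a central, append-only store that enforces a 30-day retention window and hash-chains records so that a quietly edited entry is detectable; a few narrow rules then run over the retained data, with per-host suppression so a burst of matching events produces one alert rather than a page per event, and a separate check flags endpoints that have stopped reporting (something no per-event rule can see). The event shape, field names, tool list, admin allowlist and thresholds are assumptions, and the sample telemetry is constructed inside the block.

```python
"""Central endpoint log store with 30-day retention, tamper evidence and a
small bottom-up rule set.  Added example for practices 3 and 4; not code from
the Carbon Black report.  Event shape, tool list, allowlist and thresholds are
assumptions; the sample telemetry is constructed below."""
import copy, hashlib, json
from datetime import datetime, timedelta, timezone

NOW = datetime(2019, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo
RETENTION = timedelta(days=30)      # practice 3: keep 30+ days from every endpoint
SILENT_AFTER = timedelta(hours=24)  # assumed: an endpoint quiet this long needs a look
SUPPRESS = timedelta(hours=1)       # practice 4: one alert per (rule, host) per hour
GENESIS = "0" * 64
# Remote-execution tools of the kind the report says attackers lean on, and the
# accounts allowed to run them.  Both lists are built up by hand while tuning.
REMOTE_EXEC_TOOLS = {"wmic.exe", "winrs.exe", "psexec.exe"}
ALLOWED_ADMINS = {"it-admin"}

def ts(now, **ago):
    return (now - timedelta(**ago)).isoformat()

class CentralStore:
    """Append-only, hash-chained records: altering or removing one breaks
    verify().  The only deletion is prune(), which trims the oldest records."""
    def __init__(self):
        self.records, self.last_hash = [], GENESIS
    def append(self, event):  # events are appended in time order
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self.last_hash + body).encode()).hexdigest()
        self.records.append({"event": event, "prev": self.last_hash, "hash": digest})
        self.last_hash = digest
    def verify(self):
        prev = self.records[0]["prev"] if self.records else GENESIS  # head may be pruned
        for rec in self.records:
            body = json.dumps(rec["event"], sort_keys=True)
            if rec["prev"] != prev or rec["hash"] != hashlib.sha256((prev + body).encode()).hexdigest():
                return False
            prev = rec["hash"]
        return prev == self.last_hash
    def prune(self, now):
        cutoff, drop = (now - RETENTION).isoformat(), 0
        while drop < len(self.records) and self.records[drop]["event"]["ts"] < cutoff:
            drop += 1
        self.records = self.records[drop:]
        return drop
    def events(self):
        return [r["event"] for r in self.records]

RULES = {
    # Counter-IR: the endpoint's own log was wiped (Windows Security event ID 1102).
    "log_cleared": lambda ev: ev["type"] == "log_cleared",
    # Remote-execution tool started by an account outside the admin allowlist.
    "remote_exec_non_admin": lambda ev: ev["type"] == "process"
        and ev["image"] in REMOTE_EXEC_TOOLS and ev["user"] not in ALLOWED_ADMINS,
}

def run_rules(events):
    """Narrow rules, suppressed per (rule, host) within SUPPRESS, so a burst of
    matching events becomes one alert instead of a page per event."""
    alerts, last_fired = [], {}
    for ev in events:
        when = datetime.fromisoformat(ev["ts"])
        for name, rule in RULES.items():
            key = (name, ev["host"])
            if rule(ev) and not (key in last_fired and when - last_fired[key] < SUPPRESS):
                last_fired[key] = when
                alerts.append((name, ev["host"], ev["ts"]))
    return alerts

def silent_endpoints(events, now):
    """Hosts seen in the window that have stopped reporting: a killed agent or a host taken offline."""
    last_seen = {}
    for ev in events:
        last_seen[ev["host"]] = max(last_seen.get(ev["host"], ev["ts"]), ev["ts"])
    return sorted(h for h, t in last_seen.items() if now - datetime.fromisoformat(t) > SILENT_AFTER)

def sample_events(now):
    """Constructed telemetry: hourly background on three workstations, a service
    account running wmic five times in ten minutes on ws-02, an admin's legitimate
    wmic on ws-01, ws-03 clearing its log 30 hours ago and then going quiet, and
    one record older than the retention window."""
    evs = [{"ts": ts(now, hours=h), "host": host, "type": "process", "image": "explorer.exe", "user": "alice"}
           for h in range(1, 49) for host in ("ws-01", "ws-02", "ws-03") if not (host == "ws-03" and h < 30)]
    evs += [{"ts": ts(now, hours=2, minutes=2 * m), "host": "ws-02", "type": "process",
             "image": "wmic.exe", "user": "svc-backup"} for m in range(5)]
    evs.append({"ts": ts(now, hours=5), "host": "ws-01", "type": "process", "image": "wmic.exe", "user": "it-admin"})
    evs.append({"ts": ts(now, hours=30), "host": "ws-03", "type": "log_cleared", "image": None, "user": "SYSTEM"})
    evs.append({"ts": ts(now, days=45), "host": "ws-01", "type": "process", "image": "explorer.exe", "user": "alice"})
    return sorted(evs, key=lambda e: e["ts"])

def run_demo(now=NOW):
    store = CentralStore()
    for ev in sample_events(now):
        store.append(ev)
    dropped = store.prune(now)
    tampered = copy.deepcopy(store)  # an attacker quietly rewriting one retained record
    tampered.records[len(tampered.records) // 2]["event"]["user"] = "nobody"
    events = store.events()
    return {"dropped": dropped, "retained": len(events),
            "verified": store.verify(), "tamper_detected": not tampered.verify(),
            "raw_matches": sum(1 for ev in events for rule in RULES.values() if rule(ev)),
            "alerts": run_rules(events), "silent": silent_endpoints(events, now)}
```

Running `run_demo()` on the constructed data prunes the one record older than 30 days, keeps the remaining 122 verifiable, detects the edited copy, and turns six raw rule matches into two alerts (the cleared log on ws-03 and the first non-admin wmic launch on ws-02; the other four launches are suppressed), while the silence check separately surfaces ws-03. In practice the store would be a write-once destination such as an append-only bucket or a SIEM index that endpoint credentials can write to but not delete from; the hash chain here is what makes after-the-fact tampering visible rather than what prevents it.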

5. Rebuild the environment from scratch and augment existing capabilities with endpoint detection and response (EDR)

With EDR tools in place, an organization that suffers another infection will at least have root-cause analysis for it, the report noted.
