The Biggest Mistakes to Avoid with Incident Response

Incident response is a critical component to containing and remediating security incidents and events. It can also be an incredibly detailed and difficult process to manage when you’re trying to restore business operations.

Consider these big mistakes you’ll want to avoid with incident response.


1. Lack of an IR Playbook


Incident response is a well-planned process for the security team. It must be customized for your organization completely because all security events must be ticketed and tracked by category and sub-category. By doing so, it creates escalation profiles that in aggregate comprise an IR playbook, and include:

  • Escalation types
  • Create ticket
  • Send email alert
  • Traverse a call tree

Based on analysis results and escalation type, IR actions should also be documented in the playbook.  ROI can be assigned to each response type.

  • Ex: malware results in offline scan or re-image
  • Ex: scanning results in double-checking systems hardening, possibly add firewall/IPS rule to block
  • Ex: DDoS should have mitigations in place already, coordinate with DDoS Prevention Vendor
  • Ex: AAA should have investigative steps to determine root cause (is it old credentials on a file share or service account, or brute force attempts?)
  • Ex: AUP violations should have consequences coordinated with HR and awareness raised about severity of infraction
  • Ex: App/OS Vulnerabilities should coordinate with engineering that handles patch management and include possibly taking a server out of service until mitigated
  • Ex: Health is critically important – if you’re not getting logs from an endpoint of interest you’re in the dark as to what’s happening with it

Incident Response Playbook Example 

2. Inadequate logging to the SIEM

Another common mistake in IR is not having adequate logging in place or worse yet, no SIEM in place at all. Coordination with engineering may prove a challenge, but security teams must first be accurately aware of what’s in the environment, and second ensure that logs are ingested, correlated and monitored. 

Security must keep after it if they know, or even suspect, that there are assets in the environment that they don’t know about and/or aren’t ingesting logs.


3. Not Conducting Complete Forensic Analysis

Conducting thorough and complete root cause and forensics analysis can be missed in the heat of battle, with management demanding a return to safe operations as quickly as possible. 

Containment is not remediation; if only contained, without root cause analysis and remediation, threat actors will be back in 30-90 days or less.

Learn more about each critical phase you must have in incident response.


4. Having a Prevention Bias

Over-emphasis on preventive measures while allowing response activities to remain immature. People tend to think it can’t happen to them if they have multi-layered preventive measures in place.  “People who say they’ve never been compromised are unaware that they have been.”

Learn more about what it means to have a prevention bias.


5. Only Reacting to Real-World Security Incidents

Only reacting to real-world incidents – tabletop exercises that take the IR team through its paces are invaluable in not only keeping them fresh on what actions to take but ensure that documented procedures are still current.


Keep these common mistakes in mind throughout your incident response process. And, if you need expert advice to plan and build your own incident response process, consider CIPHER as a managed security services provider (MSSP) that can integrate a proven process directly into your business.

*** This is a Security Bloggers Network syndicated blog from Cipher Cyber Security Blog authored by Dave Rickard. Read the original post at: