Why a proactive detection and incident response plan is crucial for your organization

The security community is continuously changing, growing, and learning from each other to better position the world against cyberthreats. In the latest post of our Community Voices blog series, Microsoft Security Senior Product Marketing Manager Brooke Lynn Weenig talks with Matt Suiche, Director of Research and Development for Memory Analysis and Incident Response for Magnet Forensics. The thoughts below reflect Matt’s views, not the views of Matt’s employer or Microsoft, and are not legal advice. In this blog post, Matt talks about incident response.

Brooke: What are the top threats impacting organizations?

Matt: One of the big threats is business email compromise, with all the phishing happening of organizations and billions of dollars being stolen because of invoices being modified after attackers access the mailboxes of key employees.

Another threat is info-stealers. Essentially, ransomware involved criminal groups breaching organizations’ infrastructure, encrypting their files, and asking for ransom. Now, because more organizations are aware of that threat, they have become more proactive, and use backups. This is why criminal groups are switching to info-stealers, where they steal that sensitive information rather than randomly encrypting files. They are more strategic with the data they are stealing, so they can monetize the information. Ransomware actors even buy the credentials of companies on different forums or from other criminal groups.

Brooke: How can organizations reduce the risk of threats?

Matt: Reducing your risk is a continuous process because threats today are different from a few years ago and they are different from what they will be in one to three years.

Organizations must understand that there will never be zero risk. That is why it is important to be proactive when it comes to detection as well as have a strong, quick, and efficient incident response plan in place. We enable our users to proactively hunt for threats not only after breaches but also as a routine exercise as sometimes actors can be present in your network for months before they take any visible actions.

This plan should also include digital forensics—uncovering root causes and working those learnings back into the rest of the organization to remediate vulnerabilities, as well as improve the overall incident response plan, which is another strong way to reduce the risk of attack through similar methods.

Brooke: How do you get leadership buy-in to build an incident response team?

Matt: To get budget, the chief information security officer needs to convince upper management of being prepared for a cyber breach, as it is inevitable. At organizations that understand the security risk, it may be easier to get budget, but then it is about how you deploy that budget. That comes down to the organization and leadership prioritizing what they want to focus on based on the actual threat model of the organization and areas where they know they are weak and want to improve.

The answer is going to differ from one organization to another, but the main thing is to make sure that leadership understands the risk of poor cybersecurity and a lack of preparedness for when a breach occurs. Fortunately, in 2023, there are enough stories in the press, movies, TV shows, and books to do the job for people.

Brooke: How does an organization develop an efficient incident response process?

Matt: First, each organization needs to understand its threat model, because each organization has different risks. The issues of a healthcare company and a financial institution are going to be completely different, and even the people targeting you would have different attack strategies.

Organizations need to focus on both detection and response capabilities. Detection involves being proactive, making sure you have visibility of your network and understand what is happening. If there is a threat, you detect it. The response part is why you have an incident response plan and digital forensics capabilities in place. If something is happening, you need to be able to investigate it immediately and thoroughly.

Organizations also need to understand their threat model and the profile of people that may be going after them. Based on that information, focus on a strategy for detection and a strategy for incident response. Threat intelligence is a component of both.

Everyone also needs to have a backup plan internally whenever they investigate because detection is great but not perfect.

Brooke: What do we need to know about incident response to protect ourselves?

Matt: Unfortunately, a lot of security processes involve humans, so if you are a large organization, automate as much as you can to avoid security people experiencing burnout and so your company can be more efficient.

If you are an organization developing software, make sure you have proper application security people in place. If you are handling data, make sure you have good controls in place. If you are a financial institution, you are going to need all of the above, so it really depends on the profile of the organization. It is about people being logical and not only relying on security products.

Brooke: Why is multifactor authentication so important?

Matt: With identity, we are talking about control. Multifactor authentication is great because it adds a layer to authentication. As long as we depend on passwords for authentication, multifactor authentication is a must because of the issues happening with spear phishing, business email compromise, and databases containing passwords being leaked.

Passwordless is the future of authentication. Until we move toward the direction of passwordless authentication, two-factor authentication is going to be a must.

Brooke: How do you sift through information about a threat effectively without burnout?

Matt: AI is good if you know and understand the data you have, which is not often the case. Information triage is always required. Organizations need to understand their needs properly and not simply be driven by checkbooks or just check boxes because of compliance.

A good first step is what we call a priority intelligence requirement. Data is always about context. You need to understand what type of data you have to categorize it and then that can be efficient. If you have a lot of information, it is good, but if you have data with no context, it is useless. That is why you need to always make sure you have the right context, and that what you are collecting is responding to your intelligence requirements.

Brooke: What is the best way to monitor tenant administrator accounts?

Matt: This goes back to building a proper threat model so organizations can identify potential infection vectors and how administrative accounts are being used. In a lot of cases, you may have administrative accounts that are completely forgotten or hidden somewhere. For example, an employee left, and that account was not disabled.

That is why I like authentication. More organizations are using single sign-on (SSO) technologies in addition to multifactor authentication. Another great way to do this is to avoid multiple accounts and centralize identity and control so it is easier to monitor. It is a difficult exercise because you may have multiple Microsoft Azure Active Directory accounts, multiple cloud providers, different accounts for accounting, or other things not inside the SSO. If you do a threat model, you can list all the ways of authentication that would require monitoring in the first place.

Brooke: What is your advice for incident response teams, whether one person or more?

Matt: Whether one person handles incident response, or you have a team of 10 people, you must understand what you do well but also your limitations. Understanding your limitations is often quite tricky because people do not like the exercise of discovering what is missing or requires improvement.

Sometimes, the security approach is generic and aligned with compliance checkboxes when it should be more practical. The more practical it is, the easier it is to make decisions. Understand your current capabilities and weaknesses, then focus on where you have gaps. Start with creating an incident response plan and aligning your internal stakeholders around it. Ensure it includes steps for what happens during and immediately after the breach and post-incident so that you can learn from the incident and come out stronger. If you just spend your time filtering and doing triage of data and information, it is like running in the sand backward.

Learn more

Learn more about Microsoft Incident Response.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and Twitter (@MSFTSecurity) for the latest news and updates on cybersecurity.

READ MORE HERE