Preparation Is Not Meaningless! Ten Incident Response Preparation Items For All Organizations

2024.09.20

The harsh reality is that cyber threats aren’t going away! As technology continues to evolve, so will the tactics and techniques used by threat actors. A recent report from Statista shows that by 2029, the cost of global cybercrime will reach $15.63 trillion. To combat this, one of the most important things an organization can do is to be prepared. According to the National Institute of Standards and Technology (NIST), of the four key phases of the incident response lifecycle, the first and most important is preparation.

Organizations can take several proactive preparation steps to ensure incident response (IR) readiness, including regular risk assessments, implementing comprehensive security policies, and providing continuous monitoring and threat intelligence collection. Organizations can also enhance their IR capabilities by investing in training programs and simulation exercises to respond more quickly and effectively to cyber incidents.

The following are some preparation activities that organizations can undertake before any cybersecurity incident occurs, which can ultimately help improve the organization’s overall IR and cybersecurity maturity.

1. Conduct an IR readiness assessment

Untested organizations may not fully grasp what they don’t know. An IR preparedness assessment conducted by an external third party provides a critical view of the organization’s current state of preparedness. Such an assessment includes evaluating processes, procedures, people, documentation, and technology to measure the maturity of the organization’s overall IR preparedness. Unlike an audit, the goal of these assessments is to identify potential weaknesses that could impair the organization’s ability to respond effectively to an incident.

Organizations can proactively address potential deficiencies by identifying people (capabilities and skills gaps), processes, or technology. This proactive approach not only strengthens cyber threat defenses, but also provides opportunities to improve readiness. Ultimately, such assessments enable organizations to strengthen their defenses and better protect themselves in an increasingly complex and challenging cybersecurity environment.

2. Develop a robust IR plan

An IR plan is a comprehensive guide to managing cyber incidents. It meticulously outlines an organization’s response strategy before, during, and after an incident of any type and severity. It also details the structure of the organization’s IR team, specifying roles and responsibilities to ensure clarity and efficiency during an incident.

The plan should include the basic steps of IR: preparation, detection and analysis, containment, eradication and recovery, and post-incident activities. Each step is designed to systematically address and mitigate the impact of the incident, ensuring a structured approach to incident management. In addition, an effective plan will define goals and objectives, incident severity, and other key factors that contribute to a comprehensive response framework.

Most importantly, the IR plan should be viewed as a living document. It needs to be regularly updated and maintained to remain effective and relevant. Fortinet recommends reviewing the plan biennially and reassessing it after every major incident. This review process ensures that lessons learned are integrated into the plan and that any changes in the organization are reflected and addressed.

Without such a plan, an organization may make hasty decisions during a crisis, leading to costly and ineffective outcomes. A well-maintained IR plan can provide a clear roadmap during an incident and enhance the organization's ability to respond to challenges quickly and effectively.

3. Provide guidance through the IR manual

An incident response playbook is an important extension of a broader IR plan, providing standardized procedures for specific incidents. The playbook provides a clear, actionable framework that outlines the precise steps an organization must take to prepare for, respond to, and recover from a variety of different types of incidents. By focusing on specific incident scenarios, the playbook ensures that the response is not only swift, but also effective and consistent.

Each IR manual provides detailed guidance for all phases of an IR, including preparation, detection and analysis, containment, eradication, recovery, and post-incident activities. These documents should also be designed to be comprehensive, including step-by-step action items assigned to specific members of the response team. This level of detail ensures that during an incident response, all tasks are considered and every objective is met.

Typical playbooks include ransomware, malware, business email compromise (BEC), denial of service attacks, data loss incidents, lost or stolen devices, insider threats, and zero-day vulnerabilities. The playbook should describe specific actions and responsibilities for each scenario, ensuring that the response team is fully prepared to handle the incident effectively and confidently.

4. Test your IR plan with a tabletop exercise

Once the IR plans and manuals are ready, it’s time to test them using a tabletop exercise. According to NIST, a tabletop exercise is “a discussion-based exercise in which personnel (discuss) their roles in an emergency and how they would respond to a specific emergency.”

Simply put, a tabletop exercise is like a role-playing game. A facilitator provides participants with facts, or “injections,” about a fictitious cybersecurity incident. Participants then discuss how to respond to these “facts,” using the IR plan and playbook as guidance. These exercises can be developed to cater to specific audiences, often as an operational exercise for technical team members, or as a high-level exercise for organizational leaders to focus on business and policy-related decisions during an incident.

Tabletop exercises should be conducted at least annually. However, a quarterly cycle is optimal for teams to stay fresh and improve their ability to respond to cybersecurity incidents.

5. Develop system inventory and network diagram

Unfortunately, many security and IT professionals don't know what IR resources exist or how to access them. This makes it difficult for security teams to understand the context of known activity or effectively discover the breadth and depth of an incident, and critical time is wasted tracking down business owners, building network maps, or other activities that should have been implemented before an incident occurred. This can significantly slow response efforts and exacerbate business impact.

The system inventory should include key identifying information such as business owner, system function, host name and IP, data classification, data criticality, relevant audit or regulatory information, and other key identifying information that may be useful to incident responders. This information can help identify and ensure timely response to the most critical systems across the organization. It is also important to understand the business processes associated with these systems so that informed decisions can be made throughout the incident process.

Network maps help incident responders understand the location of systems, network segmentation, and potential choke points or isolation points that can be used to help contain and eliminate threat actors. Developing a system inventory and network map prior to an incident can enable a more efficient response, allowing responders to understand the impact to the organization if a given system were compromised during an incident.

6. Implement a patch management process

Threat actors are gaining a long-term and stable foothold by exploiting vulnerabilities in public systems as an initial access vector. According to FortiGuard survey data, 46% of all IR incidents handled in the second half of 2023 and the first half of 2024 were directly caused by vulnerabilities in public-facing applications. Vendors typically provide patches for these vulnerabilities weeks, months, or even years before attackers exploit them. While some may argue that patching is not foolproof due to the existence of zero-day vulnerabilities, patching can effectively reduce the threat scope of an organization and eliminate easy targets, making it an indispensable defensive measure.

7. Perform regular vulnerability assessments and penetration tests

Vulnerability assessments are essential to evaluating and improving the effectiveness of your patch management process. These assessments are typically targeted at internal/external IPs or systems, using automated tools and manual techniques to check for existing vulnerabilities between systems, applications, and network devices. During this assessment process, it is critical to carefully review the results to eliminate false positives and accurately assess the potential impact of the vulnerability on the organization.

While vulnerability assessments focus on known vulnerabilities, penetration testing plays a complementary role in discovering unknown vulnerabilities that could compromise an organization's network, systems, or applications. Penetration testing can be tailored to a specific environment, such as an internal or external network, to identify potential entry points that threat actors could exploit. Alternatively, penetration testing may focus on a specific web or mobile application, performing a thorough examination to identify potential vulnerabilities that could be exploited maliciously or to gain unauthorized access within a network.

Although regulations may require organizations to perform annual penetration tests on specific environments, for many organizations it is wise to perform these assessments more frequently. Given the dynamic nature of network environments, vulnerability assessments should be performed regularly, typically monthly, while penetration testing is typically performed at least annually, and more frequently if possible.

8. Check the Active Directory environment

Active Directory (AD) infrastructures typically scale as organizations grow. While AD environments are part of identity and access management (IAM) programs, they are often overlooked when it comes to thorough management and security oversight. Performing a comprehensive review of your AD environment to ensure it is aligned with key recommendations from Microsoft and standards organizations such as NIST will not only enhance the overall security posture of your AD configuration, facilitate optimization of logging capabilities, and drive more effective incident detection and investigation efforts.

Assessments of your AD environment should include evaluating its configuration against industry best practices. This process is designed to identify and remediate potential security gaps, misconfigurations, or vulnerabilities that malicious actors could exploit. By implementing recommended protocols, organizations can significantly reduce overall threats and strengthen defenses against unauthorized access and potential breaches.

Reviewing and enhancing AD logging is essential for fast and accurate incident response. Properly configured logs provide critical insights into user activity, authentication attempts, and system events, enabling security teams to detect and mitigate threats in a timely manner. This proactive approach helps reduce potential risks and ensures compliance with regulatory requirements and industry standards. A comprehensive review and ongoing management of the AD environment helps maintain robust IAM practices and enhance overall network security resilience.

9. Enable centralized logging and ensure monitoring

Many cybersecurity incidents can go undetected for weeks or even months, highlighting the critical role logs play in effective incident investigations. Adopting a risk-based approach is essential to determining which logs to capture, defining retention periods, and establishing the necessary level of detail to support the investigation process. By integrating logs generated by devices, networks, and security solutions, organizations can correlate data to aid investigations and detect anomalous behavior in their environment.

Centralized logging forms the foundation of an effective detection program, but monitoring this information is equally important. Without strong monitoring, organizations may ignore or miss critical alerts, which could lead to escalation of cybersecurity incidents. Therefore, organizations must ensure timely responses to anomalies and alerts identified through centralized logs and security alert mechanisms.

By integrating centralized logging and monitoring, organizations can proactively identify and respond to incidents before they escalate into full-blown incidents. This proactive posture strengthens IR capabilities, improves overall network resiliency, and better protects against potential threats in today's dynamic threat environment.

Don’t forget the end user

The FortiGuard IR team has observed a significant increase in the use of valid credentials over the past year, accounting for approximately 54% of initial access methods. This trend indicates that attackers are becoming more sophisticated and are leveraging legitimate credentials to gain unauthorized access to bypass traditional security measures. To effectively combat this threat, organizations should prioritize analyzing normal user behavior in their environment to identify outliers that indicate malicious activity. A powerful approach is to implement user and entity behavior analytics (UEBA). UEBA leverages advanced algorithms and machine learning to monitor user actions, establish behavioral baselines, and detect anomalies that may signal a security incident.

However, sophisticated tools are not required for user behavior analytics, provided that robust logging practices are in place (see item 9 above). Organizations can create comprehensive behavioral baselines by systematically logging various user activities, such as login times, devices used for authentication, systems accessed, and applications used. These baselines are able to identify outliers that may indicate potential cybersecurity incidents. Defining what is normal behavior and establishing thresholds for abnormal activity are critical steps. When anomalies are detected, it indicates that an account may have been compromised or there is an insider threat, requiring immediate investigation and response. However, regardless of how user behavior analysis is conducted, an action guide must be prepared for responders.

Integrating behavioral analytics into security strategies is critical to mitigating the growing threat of credential abuse. By leveraging UEBA (or even basic logging and monitoring), organizations can create a dynamic, responsive security posture that quickly identifies and mitigates threats. This proactive approach enhances early detection of malicious activity, improves IR capabilities, and strengthens the organization's security framework.