SlideShare a Scribd company logo

sophos-four-key-tips-from-incident-response-experts.pdf

D
Dennis Reyes

sophos tips

Technology
1 of 6
Download to read offline
FOUR KEY TIPS FROM INCIDENT RESPONSE EXPERTS
Four Key Tips From Incident Response Experts 1 Responding to a critical cyber incident can be an incredibly stressful and intense time. While nothing can fully alleviate the pressure of dealing with an attack, understanding these key tips from incident response experts will help give your team advantages when defending your organization. This document highlights the biggest lessons everyone should learn when it comes to responding to cybersecurity incidents. They are based on the real-world experience of the Sophos Managed Threat Response and Sophos Rapid Response teams, who have collectively responded to thousands of cybersecurity incidents. Tip #1: React as quickly as possible When an organization is under attack, every second matters. There are a few reasons why teams may take too long to react. The most common is that they don’t understand the severity of the situation they find themselves in, and that lack of awareness leads to a lack of urgency. Attacks tend to hit at the most inopportune times: holidays, weekends, and in the middle of the night. Since most incident response teams are significantly understaffed, this can understandably lead to a “we’ll get to that tomorrow” attitude. But unfortunately, tomorrow may be too late to do something to minimize the impact of the attack. Overwhelmed teams are also more likely to react slowly to indicators of attack because they suffer from alert fatigue, which means signals get lost in the noise. Even when a case is initially opened, it may not be correctly prioritized due to a lack of visibility and context. This costs time, and time is not on a defender’s side when it comes to incident response. Even in situations where the security team is aware that they are under attack and something needs to be done immediately, they may not have the experience to know what to do next, which also makes them slow to respond. The best way to combat this is by planning for incidents in advance. More than half of organizations were hit by ransomware last year – and attackers succeeded in encrypting files in 73% of cases.1
Four Key Tips From Incident Response Experts 2 Tip #2: Don’t declare “mission accomplished” too soon When it comes to incident response it’s not enough to only to treat the symptoms. It’s important to treat the disease as well. When a threat is detected, the first thing to do is triage the immediate attack. This could mean cleaning up a ransomware executable or a banking Trojan or blocking the exfiltration of data. However, often teams will stop the initial attack but not realize they haven’t really solved the root cause. Successfully removing malware and clearing an alert doesn’t mean the attacker has been ejected from the environment. It’s also possible that what was detected was only a test run by the attacker to see what defenses they’re up against. If the attacker still has access, they’ll likely strike again, but more destructively. Incident response teams need to ensure they address the root cause of the original incident they mitigated. Does the attacker still have a foothold in the environment? Are they planning to launch a second wave? Incident response operators who have remediated thousands of attacks know when and where to investigate deeper. They look for anything else attackers are doing, have done, or might be planning to do in the network – and neutralize that, too. For example, in one instance, Sophos incident response specialists were able to thwart an attack that lasted nine days and saw three separate attempts by the attackers to hit an organization with ransomware. Since they were not yet a Sophos MTR customer, the Sophos Rapid Response team was first engaged. In the first wave of the attack (which was ultimately blocked by the organization’s endpoint protection solution) attackers targeted 700 computers with Maze ransomware and were making a ransom demand of US$15 million. Realizing that they were under attack, the target’s security team engaged the advanced incident response skills of the Sophos Managed Threat Response (MTR) team. The Sophos incident response specialists quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications. The Sophos MTR team was then able to defend against two additional waves of attacks by the adversary. If the attackers had succeeded and the victim had paid, this could have been one of the most expensive ransomware payments to date. In another example, the Sophos MTR team responded to a potential ransomware threat but quickly realized there was no evidence of ransomware. At this point, some teams might have closed the case and moved on to other work. However, the Sophos MTR team continued investigating and uncovered a historic banking trojan. Fortunately for this customer, the threat was no longer active, but it serves as an example of why it’s important to look beyond the initial symptoms in order to determine the full root cause, as it could be an indicator of a broader attack. SOPHOS MTR CASEBOOK: The ransomware hunt that unearthed a historic banking trojan START Customer emails in to say their vendor has been hit by ransomware. Sophos MTR team immediately starts investigating to determine if the customer is a related target. 15 MINUTES The MTR team finds no evidence of ransomware, but does see a behavioral detection for a highly obfuscated .js script that Sophos had previously blocked on execution. 38 MINUTES The MTR team sends file samples to SophosLabs for analysis and to request Indicators of Compromise (IOCs) to continue the hunt. 1 HOUR 11 MINUTES SophosLabs provides further information and IOCs for the MTR team. A new detection is created for the .js script to protect all customers. 1 HOUR 32 MINUTES Using the IOCs, the MTR team locates a process that previously called out to a C2. The team has high confidence this threat is a Qbot variant. 1 HOUR 45 MINUTES SophosLabs provides further IOCs of file paths and details of a scheduled task the script interacted with. The MTR team continues to investigate. 1 HOUR 52 MINUTES The MTR team uses the IOCs to locate historic executions, and the threat’s update and persistence mechanism. 2 HOUR 6 MINUTES Case closed. The MTR team has removed all remaining artifacts from the host and provided the customer with full details. Undiscovered Discovered Triage/Analysis Containment/Neutralization
Four Key Tips From Incident Response Experts 3 Tip #3: Complete visibility is crucial While navigating an attack, nothing makes defending an organization more difficult than flying blind. It’s important to have access to the right high-quality data, which makes it possible to accurately identify potential indicators of attack and determine root cause. Effective teams collect the right data to see the signals, can separate the signals from the noise, and know which signals are the most important to prioritize. Collecting signals Limited visibility into an environment is a sure-fire way to miss attacks. Over the years, many big-data tools have been brought to market to try and solve this specific challenge. Some rely on event-centric data like log events, others utilize threat-centric data, and others rely on a hybrid approach. Either way, the goal is the same: collect enough data to generate meaningful insights for investigating and responding to attacks that would otherwise have been missed. Collecting the right high-quality data from a wide variety of sources ensures complete visibility into an attacker’s tools, tactics, and procedures (TTPs). Otherwise, it’s likely only a portion of the attack will be seen. Reducing noise Fearing they won’t have the data they need to get the full picture of an attack, some organizations (and the security tools they rely upon) collect everything. However, they’re not making it easier to find a needle in a haystack; they’re making it harder by piling on more hay than is necessary. This not only adds to the cost of data collection and storage, but it also creates a lot of noise, which leads to alert fatigue and time wasted chasing false positives. Applying context There’s a saying among threat detection and response professionals: “Content is king, but context is queen.” Both are necessary to run an effective incident response program. Applying meaningful metadata associated to signals allows analysts to determine if such signals are malicious or benign. One of the most critical components of effective threat detection and response is prioritizing the signals that matter the most. The best way to pinpoint the alerts that matter the most is with a combination of context provided by security tools (i.e. endpoint detection and response solutions), artificial intelligence, threat intelligence, and the knowledge base of the human operator. Context helps pinpoint where a signal originated, the current stage of the attack, related events, and the potential impact to the business.
Four Key Tips From Incident Response Experts 4 Tip #4: It’s OK to ask for help No organization wants to deal with breach attempts. However, there’s no substitute for experience when comes to responding to incidents. This means that the IT and security teams often tasked with high-pressure incident response are thrown into situations that they simply don’t have the skills to deal with; situations that often have a massive impact on the business. The lack of skilled resources to investigate and respond to incidents is one of the biggest problems facing the cybersecurity industry today. This problem is so widespread that according to ESG Research2 , “34% say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.” This dilemma has given way to a new alternative: managed security services. Specifically, managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists, and act as an extension of a customer’s security team. These services combine human-led investigations, threat hunting, real-time monitoring, and incident response with a technology stack to gather and analyze intelligence. According to Gartner, “by 2025 50% of organizations will be using MDR services”3 , signaling a trend that organizations are realizing they will need help to run a complete security operations and incident response program. For organizations that have not employed an MDR service and are responding to an active attack, incident response specialist services are an excellent option. Incident responders are brought in when the security team is overwhelmed and needs outside experts to triage the attack and ensure the adversary has been neutralized. Even organizations that have a team of skilled security analysts can benefit from collaborating with an incident response service to shore up gaps in coverage (i.e. nights, weekends, holidays) and specialized roles that are needed when responding to incidents. According to analyst firm ESG, 34% of organizations say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.”2 By 2025, 50% of organizations will be using MDR services (this is up from less than 5% in 2019).3 In a 2019 survey of 3,100 IT and security professionals, 54% of respondents claimed they were “unable to take full advantage of their EDR solution” due to a lack of experienced talent.4
Four Key Tips From Incident Response Experts United Kingdom and Worldwide Sales Tel: +44 (0)8447 671131 Email: sales@sophos.com North American Sales Toll Free: 1-866-866-2802 Email: nasales@sophos.com Australia and New Zealand Sales Tel: +61 2 9409 9100 Email: sales@sophos.com.au Asia Sales Tel: +65 62244168 Email: salesasia@sophos.com © Copyright 2020. Sophos Ltd. All rights reserved. Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 20-11-09 WPEN (PS) 1 2020 survey of 5,000 IT managers https:/ /secure2.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-cybersecurity-the-human-challenge-wp.pdf 2 https:/ /www.esg-global.com/blog/soapa-discussion-on-edr-and-xdr-with-jon-oltsik-and-dave-gruber-video-part-1 3 Gartner, Market Guide for Managed Detection and Response Services, 26 August 2020, Analysts: Toby Bussa, Kelly Kavanagh, Pete Shoard, John Collins, Craig Lawson, Mitchell Schneider 4 2019 survey of 3,100 IT managers https:/ /secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/uncomfortable-truths-of-endpoint-security.aspx How Sophos can help Sophos Managed Threat Response (MTR) service Concerned about your organization’s ability to respond to a potentially serious incident? If so, the Sophos Managed Threat Response (MTR) service is an option worth considering. Sophos MTR provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully- managed service. Going beyond simply notifying you of attacks or suspicious behaviors, the Sophos MTR team takes targeted actions on your behalf to neutralize even the most sophisticated and complex threats. If an incident does occur, the MTR team will initiate actions to remotely disrupt, contain, and neutralize the threat. The team of security operations experts also provide actionable advice for addressing the root causes of recurring incidents. Learn more at www.sophos.com/mtr Sophos Rapid Response service If your organization is under attack and needs immediate incident response assistance, Sophos can help. Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers. The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets. Learn more at www.sophos.com/rapidresponse Sophos Intercept X Advanced with EDR Organizations looking to increase their ability to detect, investigate, and response to incidents in-house should consider adding Sophos endpoint detection and response (EDR) capabilities. Sophos Intercept X Advanced with EDR enables your team to conduct threat hunting and helps keep IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities – and then quickly take appropriate action to stop them. Learn more and try it for free at www.sophos.com/edr

Recommended

Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Ricardo Resnik
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Damballa automated breach defense june 2014
Damballa automated breach defense june 2014Damballa automated breach defense june 2014
Damballa automated breach defense june 2014Ricardo Resnik
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Armor
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesSplunk
 
DamballaOverview
DamballaOverviewDamballaOverview
DamballaOverviewDavid C. Petty
 

Recommended

Hands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinHands on Security, Disrupting the Kill Chain, SplunkLive! Austin
Hands on Security, Disrupting the Kill Chain, SplunkLive! AustinSplunk
 
Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Cyber Security protection by MultiPoint Ltd.
Cyber Security protection by MultiPoint Ltd.Ricardo Resnik
 
IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015IBM X-Force Threat Intelligence Quarterly Q4 2015
IBM X-Force Threat Intelligence Quarterly Q4 2015Andreanne Clarke
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Damballa automated breach defense june 2014
Damballa automated breach defense june 2014Damballa automated breach defense june 2014
Damballa automated breach defense june 2014Ricardo Resnik
 
Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Cybersecurity - Whose responsibility is it?
Cybersecurity - Whose responsibility is it?Armor
 
Best Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesBest Practices for Scoping Infections and Disrupting Breaches
Best Practices for Scoping Infections and Disrupting BreachesSplunk
 
DamballaOverview
DamballaOverviewDamballaOverview
DamballaOverviewDavid C. Petty
 
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...IJNSA Journal
 
PHISHING PROTECTION
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTIONSylvain Martinez
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtableJunSeok Seo
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOKBoris Loukanov
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
 
Incident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultIncident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultJermund Ottermo
 
Ransomware 2020 Report
Ransomware 2020 ReportRansomware 2020 Report
Ransomware 2020 ReportFortis
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...Shawn Tuma
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
SentinelOne Buyers Guide
SentinelOne Buyers GuideSentinelOne Buyers Guide
SentinelOne Buyers GuideExclusive Networks ME
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneSean Roth
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsPriyanka Aash
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hackingAsaduzzaman Kanok
 
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...infosecTrain
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 

More Related Content

What's hot

Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
 
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...IJNSA Journal
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtableJunSeok Seo
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOKBoris Loukanov
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitShawn Tuma
 
Incident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultIncident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultJermund Ottermo
 
Ransomware 2020 Report
Ransomware 2020 ReportRansomware 2020 Report
Ransomware 2020 ReportFortis
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfslametarrokhim1
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesEC-Council
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceVishal Kumar
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...Shawn Tuma
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadOpenDNS
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneSean Roth
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...EC-Council
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsPriyanka Aash
 

What's hot (20)

Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House CounselAdam Palmer: Managing Advanced Cyber Threats for In-House Counsel
Adam Palmer: Managing Advanced Cyber Threats for In-House Counsel
 
INCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATION
 
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
ONTOLOGY-BASED MODEL FOR SECURITY ASSESSMENT: PREDICTING CYBERATTACKS THROUGH...
 
PHISHING PROTECTION
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTION
 
201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable201408 fire eye korea user event press roundtable
201408 fire eye korea user event press roundtable
 
2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK2016 CYBERSECURITY PLAYBOOK
2016 CYBERSECURITY PLAYBOOK
 
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
 
Incident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVaultIncident Response Whitepaper - AlienVault
Incident Response Whitepaper - AlienVault
 
Ransomware 2020 Report
Ransomware 2020 ReportRansomware 2020 Report
Ransomware 2020 Report
 
Understanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdfUnderstanding Cyber Attack - Cyber Kill Chain.pdf
Understanding Cyber Attack - Cyber Kill Chain.pdf
 
Endpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
 
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent AdversariesUsing Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
Using Hackers’ Own Methods and Tools to Defeat Persistent Adversaries
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
The Legal Case for Cybersecurity: Implementing and Maturing a Cyber Risk Mana...
 
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie AheadRethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
Rethinking Cyber-Security: 7 Key Strategies for the Challenges that Lie Ahead
 
SentinelOne Buyers Guide
SentinelOne Buyers GuideSentinelOne Buyers Guide
SentinelOne Buyers Guide
 
CIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOneCIO Review 2016-AUG SentinelOne
CIO Review 2016-AUG SentinelOne
 
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
Security Metrics Rehab: Breaking Free from Top ‘X’ Lists, Cultivating Organic...
 
Risk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security ControlsRisk Analysis using open FAIR and Adoption of right Security Controls
Risk Analysis using open FAIR and Adoption of right Security Controls
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 

Similar to sophos-four-key-tips-from-incident-response-experts.pdf

Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...infosecTrain
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...CODE BLUE
 
How to recover from your next data breach
How to recover from your next data breachHow to recover from your next data breach
How to recover from your next data breachSILO Compliance Systems
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecCheapSSLsecurity
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyRapidSSLOnline.com
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementMighty Guides, Inc.
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controlsAlienVault
 
React Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident ResponseReact Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident ResponseSilvioPappalardo
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise21CT Inc.
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Symantec
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilienceSymantec
 
threat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperthreat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperRudy Piekarski
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperDuncan Hart
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...Kaspersky
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperCMR WORLD TECH
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018Panda Security
 

Similar to sophos-four-key-tips-from-incident-response-experts.pdf (20)

Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
Explore SOC (Security Operations Center)-based Interview Questions to Unlock ...
 
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
[cb22] Keynote: Underwhelmed: Making Sense of the Overwhelming Challenge of C...
 
Threat Hunters
Threat HuntersThreat Hunters
Threat Hunters
 
How to recover from your next data breach
How to recover from your next data breachHow to recover from your next data breach
How to recover from your next data breach
 
Future Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - SymantecFuture Cyber Attacks & Solution - Symantec
Future Cyber Attacks & Solution - Symantec
 
Preparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategyPreparing for future attacks - the right security strategy
Preparing for future attacks - the right security strategy
 
CYBER ATTACK RECOVERY GUIDE
CYBER ATTACK RECOVERY GUIDECYBER ATTACK RECOVERY GUIDE
CYBER ATTACK RECOVERY GUIDE
 
CounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat ManagementCounterTack: 10 Experts on Active Threat Management
CounterTack: 10 Experts on Active Threat Management
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse
 
Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
React Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident ResponseReact Faster and Better: New Approaches for Advanced Incident Response
React Faster and Better: New Approaches for Advanced Incident Response
 
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of CompromiseInsight Brief: Security Analytics to Identify the 12 Indicators of Compromise
Insight Brief: Security Analytics to Identify the 12 Indicators of Compromise
 
Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...Preparing for future attacks. Solution Brief: Implementing the right securit...
Preparing for future attacks. Solution Brief: Implementing the right securit...
 
Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015Mark Lanterman - The Risk Report October 2015
Mark Lanterman - The Risk Report October 2015
 
Symantec cyber-resilience
Symantec cyber-resilienceSymantec cyber-resilience
Symantec cyber-resilience
 
threat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaperthreat-lifecycle-management-whitepaper
threat-lifecycle-management-whitepaper
 
Threat Lifecycle Management_Whitepaper
Threat Lifecycle Management_WhitepaperThreat Lifecycle Management_Whitepaper
Threat Lifecycle Management_Whitepaper
 
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
A Buyers Guide to Investing in Endpoint Detection and Response for Enterprise...
 
Security - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaperSecurity - intelligence - maturity-model-ciso-whitepaper
Security - intelligence - maturity-model-ciso-whitepaper
 
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 

Recently uploaded

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 

Recently uploaded (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 

sophos-four-key-tips-from-incident-response-experts.pdf

  • 1. FOUR KEY TIPS FROM INCIDENT RESPONSE EXPERTS
  • 2. Four Key Tips From Incident Response Experts 1 Responding to a critical cyber incident can be an incredibly stressful and intense time. While nothing can fully alleviate the pressure of dealing with an attack, understanding these key tips from incident response experts will help give your team advantages when defending your organization. This document highlights the biggest lessons everyone should learn when it comes to responding to cybersecurity incidents. They are based on the real-world experience of the Sophos Managed Threat Response and Sophos Rapid Response teams, who have collectively responded to thousands of cybersecurity incidents. Tip #1: React as quickly as possible When an organization is under attack, every second matters. There are a few reasons why teams may take too long to react. The most common is that they don’t understand the severity of the situation they find themselves in, and that lack of awareness leads to a lack of urgency. Attacks tend to hit at the most inopportune times: holidays, weekends, and in the middle of the night. Since most incident response teams are significantly understaffed, this can understandably lead to a “we’ll get to that tomorrow” attitude. But unfortunately, tomorrow may be too late to do something to minimize the impact of the attack. Overwhelmed teams are also more likely to react slowly to indicators of attack because they suffer from alert fatigue, which means signals get lost in the noise. Even when a case is initially opened, it may not be correctly prioritized due to a lack of visibility and context. This costs time, and time is not on a defender’s side when it comes to incident response. Even in situations where the security team is aware that they are under attack and something needs to be done immediately, they may not have the experience to know what to do next, which also makes them slow to respond. The best way to combat this is by planning for incidents in advance. More than half of organizations were hit by ransomware last year – and attackers succeeded in encrypting files in 73% of cases.1
  • 3. Four Key Tips From Incident Response Experts 2 Tip #2: Don’t declare “mission accomplished” too soon When it comes to incident response it’s not enough to only to treat the symptoms. It’s important to treat the disease as well. When a threat is detected, the first thing to do is triage the immediate attack. This could mean cleaning up a ransomware executable or a banking Trojan or blocking the exfiltration of data. However, often teams will stop the initial attack but not realize they haven’t really solved the root cause. Successfully removing malware and clearing an alert doesn’t mean the attacker has been ejected from the environment. It’s also possible that what was detected was only a test run by the attacker to see what defenses they’re up against. If the attacker still has access, they’ll likely strike again, but more destructively. Incident response teams need to ensure they address the root cause of the original incident they mitigated. Does the attacker still have a foothold in the environment? Are they planning to launch a second wave? Incident response operators who have remediated thousands of attacks know when and where to investigate deeper. They look for anything else attackers are doing, have done, or might be planning to do in the network – and neutralize that, too. For example, in one instance, Sophos incident response specialists were able to thwart an attack that lasted nine days and saw three separate attempts by the attackers to hit an organization with ransomware. Since they were not yet a Sophos MTR customer, the Sophos Rapid Response team was first engaged. In the first wave of the attack (which was ultimately blocked by the organization’s endpoint protection solution) attackers targeted 700 computers with Maze ransomware and were making a ransom demand of US$15 million. Realizing that they were under attack, the target’s security team engaged the advanced incident response skills of the Sophos Managed Threat Response (MTR) team. The Sophos incident response specialists quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications. The Sophos MTR team was then able to defend against two additional waves of attacks by the adversary. If the attackers had succeeded and the victim had paid, this could have been one of the most expensive ransomware payments to date. In another example, the Sophos MTR team responded to a potential ransomware threat but quickly realized there was no evidence of ransomware. At this point, some teams might have closed the case and moved on to other work. However, the Sophos MTR team continued investigating and uncovered a historic banking trojan. Fortunately for this customer, the threat was no longer active, but it serves as an example of why it’s important to look beyond the initial symptoms in order to determine the full root cause, as it could be an indicator of a broader attack. SOPHOS MTR CASEBOOK: The ransomware hunt that unearthed a historic banking trojan START Customer emails in to say their vendor has been hit by ransomware. Sophos MTR team immediately starts investigating to determine if the customer is a related target. 15 MINUTES The MTR team finds no evidence of ransomware, but does see a behavioral detection for a highly obfuscated .js script that Sophos had previously blocked on execution. 38 MINUTES The MTR team sends file samples to SophosLabs for analysis and to request Indicators of Compromise (IOCs) to continue the hunt. 1 HOUR 11 MINUTES SophosLabs provides further information and IOCs for the MTR team. A new detection is created for the .js script to protect all customers. 1 HOUR 32 MINUTES Using the IOCs, the MTR team locates a process that previously called out to a C2. The team has high confidence this threat is a Qbot variant. 1 HOUR 45 MINUTES SophosLabs provides further IOCs of file paths and details of a scheduled task the script interacted with. The MTR team continues to investigate. 1 HOUR 52 MINUTES The MTR team uses the IOCs to locate historic executions, and the threat’s update and persistence mechanism. 2 HOUR 6 MINUTES Case closed. The MTR team has removed all remaining artifacts from the host and provided the customer with full details. Undiscovered Discovered Triage/Analysis Containment/Neutralization
  • 4. Four Key Tips From Incident Response Experts 3 Tip #3: Complete visibility is crucial While navigating an attack, nothing makes defending an organization more difficult than flying blind. It’s important to have access to the right high-quality data, which makes it possible to accurately identify potential indicators of attack and determine root cause. Effective teams collect the right data to see the signals, can separate the signals from the noise, and know which signals are the most important to prioritize. Collecting signals Limited visibility into an environment is a sure-fire way to miss attacks. Over the years, many big-data tools have been brought to market to try and solve this specific challenge. Some rely on event-centric data like log events, others utilize threat-centric data, and others rely on a hybrid approach. Either way, the goal is the same: collect enough data to generate meaningful insights for investigating and responding to attacks that would otherwise have been missed. Collecting the right high-quality data from a wide variety of sources ensures complete visibility into an attacker’s tools, tactics, and procedures (TTPs). Otherwise, it’s likely only a portion of the attack will be seen. Reducing noise Fearing they won’t have the data they need to get the full picture of an attack, some organizations (and the security tools they rely upon) collect everything. However, they’re not making it easier to find a needle in a haystack; they’re making it harder by piling on more hay than is necessary. This not only adds to the cost of data collection and storage, but it also creates a lot of noise, which leads to alert fatigue and time wasted chasing false positives. Applying context There’s a saying among threat detection and response professionals: “Content is king, but context is queen.” Both are necessary to run an effective incident response program. Applying meaningful metadata associated to signals allows analysts to determine if such signals are malicious or benign. One of the most critical components of effective threat detection and response is prioritizing the signals that matter the most. The best way to pinpoint the alerts that matter the most is with a combination of context provided by security tools (i.e. endpoint detection and response solutions), artificial intelligence, threat intelligence, and the knowledge base of the human operator. Context helps pinpoint where a signal originated, the current stage of the attack, related events, and the potential impact to the business.
  • 5. Four Key Tips From Incident Response Experts 4 Tip #4: It’s OK to ask for help No organization wants to deal with breach attempts. However, there’s no substitute for experience when comes to responding to incidents. This means that the IT and security teams often tasked with high-pressure incident response are thrown into situations that they simply don’t have the skills to deal with; situations that often have a massive impact on the business. The lack of skilled resources to investigate and respond to incidents is one of the biggest problems facing the cybersecurity industry today. This problem is so widespread that according to ESG Research2 , “34% say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.” This dilemma has given way to a new alternative: managed security services. Specifically, managed detection and response (MDR) services. MDR services are outsourced security operations delivered by a team of specialists, and act as an extension of a customer’s security team. These services combine human-led investigations, threat hunting, real-time monitoring, and incident response with a technology stack to gather and analyze intelligence. According to Gartner, “by 2025 50% of organizations will be using MDR services”3 , signaling a trend that organizations are realizing they will need help to run a complete security operations and incident response program. For organizations that have not employed an MDR service and are responding to an active attack, incident response specialist services are an excellent option. Incident responders are brought in when the security team is overwhelmed and needs outside experts to triage the attack and ensure the adversary has been neutralized. Even organizations that have a team of skilled security analysts can benefit from collaborating with an incident response service to shore up gaps in coverage (i.e. nights, weekends, holidays) and specialized roles that are needed when responding to incidents. According to analyst firm ESG, 34% of organizations say their biggest challenge is that they lack skilled resources to investigate a cybersecurity incident involving an endpoint to determine root cause and the attack chain.”2 By 2025, 50% of organizations will be using MDR services (this is up from less than 5% in 2019).3 In a 2019 survey of 3,100 IT and security professionals, 54% of respondents claimed they were “unable to take full advantage of their EDR solution” due to a lack of experienced talent.4
  • 6. Four Key Tips From Incident Response Experts United Kingdom and Worldwide Sales Tel: +44 (0)8447 671131 Email: sales@sophos.com North American Sales Toll Free: 1-866-866-2802 Email: nasales@sophos.com Australia and New Zealand Sales Tel: +61 2 9409 9100 Email: sales@sophos.com.au Asia Sales Tel: +65 62244168 Email: salesasia@sophos.com © Copyright 2020. Sophos Ltd. All rights reserved. Registered in England and Wales No. 2096520, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, UK Sophos is the registered trademark of Sophos Ltd. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 20-11-09 WPEN (PS) 1 2020 survey of 5,000 IT managers https:/ /secure2.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/sophos-cybersecurity-the-human-challenge-wp.pdf 2 https:/ /www.esg-global.com/blog/soapa-discussion-on-edr-and-xdr-with-jon-oltsik-and-dave-gruber-video-part-1 3 Gartner, Market Guide for Managed Detection and Response Services, 26 August 2020, Analysts: Toby Bussa, Kelly Kavanagh, Pete Shoard, John Collins, Craig Lawson, Mitchell Schneider 4 2019 survey of 3,100 IT managers https:/ /secure2.sophos.com/en-us/security-news-trends/whitepapers/gated-wp/uncomfortable-truths-of-endpoint-security.aspx How Sophos can help Sophos Managed Threat Response (MTR) service Concerned about your organization’s ability to respond to a potentially serious incident? If so, the Sophos Managed Threat Response (MTR) service is an option worth considering. Sophos MTR provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully- managed service. Going beyond simply notifying you of attacks or suspicious behaviors, the Sophos MTR team takes targeted actions on your behalf to neutralize even the most sophisticated and complex threats. If an incident does occur, the MTR team will initiate actions to remotely disrupt, contain, and neutralize the threat. The team of security operations experts also provide actionable advice for addressing the root causes of recurring incidents. Learn more at www.sophos.com/mtr Sophos Rapid Response service If your organization is under attack and needs immediate incident response assistance, Sophos can help. Delivered by an expert team of incident responders, Sophos Rapid Response provides lightning-fast assistance with identification and neutralization of active threats against organizations. On-boarding starts within hours, and most customers are triaged within 48 hours. The service is available for both existing Sophos customers as well as non-Sophos customers. The Sophos Rapid Response team of remote incident responders quickly takes action to triage, contain, and neutralize active threats. Adversaries are ejected from your estate to prevent further damage to your assets. Learn more at www.sophos.com/rapidresponse Sophos Intercept X Advanced with EDR Organizations looking to increase their ability to detect, investigate, and response to incidents in-house should consider adding Sophos endpoint detection and response (EDR) capabilities. Sophos Intercept X Advanced with EDR enables your team to conduct threat hunting and helps keep IT operations hygiene running smoothly across your entire estate. Sophos EDR empowers your team to ask detailed questions to identify advanced threats, active adversaries, and potential IT vulnerabilities – and then quickly take appropriate action to stop them. Learn more and try it for free at www.sophos.com/edr