Questions to Ask Your Incident Response Provider

Intro

It is said that somebody once asked Robert Baden-Powell, the founder of the worldwide Scout movement, what he meant when he coined the motto “Be Prepared.”

“Be prepared for what?” the person asked.

“Why, for any old thing,” responded Baden-Powell.

What Baden-Powell meant by this was that we must always be prepared for whatever challenges might lie ahead.

In cybersecurity, this means being prepared for the possibility of a data breach. As important as threat detection is, you can never be sure of preventing every cyber-attack. Indeed, a recent survey of 2,600 executives found that almost half of U.S. companies have suffered a data breach in the past, and many of these businesses believed they were fully protected.

Incident response (IR) is critical to mitigating the fallout from a data breach. If your business uses a managed SOC provider for its cybersecurity, then incident response must be included in your package.

Here are 13 questions to ask your incident response provider.

1. Which tools do you use?

1. Which tools do you use?

First and foremost, you should ask your IR team if they use your tools and hardware or deploy their own dedicated tools or agents.

But this is just the beginning. You should also ask which tools they use for:

  • Artifacts acquisition, e.g. open-source forensics tools, commercial forensics tools, IT tools;
  • Live memory analysis, e.g. open-source tools, client’s tools, or a forensic agent/endpoint detection and response (EDR) tool;
  • Data analysis; and
  • Viewing data insights.
2. What are your incident response capabilities?

2. What are your incident response capabilities?

Of course, tools on their own aren’t enough. Your IR provider must have the required capabilities. Ask them to showcase their expertise by being able to:

  • Investigate and find the threat and root cause;
  • Suggest and recommend remediation actions;
  • Conduct static and dynamic analysis;
  • Reverse engineer any malware;
  • Detect correlation to an advanced persistent threat (APT) or another type of malware campaign; and
  • Use best practice and digital evidence-handling methodologies to apply the report in the court of law.
3. What are your hours?

3. What are your hours?

This is a simple one. Attackers work around the clock and your IR team must as well. Incident response should be available 24 hours, 7 days a week, 365 days a year.

4. Who is available if a data breach occurs?

4. Who is available if a data breach occurs?

If a data breach occurs, then you want all hands on deck. Your provider’s digital forensic and incident response (DFIR) team should be there to lead the operation, with help from the monitoring and infosec teams.

5. How experienced is your team?

5. How experienced is your team?

Cyber-attacks can take place in a diverse number of ways, so your cybersecurity team needs diversity of experience. This means having a team of experts from a range of different fields such as cybersecurity, forensics, intelligence, and the military.

Another thing to look out for in your IR team is Global Information Assurance Certification (GIAC) accreditations such as SANS500 for Windows forensic analysis and SANS508 for advanced digital forensics and threat hunting.

6. What should I be doing to prepare?

6. What should I be doing to prepare?

Effective incident response begins with having an Incident Response Plan (IRP), a concept we cover in detail in this e-book.

Part of an incident response plan should be knowing what you need to do if there’s a breach. For example:

  • Who is your first point of contact?
  • What are the first steps you should take?
  • How do you access data, resources and other relevant tools?
  • Do you have appropriate and up-to-date training, documents and procedures in place?
  • Do you have an appropriate workspace (if applicable)?

Your IR provider should be able to help you with all of the above during onboarding.

7. Is the service scalable?

7. Is the service scalable?

Every business aspires to grow and presumably, yours does too. If growth is part of your future plans, then you should ask your SOC service provider whether it can provide the same scope of coverage (threat detection, incident response, etc.) as your client base expands.

8. Do you have intelligence to back up IR?

8. Do you have intelligence to back up IR?

Strong intelligence is the backbone of incident response. Your provider should be capable of using web intelligence (WEBINT) to monitor the darknet, clearnet and deep web, and open-source intelligence (OSINT) tools to monitor other hard-to-reach parts of the internet. It should be able to uncover the Tactics, Techniques, and Procedures (TTPs) used by cyber attackers to carry out Advanced Persistent Threats (APTs).

Once the intelligence team figures out what the attackers’ motives are, it makes the job of the incident response team a whole lot easier.

9. Have you encountered a specific incident?

9. Have you encountered a specific incident?

The reason for this question is fairly obvious. When you choose a SOC provider, you want to know that they’ve encountered all types of attacks. These include: ransom, ransomware, business email compromise breach, vulnerability exploitation, and encountered endgame scenario (i.e. the Golden Ticket).

Can you provide a report example?

Make sure to receive an example of a report as it is critical to know what to expect should a breach occur. You want to be sure your concerns are met and addressed.

10. At what stage of the incident response lifecycle can you help?

10. At what stage of the incident response lifecycle can you help?

 Your IR provider’s response should be “immediate and at all stages.”

11. Do you provide IR handling or just professional cybersecurity?

11. Do you provide IR handling or just professional cybersecurity?

You must decide if IR handling is required, or just professional cybersecurity will suffice?

IR handling means investigating the incident from all angles and performing all recovery and remediation actions on your behalf.

Professional cybersecurity includes investigation, recommendation, and insights on how to mitigate attacks. However, it is still up to you to perform any recovery and remediation actions.

12. What is your expected time for containment?

12. What is your expected time for containment?

It’s impossible to say exactly how long it will take to contain something. However, your service-level agreement should state an acceptable time within which each incident type receives a first response and an acceptable time within which each incident type has its initial investigation.

Your IR provider should also be able to provide a checklist of what needs to be done to contain different types of incidents. For example, if your business is the victim of BEC fraud (business email compromise), then your provider will need to revoke all tokens, terminate all sessions, change and reset passwords, and remove all rules in order for the incident to be contained.

13. What post-incident activities do you provide?

13. What post-incident activities do you provide?

When the incident is finally in your rearview mirror, it’s time to focus on lessons learned. Your IR vendor should be able to provide:

  • Threat-hunting operations, looking for signs of a latent breach that you missed during the containment and eradication stages;
  • Monitoring the old threat (as the hackers may decide they want to exploit your network again) and studying logs to see if there was a sign before the initial attack that you missed; and
  • Conduct a “Red Team” attack simulation to make sure the breach has been closed and secured.
Lesson: Be specific

Lesson: Be specific

Preparation is key to your cybersecurity posture, and this begins with asking the right questions of your IR provider. Remember to be specific when questioning your provider. That way you get detailed and specific answers, and you get a better night’s sleep knowing that your provider has you covered for all types of attacks