Continuous evaluation of incident response strategies is essential for effective cyber defense. Each incident offers invaluable lessons that refine processes and protocols. Organizations must prioritize collaboration and adaptability, ensuring all stakeholders are aligned. This proactive approach fosters resilience and significantly bolsters data protection against evolving threats. One of the hardest decisions during an ongoing incident response is when to continue monitoring a malicious attack versus containing and eradicating it from your networks. There is no single right answer, but working with Threat Intelligence, Law Enforcement, Legal, Communications Specialists and System Owners to gather the information you need to defend against the attacker and protect the affected information, systems and networks is critical. Having detailed crisis management and incident response plans is crucial in determining the proper timing and the proper actions in such an instance. There are times when you should simply contain and eradicate the malicious actor's access, and there are other times when it is useful to monitor and watch what the malicious actors are doing so that your response, containment and restoration efforts can be more effective.
To highlight this point, let me recount two separate and different instances. In the first, unauthorized malicious activity was detected on a highly sensitive network holding a whole host of personal privacy information and private intellectual property. Because of the highly sensitive nature of the information and the proximity of the malicious actor's access to this data, collaboration between the System Owners, Law Enforcement and ourselves as defenders determined that it was too risky to allow the malicious actors to maintain access. Therefore, the pre-planned Incident Response Plan for containment, eradication and recovery was immediately executed, denying the malicious actor any further access to sensitive data and acting before any of the data could be exfiltrated from the network. In the second instance, unauthorized malicious activity was detected on a standard enterprise network. When we collaborated with the System Owners, Law Enforcement and Threat Intelligence, it was determined that the tactics, techniques and procedures (TTPs) for this activity were new and unique, and that the network being attacked was fairly generic. The decision in this case was to continue monitoring the activity, following our Incident Response Plan, instead of immediately removing the malicious actor's access. This decision turned out to be fortuitous, because it allowed us to monitor similar activity simultaneously in geographically diverse regions, which revealed that the malicious actors in this case were not a single attacker but a group of attackers. Additional information gathered while monitoring also allowed us to pinpoint the malicious actors' locations and to accumulate their TTPs. With that TTP set in hand we were able to identify additional locations they had breached by reviewing prior detections that had been thought to be the work of unrelated, singular malicious actors.
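The last step described above, accumulating the group's TTPs from monitoring at several sites and then re-examining earlier detections for the same fingerprint, is the kind of correlation a detection team would script. The Python below is an added illustration of that step; it is not the author's tooling and is not part of the original essay. Every alert ID, site name and TTP label in it is constructed for the example, and the Jaccard-overlap threshold of 0.5 is an assumed tuning value.

```python
"""Correlate prior detections against a newly characterized intrusion set.

Added example (constructed data, not the author's tooling). The idea: while an
intrusion is monitored across several regions, the union of observed TTPs forms
a campaign fingerprint; earlier alerts that were closed as one-off events are
then re-scored against that fingerprint to surface other breached locations.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    alert_id: str        # constructed alert identifier
    site: str            # region / network where the activity was seen
    ttps: frozenset      # observed TTP labels (constructed, not a real taxonomy)


def accumulate_ttps(observations):
    """Union of TTPs seen across all monitored sites during the campaign."""
    fingerprint = set()
    for obs in observations:
        fingerprint |= obs.ttps
    return frozenset(fingerprint)


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as no evidence, not a match."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def correlate(campaign_ttps, prior_detections, threshold=0.5):
    """Return (detection, score) pairs whose TTP overlap with the campaign meets the
    assumed threshold, strongest match first (alert_id breaks ties)."""
    scored = [(d, jaccard(campaign_ttps, d.ttps)) for d in prior_detections]
    matches = [(d, s) for d, s in scored if s >= threshold]
    matches.sort(key=lambda pair: (-pair[1], pair[0].alert_id))
    return matches


def affected_sites(matches):
    """Distinct locations implicated by the correlated detections."""
    return sorted({d.site for d, _ in matches})


# Constructed observations gathered while the intrusion was monitored live at
# two geographically separate sites (the "group, not a lone attacker" finding).
CAMPAIGN_OBSERVATIONS = [
    Detection("LIVE-1", "eu-west", frozenset({"phishing-lure-A", "custom-loader-X", "dns-tunnel-C2"})),
    Detection("LIVE-2", "us-east", frozenset({"custom-loader-X", "lateral-rdp", "staging-archive"})),
]

# Constructed backlog of earlier alerts that were closed as isolated events.
PRIOR_DETECTIONS = [
    Detection("D-101", "eu-west", frozenset({"phishing-lure-A", "custom-loader-X", "dns-tunnel-C2"})),
    Detection("D-102", "us-east", frozenset({"custom-loader-X", "dns-tunnel-C2", "lateral-rdp", "staging-archive"})),
    Detection("D-103", "apac", frozenset({"commodity-cryptominer", "public-exploit-kit"})),
    Detection("D-104", "eu-west", frozenset({"phishing-lure-A", "commodity-cryptominer"})),
    Detection("D-105", "sa-south", frozenset({"dns-tunnel-C2", "lateral-rdp", "custom-loader-X", "unknown-webshell"})),
]


if __name__ == "__main__":
    fingerprint = accumulate_ttps(CAMPAIGN_OBSERVATIONS)
    hits = correlate(fingerprint, PRIOR_DETECTIONS)
    for det, score in hits:
        print(f"{det.alert_id} at {det.site}: overlap {score:.2f}")
    print("sites to re-examine:", affected_sites(hits))
```

The score is deliberately symmetric: a prior alert that shares most of the campaign's TTPs but also carries unrelated commodity activity (D-104 above) stays below the threshold, while D-105, which was logged with one technique the campaign never showed, still scores exactly 0.5 and surfaces a site that monitoring alone had not identified. In practice the threshold is tuned against the team's own false-positive tolerance, and the output is a list of leads for analysts, not an automatic attribution.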
Keeping close coordination with the Crisis Management Teams we determined the proper time to implement the Incident Response Plan which then eradicated the malicious actors from the network with the ability to keep them out and allowed us to recover the networks to normal operations with enhanced protections.
This highlights the critical importance of collaborating with key partners and of having an Incident Response Plan and Crisis Action Plans prepared and ready for use. Law Enforcement provides key information about prior activity and about whether the information gathered is sufficient to locate and prosecute the malicious actors, if that is the goal. Threat Intelligence can augment this information to determine whether a malicious actor has been seen before, what that actor's modus operandi might be and what TTPs they might use during their activity. Without the detailed inputs of Law Enforcement and Threat Intelligence, the decision to perform further monitoring in the second case might not have been made, and the valuable additional information would not have been gathered. In contrast, the System Owners' knowledge of the sensitive information in the first example led to the correct decision to lock the malicious actors out of the network immediately. That decision might not have been taken so accurately had this critical collaboration not taken place. In addition, having Incident Response and Crisis Management Plans prepared and already in place was critical to the swift and accurate actions required in both scenarios. Without these plans, actions might not have been complete, might have taken additional time to authorize, or might not have been the correct actions to perform. This includes not only alerting and informing affected individuals but also reconfiguring detection and monitoring systems to fully capture malicious activity at multiple locations, containing the malicious activity, and patching and reconfiguring systems so that, once recovered, the malicious actors could not easily re-enter them.
In conclusion, the importance of a well-coordinated response to cyber incidents cannot be overstated. Effective collaboration among all stakeholders, clear communication, and a structured Incident Response Plan are vital for navigating the complexities of cyber threats. By learning from each incident, organizations can enhance their defenses and better prepare for future attacks. Ultimately, proactive measures and a strong crisis management framework will lead to more resilient networks and improved protection of sensitive data.