The Future of Incident Response

Today’s IT Incident Response (ITIR) landscape is plagued by immaturity and misconceptions that severely limits its effectiveness and customer value. The focus of this whitepaper will be on the security related application of Incident Response services. For ITIR services to improve effectiveness, investigation success and capability to handle advanced security incidents, these services needs to broaden the scope of investigation as well as increase granularity of service and method of evidence collection

“Cyber security is not SIGINT at rest, it´s HUMINT in motion” – The Grugq

The first area of immaturity for many ITIR services lies in the scope of service, which is too narrow. ITIR Services should not be a strict IT Service that only investigates incidents of IT equipment. There are three reasons why this is a faulty concept and limits effectiveness and customer value.

  • Many incidents involve People, being insider related or incorporating social engineering practices. Limiting the response to IT equipment leaves this essential area out of scope and severely limits investigation effectiveness and relevant evidence collection.
  • Many advanced intrusions involve physical presence on the crime scene. The plethora of individuals that have physical access to parts of the IT-infrastructure under investigations is vast. Cleaning companies, facility managers, plumbers, electricians, consultants, the list goes on. It is of uttermost importance to incorporate evidence and investigate entry systems, camera surveillance records and other evidence of physical presence. We should keep in mind that most legal systems highly favors physical evidence since it is historically better understood by the legal profession.
  • Digital evidence is immature and not well understood by the legal profession. This implies that in order to have the opportunity to use the investigation results for compensation purposes or in human resource purposes, the chances of success hinges on the perceived strength in the evidence by the legal profession and not by technicians. This implies the great benefits of incorporating more traditional sources of evidence such as surveillance footage and physical evidence.

The second area of immaturity lies in the non-granularity of the incident response task. Many ITIR Services makes no distinction between the removal of publicly known malware from the IT environment and investigating a complex intrusion that involves both human resources and not publicly known IT attack vectors. 

Often ITIR is marketed as services that involve advanced investigation. However, in reality it does not live up to these standards, which is due to a lack of competencies and limitations in the service scope.  

This false marketing makes the customers believe that the IR Team can actually deal with advanced intrusions in a beneficiary manner for the customer. In reality, they have purchased a well-marketed IT-Cleaning service. This common set up will make the customer suffer from:

  • A false sense of security and ability of the IR Team.
  • Paying for a high level service with a low level delivery. 
  • The clean system syndrome – where in reality the IR Team helps the attacker clean out evidence from the systems while still maintaining residual access, either technical and or physical.

The third area of immaturity lies in the static collection of evidence. Working with standards such as ISO/IEC 27037 this approach is understandable and forensically correct. However, we must realize that in reality most IT-systems do not log and or record enough data to prove a certain chain of action without reasonable doubt. This conundrum makes the use of introducing situation adapted logging/recording in correlation with the risk adjusted assessment to prolong the intrusion time, in order to get better evidence, justified and effective. 

What to look for in an IR Supplier:

  • Documented experience in responding to complex incidents
  • Full spectrum delivery model from IT to HR and Legal
  • Granularity in pricing depending on complexity of task
  • Adaptive evidence collection practices
  • Organizational integration services for effective communication and time savings during deployment
  • Workshops, simulations and educational portfolio
  • SLA guaranteed by the size and balance sheet of the provider