Over the past five years organizations across the globe have made enormous investments in cybersecurity.
Yet massive breaches are still happening: attackers repeatedly find their way around even the most advanced automated defence systems, and organizations struggle to detect and respond before the attackers have achieved their objective, whether that is data exfiltration, deploying ransomware, or something else.
Respond to live, hands-on keyboard attacks by human adversaries
Introducing Continuous Response, a methodology developed to put the right people in the right place at the right time, armed with the right information to enable a swift and effective response to a live attack while it is occurring, before it can harm your business.
At its heart Continuous Response advances incident response from a post-mortem scenario – after a business has experienced impact – to live containment and remediation, preventing attackers from accomplishing their mission, and protecting your business from the effects of a cyber attack.
What does it take to implement Continuous Response?
Most businesses already have the building blocks for Continuous Response.
For example, many organizations already have capable EDR tooling and all the log sources necessary for response, but perhaps they don’t have employees who are fully versed in how to use and monitor them. They may not have established processes for escalating suspicious activity when it’s detected. Continuous Response ensures that your people, processes, and technology are ready for compromise; it is not necessarily about spending lots of money, but applying the methodology where it has the most value. For example:
You can have all the tooling in the world, but you need the necessary people to utilize it. Your best technical teams need to be appropriately trained in how to use your tooling for detection and response, how to hunt for suspicious activity and escalate it when needed, and how to collaborate with your internal and external teams to identify and resolve an incident.
If you don’t have it already, begin developing your playbook. Your procedure for response needs to apply to your environment. In our whitepaper – Rethinking Response – we include an example playbook, which could be a starting point. But mainly, start to consider: when an incident occurs, how are you going to escalate it? At what point does something become serious in your view? Who needs to be involved and when? How are you going to communicate?
When detecting and responding to live attackers, you need the correct level of visibility and speed: the ability to access the relevant data as quickly as possible, and the expertise to analyze and act on it just as quickly. A lot of tooling prioritizes retrieving artefacts over processing them, which adds lead time during a live attack. The right technology should give you the actions to respond and stop attacker processes, for example by frustrating the attackers through degrading their C2 channels.
However, it’s pointless to buy technology for technology’s sake. Whatever you buy or implement should align with the specific needs of your organization and protect the assets that are most critical to your business. A framework such as VUCA – outlined in our whitepaper ‘Rethinking Response’ – can help guide you and your board towards these conclusions.
Ultimately, determining your organization’s level of response readiness comes down to one question: are you prepared to fight an attacker live in action?
Or, put another way, could you stop an attack, before it stops you?