Two Common Choke Points in the Incident Response Process

By Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH

The Nexus  |  Monday, 12 March 2018

Many organizations simply do not have the luxury of maintaining an in-house incident responder or incident response staff. This leaves the organization with 2 options:

  1. Call in support from a vendor.
  2. Attempt to address the incident with internal staff.

This article explores the initial technical issues involved with the first option: calling in support from an incident response vendor.

Calling in Support

When the organization reaches out to the incident response vendor, a triage call is set up with trained members of the vendor’s incident response team. Whether the organization is facing the latest ransomware variant or has discovered unknown administrator accounts on a sensitive system, the purpose of this call is to help the organization understand its options. Should it be mutually determined that the vendor’s incident response team can be of assistance, the vendor will likely ask the compromised organization to provide three data sets: disk images, random-access memory (RAM) and logs.

Choke Point #1: Collecting Data Sets

When the sky is ostensibly falling, the most precious resource is time. When an incident occurs, the workforce may be unable to function, the production lines have stopped, and all too much attention from the C-suite is being focused on the incident.

The incident response vendor is likely located in a major city that is not nearby. It will be at least a day before any of the vendor’s incident response staff can fly in and hit the ground. This puts the organization’s staff in the position of being de facto first responders, for better or for worse, and responsible for collecting disk images, RAM and logs.

This may be old hat for some organizations that are equipped to fight this fire on a daily basis; however, many organizations do not have these skill sets in house. This costs precious time as the vendor has to walk the organization through how to collect these artifacts from, potentially, a variety of systems. This may easily add an extra day or 2 to the response process, thus elongating the incident and potential damage. And how many times has someone learned a skill on the fly only to realize he/she needed to repeat a process because it was not done correctly?

Choke Point #2: Transferring Data

Assuming the data sets have now been collected, how does the organization get them to the incident response vendor? Again, the vendor might be in a faraway city and it may not be feasible to speed across town to drop off a hard drive.

Transferring over the wire is certainly feasible, but there are obvious limitations with larger data sets. It may be simple to transfer a 2GB RAM capture and a set of 50MB logs, but what if the data are larger? What if the organization has 16GB RAM images, 500GB disk images and a series of large files? Transferring over the wire simply is not feasible in some cases.

The organization needs to have a Plan B in place. This may be using an overnight shipping provider to send the drive to the incident response vendor. Of course, maintaining confidentiality is key and the Internet is littered with stories of lost hard drives with sensitive data. Ergo, the organization will need to leverage encryption to ship the drive, because no one would want to ship an unencrypted drive, right?

And, if all else fails, the organization can buy the intern a plane ticket to be a high-priced courier for the day.

Mitigate Those Choke Points

Mitigating the aforementioned choke points is not overly difficult, but, like most things in life, it requires some planning.

Knowing that the incident response vendor might request disk images, RAM and select logs, it is logical to have at least 1 member of staff trained in gathering said data sets in a manner that will not cause spoliation while maintaining integrity. Training in these skill sets may be inexpensive: self-study books are available and many industry-leading software packages and techniques are free or open source. Alternatively, plenty of industry certifications are available, along with higher-end training courses.


The second choke point, transferring large data sets, can be practiced ahead of time with the incident response vendor. If it is determined that Plan A takes more than a day to transfer a few gigabytes of data and has a high rate of failure, an alternative solution may be implemented. Either way, having a practiced plan to transfer large data sets is a key component of working with an incident response vendor.
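One practical way to cover both mitigations above, as an added example that is not from the article: hash every collected artifact into a manifest at collection time, ship the manifest with the drive, and re-verify it after transfer so that a corrupted copy or an altered file is noticed before the vendor starts analysis. The script assumes sha256sum or shasum is installed; the sample evidence files and the log line are constructed.

```shell
#!/bin/sh
# Added example, not from the article: hash each collected artifact (disk image,
# RAM capture, logs) at collection time and re-check the manifest after transfer,
# so a corrupted copy or a modified file is caught before the vendor starts work.
# Assumes sha256sum or shasum is installed; the sample files are constructed.

hash_file() {
    # Print the SHA-256 hex digest of file $1 with whichever tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

make_manifest() {
    # $1 = evidence directory, $2 = manifest path; one "digest  name" line per file.
    evidence_dir=$1; manifest=$2
    : > "$manifest"
    for f in "$evidence_dir"/*; do
        [ -f "$f" ] && [ "$f" != "$manifest" ] || continue
        printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")" >> "$manifest"
    done
    # Minimal chain-of-custody record kept next to the manifest.
    printf 'collected_by=%s collected_at=%s host=%s\n' "$(id -un)" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" > "$manifest.meta"
}

verify_manifest() {
    # $1 = evidence directory, $2 = manifest path. Returns 0 only when every
    # listed file is present and still hashes to its recorded digest.
    evidence_dir=$1; manifest=$2; status=0
    while read -r digest name; do
        f="$evidence_dir/$name"
        if [ ! -f "$f" ]; then
            echo "MISSING: $name"; status=1
        elif [ "$(hash_file "$f")" != "$digest" ]; then
            echo "ALTERED: $name"; status=1
        fi
    done < "$manifest"
    return $status
}

# Constructed sample evidence set standing in for a real collection.
demo_dir=$(mktemp -d)
printf 'sample RAM capture' > "$demo_dir/server01.mem"
printf 'Mar 12 03:14:15 server01 sshd[412]: Accepted password for admin\n' > "$demo_dir/auth.log"
make_manifest "$demo_dir" "$demo_dir.sha256"
verify_manifest "$demo_dir" "$demo_dir.sha256" && echo "verified $(wc -l < "$demo_dir.sha256") artifacts"
```

Run make_manifest on the collection host before the drive is encrypted and shipped, and verify_manifest on the receiving end; a MISSING or ALTERED line means that artifact must be re-collected rather than analysed.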

Conclusion

Having an incident response vendor in place is critical and, in time of need, organizations will be thankful the vendor is there. However, ensuring the organization can work with the needs of its incident response vendor is an important component of mitigating the organization’s risk. While no one wants to be subjected to a security incident, starting off on the right footing will enable the organization to respond more quickly while mitigating the overall risk.

Rob Lelewski, CISA, CRISC, CISM, CCE, CISSP-ISSMP, EnCE, GCIH, is a team lead for Secureworks’ proactive services and focuses on helping organizations prepare for cybersecurity incidents by creating and reviewing incident response plans, performing tabletop exercises, and conducting other activities to help improve his clients’ security posture. He is a regular contributor to The Nexus and muses about information security topics.