What We Do
How we do it
Resources
TRU INTELLIGENCE CENTER
Our Threat Response Unit (TRU) publishes security advisories, blogs, reports, industry publications and webinars based on its original research and the insights driven through proactive threat hunts.
View Threat Intelligence Resources →
SECURITY ADVISORIES
Mar 15, 2023
CVE-2023-23397 - Microsoft Outlook Elevation of Privilege Zero-Day Vulnerability
THE THREAT On March 14th, as part of Microsoft’s monthly Patch Tuesday release, the company disclosed a critical, actively exploited vulnerability impacting Microsoft Office and Outlook. The…
Read More
View all Advisories →
Company
ABOUT ESENTIRE
About Us
eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
Read about how we got here
Leadership Work at eSentire
LATEST PRESS RELEASE
Mar 20, 2023
Exertis and eSentire Partner to Deliver 24/7 Multi-Signal MDR, Digital Forensics & IR Services and Exposure Management to Organisations Across the UK, Ireland, and Europe
Basingstoke, UK– 20 March, 2023. Leading technology distributor, Exertis, announced today that it has bolstered its cybersecurity services, adding eSentire, the Authority in Managed Detection and Response (MDR), to its Enterprise portfolio of offerings. eSentire’s award-winning, 24/7 multi-signal MDR, Digital Forensics & Incident Response (IR), and Exposure Management services will be available…
Read More
Partners
PARTNER PROGRAM
e3 Ecosystem
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Learn more
ECOSYSTEM PARTNER RESOURCES
Apply to become an e3 ecosystem partner with eSentire, the Authority in Managed Detection and Response.
Login to the Partner Portal for resources and content for current partners.
Search
Resources
Blog — May 06, 2021

Five Common Mistakes to Avoid in Digital Forensics and Incident Response (IR)

7 minutes read
Speak With A Security Expert Now

There is no such thing as perfect cybersecurity, so as business and information security professionals, we accept that mistakes will occur, and risks will exist. Your business is on a journey to scale, and in turn your security program will continue to evolve. But, and it’s a big BUT, that doesn’t mean we shouldn’t develop robust strategies, harden your defenses and prepare for emergency incident response situations. It’s your responsibility to take proactive steps to ensure your team, and entire organization are prepared to address a serious security breach or incident.

While you’re considering your emergency preparedness plans, keep in mind the top 5 mistakes to avoid in digital forensics and incident response (IR) that every IT leader should know…

1 . Having incomplete preventative measures in place

A comprehensive cybersecurity and incident response plan requires specialized expertise, organizational commitment, disciplined personnel and layers of modern tools to provide defense in depth. But even sophisticated organizations can make mistakes when creating an incident response plan like failing to consider and cover the entire threat surface, intentionally or inadvertently maintaining out-of-scope devices, keeping services externally exposed, treating insecure behavior from executives as necessary exceptions or simply introducing defense solutions too slowly.

Incomplete implementations of tools and allowing exceptions without compensating controls lead to issues within environments.

When developing your incident response plan, ask yourself:

2. Thinking a cybersecurity incident won’t happen

The unfortunate reality is that at some point you’ll have to deal with a malicious event or full-blown cybersecurity incident. Maybe configuration or patching issues will leave gaps, a laptop will be misplaced, a phishing attempt will succeed, or a sophisticated attack will break through.

The prudent approach to risk management is to accept this unwelcome truth and prepare your organization, because with the right processes and systems in place you can at least limit the frequency, reduce the magnitude and be aware of cybersecurity incidents. (What you don’t know most definitely can hurt you.)

Ask yourself:

3. Moving too slowly after a security breach

Time is of the essence when a cybersecurity incident occurs. Delays negatively impact containment and recovery activities and can give threat actors time to destroy evidence. Failing to have an incident response provider at the ready and decision paralysis are two major causes of delays that impact an organization’s ability to respond to a cybersecurity incident.

Not having an Incident Response Provider on Retainer

Having an Incident Response provider, on retainer, ensures you have someone to call when an incident occurs, and you have an incident response playbook in place that you can follow.

The alternative requires you to pick up the phone, reach out to different providers, initiate conversations and negotiate contracts and legal terms during a period of time characterized by chaos and panic.

Decision paralysis (and failure to execute the incident response plan)

It is crucial during incident response to designate someone within your organization with sufficient decision-making authority to enable and enforce timely responses. Avoid committees, as they create dangerous delays and lead to very conservative, least-objectionable thinking at a time when decisiveness is paramount.

Additionally, ensure the designated person is willing to make potentially tough decisions (for instance, taking customer services offline to contain an incident) and has real authority within the organization. An incident is not the time to debate power dynamics and to get pulled into political discussions, nor is it the time to discover that people feel empowered to disobey the instructions because they came from the “wrong” person.

Ask yourself:

4. Not knowing your regulatory and contractual obligations

Industry and regional regulations as well as contractual notification requirements impose specific obligations upon your organization, and it’s crucial you understand them.

Automatically or incorrectly labeling an incident as a “breach”

In any relevant agreement, or piece of regulation, a “breach” should be defined with legal and contractual meaning, as well as implications. An incident should not be labeled as such until the specific conditions are met. Again, it’s important to understand the regulatory and contractual requirements you must abide by, and be consistent in your approach, so you can reserve the term “breach” for incidents that meet the criteria, thereby avoiding unnecessary notifications and consequences.

Furthermore, your Incident Response plan should clearly identify who within your organization has the authority to label an incident a breach.

Not knowing your notification requirements

Failing to properly understand your notification requirements can lead to two follow-on mistakes:

  1. Failing to send a notification when you were obligated to do so
  2. Sending a notification when you were not obligated to do so

Both mistakes can cause significant damage. To avoid such errors, your organization needs to be keenly familiar with two sets of notification requirements relating to cybersecurity incidents:

While many security breach notification regulations and requirements contain similar components, there can be important differences. Keep in mind, as security breaches rise in frequency and prominence, regulations and contractual obligations are changing, which requires organizations to stay up to date.

Ask yourself:

5. Mishandling evidence

Digital forensics evidence is vital to many aspects of Incident Response and litigation support. Inadvertent destruction of evidence and preventing the incident responder from accessing evidence are two common challenges that hamper incident response.

Destroying the evidence

In the rush to contain and clean up a cybersecurity incident, it’s common for well-intentioned personnel to destroy the digital forensics evidence (for instance by rebuilding compromised assets). Unfortunately, doing so eliminates crucial information that the incident reponse team needs to perform digital forensic analysis, to determine the full incident scope and to complete their end-to-end incident management.

Make sure the division of responsibilities between your internal team and your IR provider is clear, and unambiguously identify who has the authority to make decisions that can impact evidence. That way, you won’t accidentally destroy information your incident responder needs to fulfill their role.

Blocking access to evidence

During the course of IR, it’s entirely possible that your Incident Response provider will need access to sensitive systems and information. For example, in the case of a business email compromise an Incident Responder may require complete access to your email systems (Office/Outlook, Gmail, etc.).

To prevent confusion during a cybersecurity incident, it’s important the Incident Response procedures clearly explain which systems the IR provider can access and to ensure that all personnel involved (for instance, the email administrator) are aware.

Ask yourself:

Cybersecurity incidents can compromise personal and business data, severely impact operations and lead to legal consequences. When an incident occurs, it’s not the time to start planning. Or panicking. It’s imperative your organization plan ahead and establish a comprehensive Emergency Preparedness plan, outlining your Incident Response playbooks.

Both Managed Detection and Response (MDR) and Incident Response (IR) services are vital parts of an overall cybersecurity program, augmenting your response capability, and ensuring your organization can detect, respond to and recover from incidents.

To learn more about how eSentire’s Managed Risk Program and Managed Detection and Response services can better prepare you for a cybersecurity incident, contact us https://www.esentire.com/get-started.

View Most Recent Blogs
eSentire
eSentire

eSentire is the Authority in Managed Detection and Response, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events. Combining cutting-edge machine learning XDR technology, 24/7 Threat Hunting, and proven security operations leadership, eSentire mitigates business risk, and enables security at scale. The Team eSentire difference means enterprises are protected by the best in the business with a named Cyber Risk Advisor, 24/7 access to SOC Cyber Analysts & Elite Threat Hunters, and industry-leading threat intelligence research from eSentire’s Threat Response Unit (TRU). eSentire provides Managed Risk, Managed Detection and Response and Incident Response services. For more information, visit www.esentire.com and follow @eSentire.