When a breach occurs, time is of the essence. The decisions you make about whom to collaborate with and how to respond will determine how much impact the incident is going to have on your business operations.
This blog shared by our partner Crowdstrike outlines the seven key ingredients needed for successful incident response, given the spate of widespread ransomware attacks we are witnessing today. This unique approach to incident response is captured in an insightful CrowdStrike Services Incident Response eBook that describes in more detail the value of each ingredient and how it contributes to a substantial reduction in the time it takes to recover from a cyber incident (reducing weeks/months to hours/days) and the cost of recovery, and most importantly the avoidance of business downtime that could have a material impact on an organization’s financials.
These key ingredients are based on many years and thousands of IR engagements defending organizations across the globe against nation-state and eCrime threat actors. Crowdstrike have evolved and honed their incident response technologies, processes and methods to keep pace with these adversaries so they can help you respond to today’s sophisticated, widespread attacks.
With these key ingredients and the value they deliver, we can recover from a widespread attack with speed and precision, with minimal user impact and system downtime, and avoid any potential business outage or interruption for our clients.
The key ingredients are:
- Immediate Threat Visibility
- Active Threat Containment
- Accelerated Forensic Analysis
- Real Time Response and Recovery
- Enterprise Remediation
- Threat Hunting and Monitoring
- Managed Detection and Response
If you suspect you are the victim of a breach, your traditional security technology and processes may have failed you. The faster you can deploy next-generation security technology, the faster you can stop the breach.
The last thing you want in this situation is to use a traditional recovery approach that suggests the only way to recover from a breach is the full blunt force of wiping systems and applying full system remediation (reimage, rebuild or replace). This approach may have worked for attacks that occur on a handful of systems, but against today’s widespread ransomware attacks that impact hundreds or thousands of endpoints, we need a more intelligence-driven and effective solution — one that provides immediate visibility to the full threat context and enables the real-time surgical removal of attack artifacts with speed and precision.
In effect, the first four ingredients are the key: gain immediate threat visibility, contain the active threat, accelerate the forensic analysis, and recover the endpoints using real-time response. We do this to minimize the percentage of endpoints that require full system remediation. We want to recover the majority of endpoints using real-time response, so we only have to focus on reimaging or rebuilding a much smaller number of systems. For some clients, we are able to recover all of their systems using CrowdStrike Falcon® Real Time Response, enabling them to get back to business faster.
While we are typically able to recover environments rapidly, we continue to support our clients with threat hunting and monitoring from the Falcon OverWatch™ threat hunting team for the duration of the engagement. Adversaries that gain access to a network look to establish persistence within your environment and are not going to go away easily. The OverWatch team monitors for any recurrences of the initial threat and any hands-on-keyboard activity that the adversary might attempt. At the end of the CrowdStrike Services Incident Response engagement, we want our clients to feel confident they have recovered from the breach and ejected the adversary completely from the network. For those clients that never wish to go through this again, we offer a fully managed detection and response (MDR) solution, Falcon Complete™, which allows customers to continue running the Falcon platform while relying on the expertise of our team to detect threats in 1 minute, investigate in 10 mins and respond inside of 1 hour to prevent breaches from impacting their business.
For more details on activereach and Crowdstrike’s modern intelligence-led approach to rapid response and recovery from today’s widespread security incidents, click here for a Demo or call the team on 0845 625 9025
This article was written by James Perry & Tim Parisi and published on the Crowdstrike website in June 2022.